diff --git a/lib/modules/SSL.pmod/Constants.pmod b/lib/modules/SSL.pmod/Constants.pmod
index 4c0e23143ad83612d43c8b50e8f1acf375a7ba25..0acf866390afc46832722465b6797de3140ecf23 100644
--- a/lib/modules/SSL.pmod/Constants.pmod
+++ b/lib/modules/SSL.pmod/Constants.pmod
@@ -84,6 +84,8 @@ enum ProtocolVersion {
//! Max supported SSL version.
constant PROTOCOL_major = 3;
constant PROTOCOL_minor = PROTOCOL_TLS_1_2;
+constant PROTOCOL_SSL_MAX = PROTOCOL_TLS_1_2;
+constant PROTOCOL_TLS_MAX = PROTOCOL_TLS_1_2;
/* Packet types */
constant PACKET_change_cipher_spec = 20; // RFC 5246
diff --git a/lib/modules/SSL.pmod/connection.pike b/lib/modules/SSL.pmod/connection.pike
index 42057d68cf3e6f9ca250c483560f8967ac92c0f3..f7f74213f853b18081ae0c4134ceb5a08c1717d4 100644
--- a/lib/modules/SSL.pmod/connection.pike
+++ b/lib/modules/SSL.pmod/connection.pike
@@ -48,16 +48,14 @@ inherit ADT.Queue : alert;
inherit ADT.Queue : urgent;
inherit ADT.Queue : application;
-void create(int is_server, void|SSL.context ctx,
- void|ProtocolVersion min_version,
- void|ProtocolVersion max_version)
+void create(int is_server, void|SSL.context ctx)
{
alert::create();
urgent::create();
application::create();
current_read_state = SSL.state(this);
current_write_state = SSL.state(this);
- handshake::create(is_server, ctx, min_version, max_version);
+ handshake::create(is_server, ctx);
}
#if 0
diff --git a/lib/modules/SSL.pmod/context.pike b/lib/modules/SSL.pmod/context.pike
index 05c9441ff1e9156dbab5bffcb7494aec7fd19b67..a8fa98f79efb0ab05f9d5c7de0279dd51f14256a 100644
--- a/lib/modules/SSL.pmod/context.pike
+++ b/lib/modules/SSL.pmod/context.pike
@@ -41,6 +41,22 @@
import .Constants;
+//! The minimum supported protocol version.
+//!
+//! Defaults to @[PROTOCOL_SSL_3_0].
+//!
+//! @note
+//! This value should not be greater than @[max_version].
+ProtocolVersion min_version = PROTOCOL_SSL_3_0;
+
+//! The maximum supported protocol version.
+//!
+//! Defaults to @[PROTOCOL_TLS_MAX].
+//!
+//! @note
+//! This value should not be less than @[min_version].
+ProtocolVersion max_version = PROTOCOL_TLS_MAX;
+
//! The server's default private key.
//!
//! Supported key types are currently:
diff --git a/lib/modules/SSL.pmod/handshake.pike b/lib/modules/SSL.pmod/handshake.pike
index c03424c105fb45ce877e4103c404d64a4a8102f1..d85960970fba49451ce25f5b5207fa0d7ef00b99 100644
--- a/lib/modules/SSL.pmod/handshake.pike
+++ b/lib/modules/SSL.pmod/handshake.pike
@@ -64,7 +64,6 @@ string(0..255) server_verify_data = "";
//! The active @[Cipher.KeyExchange] (if any).
.Cipher.KeyExchange ke;
-ProtocolVersion min_version = PROTOCOL_SSL_3_0;
array(int) version;
array(int) client_version; /* Used to check for version roll-back attacks. */
int reuse;
@@ -747,7 +746,7 @@ int(-1..1) handle_handshake(int type, string(0..255) data, string(0..255) raw)
return -1;
}
if ((client_version[0] != PROTOCOL_major) ||
- (client_version[1] < min_version)) {
+ (client_version[1] < context->min_version)) {
SSL3_DEBUG_MSG("Unsupported version of SSL: %d.%d.\n",
client_version[0], client_version[1]);
send_packet(Alert(ALERT_fatal, ALERT_protocol_version, version[1],
@@ -1178,7 +1177,7 @@ int(-1..1) handle_handshake(int type, string(0..255) data, string(0..255) raw)
}
if ((client_version[0] != PROTOCOL_major) ||
- (client_version[1] < min_version)) {
+ (client_version[1] < context->min_version)) {
SSL3_DEBUG_MSG("Unsupported version of SSL: %d.%d.\n",
client_version[0], client_version[1]);
send_packet(Alert(ALERT_fatal, ALERT_protocol_version, version[1],
@@ -1510,7 +1509,8 @@ int(-1..1) handle_handshake(int type, string(0..255) data, string(0..255) raw)
return -1;
}
- if ((version[0] != PROTOCOL_major) || (version[1] < min_version)) {
+ if ((version[0] != PROTOCOL_major) ||
+ (version[1] < context->min_version)) {
SSL3_DEBUG_MSG("Unsupported version of SSL: %d.%d.\n",
version[0], version[1]);
version = client_version + ({});
@@ -1909,15 +1909,7 @@ int(-1..1) handle_handshake(int type, string(0..255) data, string(0..255) raw)
//! Whether this is the server end of the connection or not.
//! @param ctx
//! The context for the connection.
-//! @param min_version
-//! Minimum version of SSL to support.
-//! Defaults to @[Constants.PROTOCOL_SSL_3_0].
-//! @param max_version
-//! Maximum version of SSL to support.
-//! Defaults to @[Constants.PROTOCOL_minor].
-void create(int is_server, void|SSL.context ctx,
- void|ProtocolVersion min_version,
- void|ProtocolVersion max_version)
+void create(int is_server, void|SSL.context ctx)
{
#ifdef SSL3_PROFILING
@@ -1925,20 +1917,18 @@ void create(int is_server, void|SSL.context ctx,
Stdio.stdout.write("New...\n");
#endif
- if (zero_type(max_version) || (max_version < PROTOCOL_SSL_3_0) ||
- (max_version > PROTOCOL_minor)) {
- max_version = PROTOCOL_minor;
+ if ((ctx->max_version < PROTOCOL_SSL_3_0) ||
+ (ctx->max_version > PROTOCOL_TLS_MAX)) {
+ ctx->max_version = PROTOCOL_TLS_MAX;
}
- if (zero_type(min_version) || (min_version < PROTOCOL_SSL_3_0)) {
- min_version = PROTOCOL_SSL_3_0;
- } else if (min_version > max_version) {
- min_version = max_version;
+ if (ctx->min_version < PROTOCOL_SSL_3_0) {
+ ctx->min_version = PROTOCOL_SSL_3_0;
+ } else if (ctx->min_version > ctx->max_version) {
+ ctx->min_version = ctx->max_version;
}
- this_program::min_version = min_version;
-
- version = ({ PROTOCOL_major, max_version });
+ version = ({ PROTOCOL_major, ctx->max_version });
context = ctx;
if (is_server)
diff --git a/lib/modules/SSL.pmod/sslfile.pike b/lib/modules/SSL.pmod/sslfile.pike
index c5e13a933c845699a455d39bb5bc484515d4c706..cac5635d553096c00f5b0e848dd4a3094af74863 100644
--- a/lib/modules/SSL.pmod/sslfile.pike
+++ b/lib/modules/SSL.pmod/sslfile.pike
@@ -456,9 +456,7 @@ protected THREAD_T op_thread;
} while (0)
protected void create (Stdio.File stream, SSL.context ctx,
- int|void is_client, int|void is_blocking,
- SSL.Constants.ProtocolVersion|void min_version,
- SSL.Constants.ProtocolVersion|void max_version)
+ int|void is_client, int|void is_blocking)
//! Create an SSL connection over an open @[stream].
//!
//! @param stream
@@ -475,14 +473,6 @@ protected void create (Stdio.File stream, SSL.context ctx,
//! If is set then the stream is initially set in blocking
//! mode, nonblocking mode otherwise.
//!
-//! @param min_version
-//! The minimum minor version of SSL to support.
-//! Defaults to @[PROTOCOL_SSL_3_0].
-//!
-//! @param max_version
-//! The maximum minor version of SSL to support.
-//! Defaults to @[PROTOCOL_minor].
-//!
//! The backend used by @[stream] is taken over and restored after the
//! connection is closed (see @[close] and @[shutdown]). The callbacks
//! and id in @[stream] are overwritten.
@@ -522,7 +512,7 @@ protected void create (Stdio.File stream, SSL.context ctx,
stream->set_id (1);
packet_max_size = limit(1, ctx->packet_max_size, SSL.Constants.PACKET_MAX_SIZE);
- conn = SSL.connection (!is_client, ctx, min_version, max_version);
+ conn = SSL.connection (!is_client, ctx);
if(is_blocking) {
set_blocking();
diff --git a/lib/modules/SSL.pmod/testsuite.in b/lib/modules/SSL.pmod/testsuite.in
index 9b043ee591d70185d37744603de77e56889e49c5..99ba75d4b2b916951edc430e962a7dc4ad0989dd 100644
--- a/lib/modules/SSL.pmod/testsuite.in
+++ b/lib/modules/SSL.pmod/testsuite.in
@@ -381,8 +381,10 @@ test_do([[
Stdio.File server_con =
client_con->pipe(Stdio.PROP_NONBLOCK | Stdio.PROP_BIDIRECTIONAL);
- SSL.sslfile server = SSL.sslfile(server_con, server_ctx, UNDEFINED,
- 0, server_min, server_max);
+ server_ctx->min_version = server_min;
+ server_ctx->max_version = server_max;
+
+ SSL.sslfile server = SSL.sslfile(server_con, server_ctx, UNDEFINED, 0);
// We only have self-signed certificates, so all ECDH_RSA and
// DH_RSA suites will fail prior to TLS 1.2, since they require
@@ -407,8 +409,9 @@ test_do([[
SSL.context client_ctx = SSL.context();
client_ctx->random = random_string;
client_ctx->preferred_suites = suites;
- SSL.sslfile client = SSL.sslfile(client_con, client_ctx, 1, 0,
- client_min, client_max);
+ client_ctx->min_version = client_min;
+ client_ctx->max_version = client_max;
+ SSL.sslfile client = SSL.sslfile(client_con, client_ctx, 1, 0);
int state;