Disable TLS v1.0 by default. Added new --enable-tlsv10 option to force enable (only works if --enable-oldtls is set, which is on by default).

2026-01-27 07:42:19 +01:00 · 2017-11-14 13:55:48 -08:00
parent fd4b3b40ac
commit d5cc3ca198
9 changed files with 95 additions and 60 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -3637,9 +3637,11 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)

 #ifndef NO_TLS
    #ifndef NO_OLD_TLS
+        #ifdef WOLFSSL_ALLOW_TLSV10
        case WOLFSSL_TLSV1:
            ssl->version = MakeTLSv1();
            break;
+        #endif

        case WOLFSSL_TLSV1_1:
            ssl->version = MakeTLSv1_1();
--- a/src/tls.c
+++ b/src/tls.c
@@ -428,6 +428,7 @@ int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)

 #ifndef NO_OLD_TLS

+#ifdef WOLFSSL_ALLOW_TLSV10
 ProtocolVersion MakeTLSv1(void)
 {
    ProtocolVersion pv;
@@ -436,6 +437,7 @@ ProtocolVersion MakeTLSv1(void)

    return pv;
 }
+#endif /* WOLFSSL_ALLOW_TLSV10 */


 ProtocolVersion MakeTLSv1_1(void)
@@ -447,7 +449,7 @@ ProtocolVersion MakeTLSv1_1(void)
    return pv;
 }

-#endif
+#endif /* !NO_OLD_TLS */


 ProtocolVersion MakeTLSv1_2(void)
@@ -8622,18 +8624,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
 #ifndef NO_WOLFSSL_CLIENT

 #ifndef NO_OLD_TLS
-
+    #ifdef WOLFSSL_ALLOW_TLSV10
    WOLFSSL_METHOD* wolfTLSv1_client_method(void)
    {
        return wolfTLSv1_client_method_ex(NULL);
    }

-
-    WOLFSSL_METHOD* wolfTLSv1_1_client_method(void)
-    {
-        return wolfTLSv1_1_client_method_ex(NULL);
-    }
-
    WOLFSSL_METHOD* wolfTLSv1_client_method_ex(void* heap)
    {
        WOLFSSL_METHOD* method =
@@ -8643,7 +8639,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
            InitSSL_Method(method, MakeTLSv1());
        return method;
    }
+    #endif /* WOLFSSL_ALLOW_TLSV10 */

+    WOLFSSL_METHOD* wolfTLSv1_1_client_method(void)
+    {
+        return wolfTLSv1_1_client_method_ex(NULL);
+    }

    WOLFSSL_METHOD* wolfTLSv1_1_client_method_ex(void* heap)
    {
@@ -8740,18 +8741,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
 #ifndef NO_WOLFSSL_SERVER

 #ifndef NO_OLD_TLS
-
+    #ifdef WOLFSSL_ALLOW_TLSV10
    WOLFSSL_METHOD* wolfTLSv1_server_method(void)
    {
        return wolfTLSv1_server_method_ex(NULL);
    }

-
-    WOLFSSL_METHOD* wolfTLSv1_1_server_method(void)
-    {
-        return wolfTLSv1_1_server_method_ex(NULL);
-    }
-
    WOLFSSL_METHOD* wolfTLSv1_server_method_ex(void* heap)
    {
        WOLFSSL_METHOD* method =
@@ -8763,7 +8758,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
        }
        return method;
    }
+    #endif /* WOLFSSL_ALLOW_TLSV10 */

+    WOLFSSL_METHOD* wolfTLSv1_1_server_method(void)
+    {
+        return wolfTLSv1_1_server_method_ex(NULL);
+    }

    WOLFSSL_METHOD* wolfTLSv1_1_server_method_ex(void* heap)
    {