From 6cb15b908a64b69b715fa8b2d60c71c6d9d3f9fc Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan.karger@fox-it.com>
Date: Tue, 26 Aug 2014 00:03:23 +0200
Subject: Add --tls-version-max

Because using TLS 1.2 breaks certain setups, a user might want to enforce
a maximum TLS version to use. This patch adds that option.

This patch removes a number of #ifdefs from ssl_polarssl.c, because the
polarssl versions we currently support (polar 1.2 for openvpn 2.3, and
polar 1.3 for openvpn-master) have all versions unconditionally enabled.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EC052.3080809@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9210
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
 src/openvpn/ssl_common.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'src/openvpn/ssl_common.h')

diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 04ba789..2719b41 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -296,8 +296,10 @@ struct tls_options
 # define SSLF_AUTH_USER_PASS_OPTIONAL  (1<<2)
 # define SSLF_OPT_VERIFY               (1<<4)
 # define SSLF_CRL_VERIFY_DIR           (1<<5)
-# define SSLF_TLS_VERSION_SHIFT        6
-# define SSLF_TLS_VERSION_MASK         0xF /* (uses bit positions 6 to 9) */
+# define SSLF_TLS_VERSION_MIN_SHIFT    6
+# define SSLF_TLS_VERSION_MIN_MASK     0xF /* (uses bit positions 6 to 9) */
+# define SSLF_TLS_VERSION_MAX_SHIFT    10
+# define SSLF_TLS_VERSION_MAX_MASK     0xF /* (uses bit positions 10 to 13) */
   unsigned int ssl_flags;
 
 #ifdef MANAGEMENT_DEF_AUTH
-- 
cgit