Manage OpenSSL security level
Add the SslAcceptSettings options Override_Security_Level and Override_Security_Level_Value so the user can choose the OpenSSL security level.
This commit is contained in:
parent
190672bd84
commit
7fdacec2a6
@ -5931,6 +5931,8 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
|
||||
c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1");
|
||||
c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");
|
||||
c->SslAcceptSettings.Tls_Disable1_3 = CfgGetBool(f, "Tls_Disable1_3");
|
||||
c->SslAcceptSettings.Override_Security_Level = CfgGetBool(f, "Override_Security_Level");
|
||||
c->SslAcceptSettings.Override_Security_Level_Value = CfgGetInt(f, "Override_Security_Level_Value");
|
||||
|
||||
s->StrictSyslogDatetimeFormat = CfgGetBool(f, "StrictSyslogDatetimeFormat");
|
||||
|
||||
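Review bot: `Override_Security_Level_Value` is read with CfgGetInt and stored without any range check, and the only consumer visible on this page (the new block in StartSSLEx) passes it straight to SSL_CTX_set_security_level. OpenSSL defines levels 0 through 5, and level 0 switches off every strength check (weak ciphers, short keys and old protocol versions become acceptable again), so a typo in the config silently weakens every listener. I would clamp on load, e.g. `if (c->SslAcceptSettings.Override_Security_Level_Value > 5) { c->SslAcceptSettings.Override_Security_Level_Value = 5; }`, or reject the override and log it when the value is out of range. SiLoadServerCfg begins and ends outside this hunk; the mirror write in SiWriteServerCfg needs no change.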
@ -6256,6 +6258,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
|
||||
CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1);
|
||||
CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2);
|
||||
CfgAddBool(f, "Tls_Disable1_3", c->SslAcceptSettings.Tls_Disable1_3);
|
||||
CfgAddBool(f, "Override_Security_Level", c->SslAcceptSettings.Override_Security_Level);
|
||||
CfgAddInt(f, "Override_Security_Level_Value", c->SslAcceptSettings.Override_Security_Level_Value);
|
||||
CfgAddInt(f, "DhParamBits", c->DhParamBits);
|
||||
|
||||
// Disable session reconnect
|
||||
|
@ -5747,6 +5747,16 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
|
||||
{
|
||||
SSL_CTX_set_tmp_dh(ssl_ctx, dh->dh);
|
||||
}
|
||||
|
||||
#if 0
|
||||
// Cannot get config
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
if (sock->SslAcceptSettings.Override_Security_Level)
|
||||
{
|
||||
SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
|
||||
if (verify_peer)
|
||||
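Review bot: The new block in NewSslPipeEx is wrapped in `#if 0` and references `sock`, which is not among the parameters shown in the hunk header, so it is dead code that would not compile if enabled; the practical effect is that SSL_PIPE contexts keep OpenSSL's default security level while sockets going through StartSSLEx honour the override. Committing the block under `#if 0` with only `// Cannot get config` hides that gap from the next reader. I would drop the disabled block and leave a comment at that spot such as `// NOTE: Override_Security_Level is not applied here: NewSslPipeEx has no SslAcceptSettings to read it from`, or extend the function's arguments so the setting can be passed in. NewSslPipeEx begins and ends outside this hunk.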
@ -12138,6 +12148,13 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
|
||||
}
|
||||
#endif // SSL_OP_NO_TLSv1_3
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
if (sock->SslAcceptSettings.Override_Security_Level)
|
||||
{
|
||||
SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
|
||||
}
|
||||
#endif
|
||||
|
||||
Unlock(openssl_lock);
|
||||
AddChainSslCertOnDirectory(ssl_ctx);
|
||||
Lock(openssl_lock);
|
||||
|
@ -148,6 +148,8 @@ struct SSL_ACCEPT_SETTINGS
|
||||
bool Tls_Disable1_1;
|
||||
bool Tls_Disable1_2;
|
||||
bool Tls_Disable1_3;
|
||||
bool Override_Security_Level;
|
||||
UINT Override_Security_Level_Value;
|
||||
};
|
||||
|
||||
// Socket
|
||||
|
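Review bot: The two new SSL_ACCEPT_SETTINGS fields document neither the value range nor the platforms the override applies to, which matters because the consumers on this page compile the call out on OpenSSL below 1.1.0 and on LibreSSL, where the setting is then silently ignored. I would add above them `// Apply Override_Security_Level_Value via SSL_CTX_set_security_level (OpenSSL >= 1.1.0 only; ignored on LibreSSL)` and `// OpenSSL security level 0-5; 0 disables all strength checks`. The struct's opening line is outside the hunk.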