Set the TLS security level early and on context #685
Merged
Commits on May 4, 2020
-
Set the TLS security level early and on context
The existing code does work for cipher negotiation with old (FortiOS 4?) FortiGate appliances, but not for personal certificates (SHA-1 certificates). Two reasons I can see: * SSL_set_cipher_list() was called after messing with certificates. * SSL_set_cipher_list() applies only to the SSL connection, not to certificates, call SSL_CTX_set_cipher_list() on context instead. This change addresses both of the above issues. See SSL(7) man page: https://www.openssl.org/docs/man1.1.1/man7/ssl.html#DATA-STRUCTURES SSL_CTX (SSL Context) This is the global context structure which is created by a server or client once per program life-time and which holds mainly default values for the SSL structures which are later created for the connections. SSL (SSL Connection) This is the main SSL/TLS structure which is created by a server or client per established connection. This actually is the core structure in the SSL API. At run-time the application usually deals with this structure which has links to mostly all other structures.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.