libtls: Increase default min version to 1.2

The older versions are generally considered deprecated (there is an Internet-Draft that aims to do that formally).
2021-01-27 14:40:22 +01:00 · 2021-01-27 14:40:22 +01:00 · a60e248b0d
parent 3abcbf82b5
commit a60e248b0d
2 changed files with 3 additions and 3 deletions
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@ -479,7 +479,7 @@ charon.tls.send_certreq_authorities = yes
 	Whether to include CAs in a server's CertificateRequest message. May be
 	disabled if clients can't handle a long list of CAs.

-charon.tls.version_min = 1.0
+charon.tls.version_min = 1.2
 	Minimum TLS version to negotiate.

 charon.tls.version_max = 1.2
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@ -463,8 +463,8 @@ static void determine_versions(private_tls_t *this)
 	char *version_str;

 	if (this->version_min == TLS_UNSPEC)
-	{
-		this->version_min = TLS_SUPPORTED_MIN;
+	{	/* default to TLS 1.2 as older versions are considered deprecated */
+		this->version_min = TLS_1_2;

 		version_str = lib->settings->get_str(lib->settings, "%s.tls.version_min",
 											 NULL, lib->ns);