author | Martin Willi <martin@revosec.ch> | 2014-03-25 10:12:51 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2014-04-01 14:28:55 +0200 |
commit | e15f64cc81818f3769b91b2372559a64f0b92b7b (patch) | |
tree | 456b0adf9106a10292b28bca48cd01bed3927738 | |
parent | 5313880261fe271ac5b334ccacf92d6253efaf3d (diff) | |
tls: Support a maximum TLS version to negotiate using TLS socket abstraction
-rw-r--r-- | scripts/tls_test.c | 4 | ||||
-rw-r--r-- | src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c | 2 | ||||
-rw-r--r-- | src/libpttls/pt_tls_client.c | 2 | ||||
-rw-r--r-- | src/libpttls/pt_tls_server.c | 2 | ||||
-rw-r--r-- | src/libtls/tls_socket.c | 3 | ||||
-rw-r--r-- | src/libtls/tls_socket.h | 3 |
6 files changed, 9 insertions, 7 deletions
diff --git a/scripts/tls_test.c b/scripts/tls_test.c
index 3d47f6f7a..84a32f96f 100644
--- a/scripts/tls_test.c
+++ b/scripts/tls_test.c
@@ -105,7 +105,7 @@ static int run_client(host_t *host, identification_t *server,
 close(fd);
 return 1;
 }
- tls = tls_socket_create(FALSE, server, client, fd, cache, TRUE);
+ tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_2, TRUE);
 if (!tls)
 {
 close(fd);
@@ -162,7 +162,7 @@ static int serve(host_t *host, identification_t *server,
 }
 DBG1(DBG_TLS, "%#H connected", host);
- tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TRUE);
+ tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE);
 if (!tls)
 {
 close(fd);
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
index af1b28adf..a652e7067 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
@@ -877,7 +877,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 /* open TLS socket */
 this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd,
- NULL, FALSE);
+ NULL, TLS_1_2, FALSE);
 if (!this->tls)
 {
 DBG1(DBG_TNC, "creating TLS socket failed");
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
index 98a2f4b47..315129d7e 100644
--- a/src/libpttls/pt_tls_client.c
+++ b/src/libpttls/pt_tls_client.c
@@ -85,7 +85,7 @@ static bool make_connection(private_pt_tls_client_t *this)
 }
 this->tls = tls_socket_create(FALSE, this->server, this->client, fd,
- NULL, FALSE);
+ NULL, TLS_1_2, FALSE);
 if (!this->tls)
 {
 close(fd);
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
index 3c07475d9..cedc2632c 100644
--- a/src/libpttls/pt_tls_server.c
+++ b/src/libpttls/pt_tls_server.c
@@ -532,7 +532,7 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
 .destroy = _destroy,
 },
 .state = PT_TLS_SERVER_VERSION,
- .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, FALSE),
+ .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_2, FALSE),
 .tnccs = (tls_t*)tnccs,
 .auth = auth,
 );
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
index 4b18fa60e..648771e75 100644
--- a/src/libtls/tls_socket.c
+++ b/src/libtls/tls_socket.c
@@ -407,7 +407,7 @@ METHOD(tls_socket_t, destroy, void,
 */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 identification_t *peer, int fd, tls_cache_t *cache,
- bool nullok)
+ tls_version_t max_version, bool nullok)
 {
 private_tls_socket_t *this;
 tls_purpose_t purpose;
@@ -448,6 +448,7 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 free(this);
 return NULL;
 }
+ this->tls->set_version(this->tls, max_version);
 return &this->public;
 }
diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h
index 54278dd01..0d4db3b41 100644
--- a/src/libtls/tls_socket.h
+++ b/src/libtls/tls_socket.h
@@ -104,11 +104,12 @@ struct tls_socket_t {
 * @param peer client identity, NULL for no client authentication
 * @param fd socket to read/write from
 * @param cache session cache to use, or NULL
+ * @param max_version maximun TLS version to negotiate
 * @param nullok accept NULL encryption ciphers
 * @return TLS socket wrapper
 */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 identification_t *peer, int fd, tls_cache_t *cache,
- bool nullok);
+ tls_version_t max_version, bool nullok);
 #endif /** TLS_SOCKET_H_ @}*/
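Review bot: The result of `this->tls->set_version(this->tls, max_version);` in the second tls_socket.c hunk is discarded, so a max_version the TLS object does not accept would leave the socket negotiating its built-in maximum while the caller believes its limit is in force. If set_version signals acceptance (it appears to return bool in libtls, worth confirming against tls.h), the call should be checked like the failure path directly above it, e.g. `if (!this->tls->set_version(this->tls, max_version)) { /* tear down this->tls and this as the preceding failure branch does */ return NULL; }`, with the exact teardown matching whatever the function has allocated by that point. Most of tls_socket_create's body, including the creation of this->tls, lies outside this hunk.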
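Review bot: The new Doxygen line in tls_socket.h misspells the parameter description; it should read `* @param max_version maximum TLS version to negotiate`. Since every caller in this commit passes TLS_1_2, it would also help to state in that line whether lower versions remain negotiable below the given maximum, so that callers wanting to pin a floor know this parameter does not provide one. The enclosing comment block starts before this hunk.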