1 files changed, 66 insertions, 15 deletions
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index c9882c6..4f9c793 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -49,28 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
 int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
        SSL_METHOD *method = NULL;
+        long options = 0;
        switch (version) {
-        case 0: /* Deafult to auto negotiation */
+        case MP_SSLv2: /* SSLv2 protocol */
-                method = SSLv23_client_method();
-                break;
-        case 1: /* TLSv1 protocol */
-                method = TLSv1_client_method();
-                break;
-        case 2: /* SSLv2 protocol */
 #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
-                printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));
+                printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
-                return STATE_CRITICAL;
+                return STATE_UNKNOWN;
 #else
                method = SSLv2_client_method();
-#endif
                break;
-        case 3: /* SSLv3 protocol */
+#endif
+        case MP_SSLv3: /* SSLv3 protocol */
+#if defined(OPENSSL_NO_SSL3)
+                printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
+                return STATE_UNKNOWN;
+#else
                method = SSLv3_client_method();
                break;
-        default: /* Unsupported */
+#endif
-                printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
+        case MP_TLSv1: /* TLSv1 protocol */
-                return STATE_CRITICAL;
+#if defined(OPENSSL_NO_TLS1)
+                printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
+                return STATE_UNKNOWN;
+#else
+                method = TLSv1_client_method();
+                break;
+#endif
+        case MP_TLSv1_1: /* TLSv1.1 protocol */
+#if !defined(SSL_OP_NO_TLSv1_1)
+                printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
+                return STATE_UNKNOWN;
+#else
+                method = TLSv1_1_client_method();
+                break;
+#endif
+        case MP_TLSv1_2: /* TLSv1.2 protocol */
+#if !defined(SSL_OP_NO_TLSv1_2)
+                printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
+                return STATE_UNKNOWN;
+#else
+                method = TLSv1_2_client_method();
+                break;
+#endif
+        case MP_TLSv1_2_OR_NEWER:
+#if !defined(SSL_OP_NO_TLSv1_1)
+                printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
+                return STATE_UNKNOWN;
+#else
+                options |= SSL_OP_NO_TLSv1_1;
+#endif
+                /* FALLTHROUGH */
+        case MP_TLSv1_1_OR_NEWER:
+#if !defined(SSL_OP_NO_TLSv1)
+                printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
+                return STATE_UNKNOWN;
+#else
+                options |= SSL_OP_NO_TLSv1;
+#endif
+                /* FALLTHROUGH */
+        case MP_TLSv1_OR_NEWER:
+#if defined(SSL_OP_NO_SSLv3)
+                options |= SSL_OP_NO_SSLv3;
+#endif
+                /* FALLTHROUGH */
+        case MP_SSLv3_OR_NEWER:
+#if defined(SSL_OP_NO_SSLv2)
+                options |= SSL_OP_NO_SSLv2;
+#endif
+        case MP_SSLv2_OR_NEWER:
+                /* FALLTHROUGH */
+        default: /* Default to auto negotiation */
+                method = SSLv23_client_method();
        }
        if (!initialized) {
                /* Initialize SSL context */
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
 #endif
        }
 #ifdef SSL_OP_NO_TICKET
-        SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
+        options |= SSL_OP_NO_TICKET;
 #endif
+        SSL_CTX_set_options(c, options);
        SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
        if ((s = SSL_new(c)) != NULL) {
 #ifdef SSL_set_tlsext_host_name

diff --git a/plugins/sslutils.c b/plugins/sslutils.c index c9882c6..4f9c793 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c
@@ -49,28 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
49		49
50	int np_net_ssl_init_with_hostname_version_and_cert(int sd, char host_name, int version, char cert, char *privkey) {	50	int np_net_ssl_init_with_hostname_version_and_cert(int sd, char host_name, int version, char cert, char *privkey) {
51	SSL_METHOD *method = NULL;	51	SSL_METHOD *method = NULL;
		52	long options = 0;
52		53
53	switch (version) {	54	switch (version) {
54	case 0: /* Deafult to auto negotiation */	55	case MP_SSLv2: /* SSLv2 protocol */
55	method = SSLv23_client_method();
56	break;
57	case 1: /* TLSv1 protocol */
58	method = TLSv1_client_method();
59	break;
60	case 2: /* SSLv2 protocol */
61	#if defined(USE_GNUTLS) \|\| defined(OPENSSL_NO_SSL2)	56	#if defined(USE_GNUTLS) \|\| defined(OPENSSL_NO_SSL2)
62	printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));	57	printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
63	return STATE_CRITICAL;	58	return STATE_UNKNOWN;
64	#else	59	#else
65	method = SSLv2_client_method();	60	method = SSLv2_client_method();
66	#endif
67	break;	61	break;
68	case 3: /* SSLv3 protocol */	62	#endif
		63	case MP_SSLv3: /* SSLv3 protocol */
		64	#if defined(OPENSSL_NO_SSL3)
		65	printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
		66	return STATE_UNKNOWN;
		67	#else
69	method = SSLv3_client_method();	68	method = SSLv3_client_method();
70	break;	69	break;
71	default: /* Unsupported */	70	#endif
72	printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));	71	case MP_TLSv1: /* TLSv1 protocol */
73	return STATE_CRITICAL;	72	#if defined(OPENSSL_NO_TLS1)
		73	printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
		74	return STATE_UNKNOWN;
		75	#else
		76	method = TLSv1_client_method();
		77	break;
		78	#endif
		79	case MP_TLSv1_1: /* TLSv1.1 protocol */
		80	#if !defined(SSL_OP_NO_TLSv1_1)
		81	printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
		82	return STATE_UNKNOWN;
		83	#else
		84	method = TLSv1_1_client_method();
		85	break;
		86	#endif
		87	case MP_TLSv1_2: /* TLSv1.2 protocol */
		88	#if !defined(SSL_OP_NO_TLSv1_2)
		89	printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
		90	return STATE_UNKNOWN;
		91	#else
		92	method = TLSv1_2_client_method();
		93	break;
		94	#endif
		95	case MP_TLSv1_2_OR_NEWER:
		96	#if !defined(SSL_OP_NO_TLSv1_1)
		97	printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
		98	return STATE_UNKNOWN;
		99	#else
		100	options \|= SSL_OP_NO_TLSv1_1;
		101	#endif
		102	/* FALLTHROUGH */
		103	case MP_TLSv1_1_OR_NEWER:
		104	#if !defined(SSL_OP_NO_TLSv1)
		105	printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
		106	return STATE_UNKNOWN;
		107	#else
		108	options \|= SSL_OP_NO_TLSv1;
		109	#endif
		110	/* FALLTHROUGH */
		111	case MP_TLSv1_OR_NEWER:
		112	#if defined(SSL_OP_NO_SSLv3)
		113	options \|= SSL_OP_NO_SSLv3;
		114	#endif
		115	/* FALLTHROUGH */
		116	case MP_SSLv3_OR_NEWER:
		117	#if defined(SSL_OP_NO_SSLv2)
		118	options \|= SSL_OP_NO_SSLv2;
		119	#endif
		120	case MP_SSLv2_OR_NEWER:
		121	/* FALLTHROUGH */
		122	default: /* Default to auto negotiation */
		123	method = SSLv23_client_method();
74	}	124	}
75	if (!initialized) {	125	if (!initialized) {
76	/* Initialize SSL context */	126	/* Initialize SSL context */
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
94	#endif	144	#endif
95	}	145	}
96	#ifdef SSL_OP_NO_TICKET	146	#ifdef SSL_OP_NO_TICKET
97	SSL_CTX_set_options(c, SSL_OP_NO_TICKET);	147	options \|= SSL_OP_NO_TICKET;
98	#endif	148	#endif
		149	SSL_CTX_set_options(c, options);
99	SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);	150	SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
100	if ((s = SSL_new(c)) != NULL) {	151	if ((s = SSL_new(c)) != NULL) {
101	#ifdef SSL_set_tlsext_host_name	152	#ifdef SSL_set_tlsext_host_name