Merge pull request #2625 from libgit2/cmn/ssl-tls

ssl: dump the SSL ciphers in favour of TLS
2025-11-04 10:33:00 +00:00 · 2014-10-23 08:27:13 -07:00 · 2014-10-23 08:27:13 -07:00 · d676af43da
commit d676af43da
parent 943fde7f8c f0f9737094
1 changed files with 13 additions and 0 deletions
--- a/src/global.c
+++ b/src/global.c
@ -71,7 +71,20 @@ static void init_ssl(void)
 #ifdef GIT_SSL
 	SSL_load_error_strings();
 	OpenSSL_add_ssl_algorithms();
+	/*
+	 * Load SSLv{2,3} and TLSv1 so that we can talk with servers
+	 * which use the SSL hellos, which are often used for
+	 * compatibility. We then disable SSL so we only allow OpenSSL
+	 * to speak TLSv1 to perform the encryption itself.
+	 */
 	git__ssl_ctx = SSL_CTX_new(SSLv23_method());
+	SSL_CTX_set_options(git__ssl_ctx,
+			    SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
+	/* Older OpenSSL and MacOS OpenSSL doesn't have this */
+# ifdef SSL_OP_NO_COMPRESSION
+			    | SSL_OP_NO_COMPRESSION
+# endif
+		);
 	SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
 	SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
 	if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {