New option ssl_min_version for OpenSSL 1.1

doc-jp/README.SSL

@@ -27,6 +27,9 @@ SSL サポートについて
         使わないSSLメソッドのリスト(2: SSLv2, 3: SSLv3, t: TLSv1.0,
         5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)
         (デフォルトは2, 3).
+    ssl_min_version
+        最小のSSLバージョン, OpenSSL 1.1以上で有効(TLSv1.0, TLSv1.1,
+        TLSv1.2, TLSv1.3のいずれか) (デフォルトは<NULL>).
     ssl_ciphers
         TLSv1.2以下用のSSL暗号(例: DEFAULT:@SECLEVEL=2) (デフォルトは
         OpenSSL 1.1以上なら<NULL>、それ以外なら"DEFAULT:!LOW:!RC4:!EXP").

fm.h

@@ -1191,6 +1191,9 @@ global int ssl_path_modified init(FALSE);
 				 * defined(USE_SSL_VERIFY) */
 #ifdef USE_SSL
 global char *ssl_forbid_method init("2, 3");
+#ifdef SSL_CTX_set_min_proto_version
+global char *ssl_min_version init(NULL);
+#endif
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 global char *ssl_cipher init("DEFAULT:!LOW:!RC4:!EXP");
 #else

rc.c

@@ -205,6 +205,9 @@ static int OptionEncode = FALSE;
 #define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
 #endif				/* USE_SSL_VERIFY */
 #define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
+#ifdef SSL_CTX_set_min_proto_version
+#define CMT_SSL_MIN_VERSION N_("Minimum SSL version (TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3)")
+#endif
 #define CMT_SSL_CIPHER N_("SSL ciphers for TLSv1.2 and below (e.g. DEFAULT:@SECLEVEL=2)")
 #endif				/* USE_SSL */
 #ifdef USE_COOKIE
@@ -613,6 +616,10 @@ struct param_ptr params6[] = {
 struct param_ptr params7[] = {
     {"ssl_forbid_method", P_STRING, PI_TEXT, (void *)&ssl_forbid_method,
      CMT_SSL_FORBID_METHOD, NULL},
+#ifdef SSL_CTX_set_min_proto_version
+    {"ssl_min_version", P_STRING, PI_TEXT, (void *)&ssl_min_version,
+     CMT_SSL_MIN_VERSION, NULL},
+#endif
     {"ssl_cipher", P_STRING, PI_TEXT, (void *)&ssl_cipher, CMT_SSL_CIPHER,
      NULL},
 #ifdef USE_SSL_VERIFY

url.c

@@ -293,6 +293,38 @@ init_PRNG()
 }
 #endif				/* SSLEAY_VERSION_NUMBER >= 0x00905100 */
 
+#ifdef SSL_CTX_set_min_proto_version
+static int
+str_to_ssl_version(const char *name)
+{
+#ifdef TLS1_3_VERSION
+    if (!strcasecmp(name, "TLSv1.3"))
+	return TLS1_3_VERSION;
+#endif
+#ifdef TLS1_2_VERSION
+    if (!strcasecmp(name, "TLSv1.2"))
+	return TLS1_2_VERSION;
+#endif
+#ifdef TLS1_1_VERSION
+    if (!strcasecmp(name, "TLSv1.1"))
+	return TLS1_1_VERSION;
+#endif
+    if (!strcasecmp(name, "TLSv1.0"))
+	return TLS1_VERSION;
+    if (!strcasecmp(name, "TLSv1"))
+	return TLS1_VERSION;
+    if (!strcasecmp(name, "SSLv3.0"))
+	return SSL3_VERSION;
+    if (!strcasecmp(name, "SSLv3"))
+	return SSL3_VERSION;
+    if (!strcasecmp(name, "SSLv2.0"))
+	return SSL2_VERSION;
+    if (!strcasecmp(name, "SSLv2"))
+	return SSL2_VERSION;
+    return 0;
+}
+#endif				/* SSL_CTX_set_min_proto_version */
+
 static SSL *
 openSSLHandle(int sock, char *hostname, char **p_cert)
 {
@@ -336,6 +368,17 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 #endif
 	if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
 	    goto eend;
+#ifdef SSL_CTX_set_min_proto_version
+	if (ssl_min_version && *ssl_min_version != '\0') {
+	    int sslver;
+	    sslver = str_to_ssl_version(ssl_min_version);
+	    if (sslver <= 0
+		|| !SSL_CTX_set_min_proto_version(ssl_ctx, sslver)) {
+		free_ssl_ctx();
+		goto eend;
+	    }
+	}
+#endif
 	if (ssl_cipher && *ssl_cipher != '\0')
 	    if (!SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher)) {
 		free_ssl_ctx();