From f9fb3bf6bc141444924bc949ddf76d73c3df3e49 Mon Sep 17 00:00:00 2001
From: Pavel Moravec <pmoravec@apache.org>
Date: Tue, 5 Jan 2016 12:59:09 +0000
Subject: QPID-6966: C++ broker and client to support TLS1.1 and TLS1.2 by
 default

git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1723066 13f79535-47bb-0310-9956-ffa450edef68
---
 qpid/cpp/src/qpid/sys/ssl/util.cpp | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

(limited to 'qpid/cpp/src')

diff --git a/qpid/cpp/src/qpid/sys/ssl/util.cpp b/qpid/cpp/src/qpid/sys/ssl/util.cpp
index 9f5493cbbf..e527606fde 100644
--- a/qpid/cpp/src/qpid/sys/ssl/util.cpp
+++ b/qpid/cpp/src/qpid/sys/ssl/util.cpp
@@ -110,12 +110,17 @@ void initNSS(const SslOptions& options, bool server)
 
     // disable SSLv2 and SSLv3 versions of the protocol - they are
     // no longer considered secure
-    SSLVersionRange vrange;
+    SSLVersionRange drange, srange; // default and supported ranges
     const uint16_t tlsv1 = 0x0301;  // Protocol version for TLSv1.0
-    NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &vrange));
-    if (vrange.min < tlsv1) {
-        vrange.min = tlsv1;
-        NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &vrange));
+    NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &drange));
+    NSS_CHECK(SSL_VersionRangeGetSupported(ssl_variant_stream, &srange));
+    if (drange.min < tlsv1) {
+        drange.min = tlsv1;
+        NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));
+    }
+    if (srange.max > drange.max) {
+        drange.max = srange.max;
+        NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));
     }
 }
 
-- 
cgit v1.2.1