# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1397515507 -7200
# Node ID 30ac122acdd391e9f52f6feb9a3cd1b47346685f
# Parent  6999d4415a58e6638f3d33e8d8cc1efe6c1d81ba
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols

diff -r 6999d4415a58 -r 30ac122acdd3 core/certmanager.lua
--- a/core/certmanager.lua	Tue Apr 15 00:32:11 2014 +0200
+++ b/core/certmanager.lua	Tue Apr 15 00:45:07 2014 +0200
@@ -36,9 +36,9 @@
 
 local core_defaults = {
 	capath = "/etc/ssl/certs";
-	protocol = "sslv23";
+	protocol = "tlsv1+";
 	verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
-	options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
+	options = { "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
 	verifyext = { "lsec_continue", "lsec_ignore_purpose" };
 	curve = "secp384r1";
 	ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
@@ -77,6 +77,9 @@
 	return o;
 end
 
+local protocols = { "sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2" };
+for i = 1, #protocols do protocols[protocols[i] .. "+"] = i - 1; end
+
 function create_context(host, mode, user_ssl_config)
 	user_ssl_config = user_ssl_config or {}
 	user_ssl_config.mode = mode;
@@ -97,6 +100,14 @@
 		end
 	end
 
+	local min_protocol = protocols[user_ssl_config.protocol];
+	if min_protocol then
+		user_ssl_config.protocol = "sslv23";
+		for i = min_protocol, 1, -1 do
+			user_ssl_config.options["no_"..protocols[i]] = true;
+		end
+	end
+
 	for option in pairs(set_options) do
 		local merged = {};
 		merge_set(core_defaults[option], merged);