Deprecate -L/--tlsenforce and -T/--no-ssl3.

2026-01-23 02:34:59 +00:00 · 2024-01-30 19:46:15 +01:00 · 2024-01-30 19:46:15 +01:00 · 945f205796
commit 945f205796
parent 33399b3312
4 changed files with 17 additions and 28 deletions
--- a/cmdline.c
+++ b/cmdline.c
@ -69,8 +69,8 @@ void cmdline_parser_print_help (void) {
 "                            setups)\n"
 " -B, --buggy-encrypt-proxy  Equivalent to -E -W, provided for backwards\n"
 "                            compatibility\n"
-" -L, --tlsenforce           Enforce TLSv1 connection (legacy)\n"
-" -T, --no-ssl3              Do not connect using SSLv3 (legacy)\n"
+/*" -L, --tlsenforce           Enforce TLSv1 connection (legacy)\n"
+" -T, --no-ssl3              Do not connect using SSLv3 (legacy)\n"*/
 " -z, --no-check-certificate Don't verify server SSL certificate\n"
 " -C, --cacert=STRING        Path to trusted CA certificate or directory\n"
 #endif
@ -161,7 +161,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 	args_info->clientkey_given = 0;
 	args_info->wa_bug_29744_given = 0;
 	args_info->proctitle_given = 0;
-	args_info->enforcetls1_given = 0;
+	/* args_info->enforcetls1_given = 0; */
 	args_info->host_given = 0;
 	args_info->cacert_given = 0;

@ -194,9 +194,9 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 	args_info->clientcert_arg = NULL; \
 	args_info->clientkey_arg = NULL; \
 	args_info->wa_bug_29744_flag = 0; \
-	args_info->no_ssl3_flag = 0; \
+	/* args_info->no_ssl3_flag = 0; */\
 	args_info->proctitle_arg = NULL; \
-	args_info->enforcetls1_flag = 0; \
+	/* args_info->enforcetls1_flag = 0; */\
 	args_info->host_arg = NULL; \
 	args_info->no_check_cert_flag = 0; \
 	args_info->cacert_arg = NULL; \
@ -350,9 +350,10 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 				break;

 			case 'L':
-				args_info->enforcetls1_given = 1;
+				/* args_info->enforcetls1_given = 1;
 				message("Enforcing TLSv1\n");
-				args_info->enforcetls1_flag = 1;
+				args_info->enforcetls1_flag = 1; */
+				message ("Option -L/--tlsenforce is deprecated and without effect\n");
 				break;

 			case 'o':
@ -447,9 +448,10 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 				break;

 			case 'T':   /* Turn off SSLv3 */
-				args_info->no_ssl3_flag = !(args_info->no_ssl3_flag);
+				/* args_info->no_ssl3_flag = !(args_info->no_ssl3_flag);
 				if( args_info->verbose_flag )
-					message("SSLv3 disabled\n");
+					message("SSLv3 disabled\n"); */
+				message ("Option -T/--no-ssl3 is deprecated and without effect\n");
 				break;

 			case 'd':	/* Destination host to built the tunnel to.  */
--- a/cmdline.h
+++ b/cmdline.h
@ -53,9 +53,9 @@ struct gengetopt_args_info {
 	char *clientcert_arg;	/* client SSL certificate */
 	char *clientkey_arg;	/* client SSL key */
 	int wa_bug_29744_flag;	/* Use SSL encryption only until CONNECT, if at all (def=off).*/
-	int no_ssl3_flag;		/* Turn off SSLv3 (default=on) */
+	/* int no_ssl3_flag;		 Turn off SSLv3 (default=on) */
 	char *proctitle_arg;	/* Override process title (default=off). */
-	int enforcetls1_flag;    /* Override default and enforce TLSv1 */
+	/* int enforcetls1_flag;     Override default and enforce TLSv1 */
 	char *host_arg;         /* Optional Host Header */
 	int no_check_cert_flag;	/* Turn off server SSL certificate verification (default=on) */
 	int enforceipv4_flag;   /* Enforce IPv4 (default=off). */
@ -90,7 +90,7 @@ struct gengetopt_args_info {
 	int clientkey_given;	/* Whether client SSL key was given */
 	int wa_bug_29744_given;	/* Whether work around was given */
 	int proctitle_given;	/* Whether to override process title */
-	int enforcetls1_given;   /* Wheter to enforce TLSv1 */
+	/* int enforcetls1_given;    Wheter to enforce TLSv1 */
 	int host_given;         /* Wheter we override the Host Header */
 	int cacert_given;		/* Whether cacert was given */
 };
--- a/docs/proxytunnel.1.adoc
+++ b/docs/proxytunnel.1.adoc
@ -61,12 +61,6 @@ also be used for other proxy-traversing purposes like proxy bouncing.
 *-B*, *--buggy-encrypt-proxy*::
    Equivalent to *-E -W* (Provided for backwards compatibility).

-*-L*, *--tlsenforce*::
-    Enforce TLSv1 connection (legacy).
-
-*-T*, *--no-ssl3*::
-    Prevent the use of SSLv3 in encrypted connections (default: enabled).
-
 *-z*, *--no-check-certificate*::
    Do not verify server SSL certificate when establishing an SSL connection.
    By default, the server SSL certificate is verified and the target host name
--- a/ptstream.c
+++ b/ptstream.c
@ -226,7 +226,6 @@ int check_cert_names(X509 *cert, char *peer_host) {
 				if (check_cert_valid_host((char*)ASN1_STRING_get0_data(gn->d.ia5), peer_host)) {
 #else
 				if (check_cert_valid_host((char*)ASN1_STRING_data(gn->d.ia5), peer_host)) {
-
 #endif
 					return 1;
 				}
@ -281,21 +280,15 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) {

 	/* Initialise the connection */
 	SSLeay_add_ssl_algorithms();
-	if (args_info.enforcetls1_flag) {
 #ifdef OPENSSL11
-		meth = TLS_client_method();
+	meth = TLS_client_method();
 #else
-		meth = TLSv1_client_method();
+	meth = SSLv23_client_method();
 #endif
-	} else {
-		meth = SSLv23_client_method();
-	}
 	SSL_load_error_strings();

 	ctx = SSL_CTX_new (meth);
-	if (args_info.no_ssl3_flag) {
-		ssl_options |= SSL_OP_NO_SSLv3;
-	}
+	ssl_options |= SSL_OP_NO_SSLv3;
 	SSL_CTX_set_options (ctx, ssl_options);

 	if ( !args_info.no_check_cert_flag ) {