ITS#8904 - Ensure SSLv3 is enabled when necessary

Either at compilation time, or as a system-wide configuration, OpenSSL may have disabled SSLv3 protocol by default. This change ensures the protocol NO flag is cleared when necessary, hence allowing for the protocol to be used.

ITS#8904 - Ensure SSLv3 is enabled when necessary
Either at compilation time, or as a system-wide configuration, OpenSSL may have disabled SSLv3 protocol by default. This change ensures the protocol NO flag is cleared when necessary, hence allowing for the protocol to be used.
1cb4d2f0 · Matus Honek · Quanah Gibson-Mount · 00313d61 · 1cb4d2f0
Commit 1cb4d2f0 authored Feb 25, 2021 by Matus Honek Committed by Quanah Gibson-Mount Feb 26, 2021
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -317,8 +317,10 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 #endif
 	if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
 		SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
-	else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
+	else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 ) {
 		SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
+		SSL_CTX_clear_options( ctx, SSL_OP_NO_SSLv3 );
+	}

 	if ( lo->ldo_tls_ciphersuite &&
 		!SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )