From f420d8e5902fbf1d15de51594bf68bb4fc27295d Mon Sep 17 00:00:00 2001
From: deuce <>
Date: Thu, 23 Jan 2020 17:27:47 +0000
Subject: [PATCH] While we're making ssllabs happy, disable TLS 1.0 and 1.1 in
 the web server only (you can still use them from JS etc).

---
 src/sbbs3/websrvr.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/sbbs3/websrvr.c b/src/sbbs3/websrvr.c
index 457b0459e0..dcb98a9df8 100644
--- a/src/sbbs3/websrvr.c
+++ b/src/sbbs3/websrvr.c
@@ -6298,6 +6298,7 @@ void http_session_thread(void* arg)
 		BOOL nodelay=TRUE;
 		setsockopt(session.socket,IPPROTO_TCP,TCP_NODELAY,(char*)&nodelay,sizeof(nodelay));
 
+		HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_SSL_OPTIONS, CRYPT_SSLOPTION_MINVER_TLS12), &session, "setting TLS minver to 1.2");
 		HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_NETWORKSOCKET, session.socket), &session, "setting network socket");
 		if (!HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_ACTIVE, 1), &session, "setting session active")) {
 			unlock_ssl_cert();
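Review bot: The result of the added `HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_SSL_OPTIONS, CRYPT_SSLOPTION_MINVER_TLS12), ...)` is discarded, so if setting the option fails the code still sets the socket and activates the session. In that case the session presumably runs with the library's default minimum version, and TLS 1.0/1.1 would be negotiable again with nothing but whatever HANDLE_CRYPT_CALL logs to show for it. Because this line is what enforces the policy, it should fail closed like the CRYPT_SESSINFO_ACTIVE call two lines below: `if (!HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_SSL_OPTIONS, CRYPT_SSLOPTION_MINVER_TLS12), &session, "setting TLS minver to 1.2")) {` followed by the same cleanup as the activation failure. That cleanup begins at `unlock_ssl_cert();` and continues outside the hunk, so the exact statements to reuse are not visible here. A short comment such as `/* web server only: refuse TLS < 1.2; other TLS users keep the library default */` would also record the scope stated in the commit message next to the code.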
-- 
GitLab