From a77adb886ef7ed2efa8441dcd823d5f7e3f97183 Mon Sep 17 00:00:00 2001
From: manuel
Date: Wed, 22 Jan 2025 14:12:55 +0100
Subject: Do not enable legacy TLS version any longer

---
 qmail-remote.c | 1 -
 qmail-smtpd.c | 2 --
 2 files changed, 3 deletions(-)

diff --git a/qmail-remote.c b/qmail-remote.c
index a743e06..14114cf 100644
--- a/qmail-remote.c
+++ b/qmail-remote.c
@@ -487,7 +487,6 @@ static int tls_init(struct ip_mx *current_mx)
 smtptext.len = 0;
 tls_quit_error("ZTLS error initializing ctx");
 }
- SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
 /* TLS renegotiation is possible cpu resource attack */
 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
 /* SMTP does not suffer from truncation attacks due to its application framing */
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index 1c26031..de125b8 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -1370,8 +1370,6 @@ void tls_init()
 /* a new SSL context with the bare minimum of options */
 ctx = SSL_CTX_new(TLS_server_method());
 if (!ctx) { tls_err("unable to initialize ctx"); return; }
- SSL_CTX_set_min_proto_version(ctx, (*childargs) ? TLS1_2_VERSION : TLS1_VERSION);
- if (!*childargs) SSL_CTX_set_security_level(ctx, 0);
 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_PRIORITIZE_CHACHA);
 /* TLS renegotiation is possible cpu resource attack */
-- 
cgit v1.2.3
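Review bot: With `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION)` removed and nothing put in its place, the qmail-remote.c context no longer pins a protocol floor in code; the effective minimum is now whatever the linked OpenSSL build and its system configuration default to, which neither the hunk nor the commit message states. If the intent is "no legacy TLS", the explicit floor should be raised rather than dropped: `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);`. The same applies to the qmail-smtpd.c hunk, where the removed line enforced TLS1_2_VERSION whenever `*childargs` was set and the new code enforces no minimum at all; dropping `SSL_CTX_set_security_level(ctx, 0)` does remove the explicit weakening, but the floor still deserves to be stated in code rather than inherited from library defaults. For the outbound side, whether a strict floor is the right policy depends on how the caller handles a failed handshake, which is not visible here and is presumably worth a sentence in the commit message. Both tls_init bodies continue outside their hunks.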