Add setSSLVersion call to SSL object (#7920)

* Add setSSLVersion call to SSL object Allow users to only allow specific TLS versions for connections with an additional call in their app, similar to the setCiphers call. Fixes #7918 * Add SSL level options to WiFiServerSecure
2025-09-08 06:28:00 +03:00 · 2021-03-15 12:22:06 -07:00
parent dcdd4313cb
commit 7475ba7ff3
6 changed files with 68 additions and 11 deletions
--- a/libraries/ESP8266WiFi/src/WiFiServerSecureBearSSL.cpp
+++ b/libraries/ESP8266WiFi/src/WiFiServerSecureBearSSL.cpp
@@ -79,13 +79,13 @@ WiFiClientSecure WiFiServerSecure::available(uint8_t* status) {
  (void) status; // Unused
  if (_unclaimed) {
    if (_sk && _sk->isRSA()) {
-      WiFiClientSecure result(_unclaimed, _chain, _sk, _iobuf_in_size, _iobuf_out_size, _cache, _client_CA_ta);
+      WiFiClientSecure result(_unclaimed, _chain, _sk, _iobuf_in_size, _iobuf_out_size, _cache, _client_CA_ta, _tls_min, _tls_max);
      _unclaimed = _unclaimed->next();
      result.setNoDelay(_noDelay);
      DEBUGV("WS:av\r\n");
      return result;
    } else if (_sk && _sk->isEC()) {
-      WiFiClientSecure result(_unclaimed, _chain, _cert_issuer_key_type, _sk, _iobuf_in_size, _iobuf_out_size, _cache, _client_CA_ta);
+      WiFiClientSecure result(_unclaimed, _chain, _cert_issuer_key_type, _sk, _iobuf_in_size, _iobuf_out_size, _cache, _client_CA_ta, _tls_min, _tls_max);
      _unclaimed = _unclaimed->next();
      result.setNoDelay(_noDelay);
      DEBUGV("WS:av\r\n");
@@ -101,4 +101,15 @@ WiFiClientSecure WiFiServerSecure::available(uint8_t* status) {
  return WiFiClientSecure();
 }

+bool WiFiServerSecure::setSSLVersion(uint32_t min, uint32_t max) {
+  if ( ((min != BR_TLS10) && (min != BR_TLS11) && (min != BR_TLS12)) ||
+       ((max != BR_TLS10) && (max != BR_TLS11) && (max != BR_TLS12)) ||
+       (max < min) ) {
+    return false; // Invalid options
+  }
+  _tls_min = min;
+  _tls_max = max;
+  return true;
+}
+
 };