From adef139a75b346fdafed9a18f983a5350c5b8166 Mon Sep 17 00:00:00 2001
From: Valentino Geron
Date: Wed, 12 Jul 2023 09:20:56 +0300
Subject: Remove support in deprecated TLS versions 1.0 and 1.1 (#1205)
---
 ssl.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/ssl.c b/ssl.c
index 88bd9f3..21ff359 100644
--- a/ssl.c
+++ b/ssl.c
@@ -59,6 +59,8 @@
 #include "async_private.h"
 #include "hiredis_ssl.h"
+#define OPENSSL_1_1_0 0x10100000L
+
 void __redisSetError(redisContext *c, int type, const char *str);
 struct redisSSLContext {
@@ -100,7 +102,7 @@ redisContextFuncs redisContextSSLFuncs;
 * Note that this is only required for OpenSSL < 1.1.0.
 */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < OPENSSL_1_1_0
 #define HIREDIS_USE_CRYPTO_LOCKS
 #endif
@@ -256,13 +258,25 @@ redisSSLContext *redisCreateSSLContextWithOptions(redisSSLOptions *options, redi
 if (ctx == NULL) goto error;
- ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+ const SSL_METHOD *ssl_method;
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_1_1_0
+ ssl_method = TLS_client_method();
+#else
+ ssl_method = SSLv23_client_method();
+#endif
+
+ ctx->ssl_ctx = SSL_CTX_new(ssl_method);
 if (!ctx->ssl_ctx) { if (error) *error = REDIS_SSL_CTX_CREATE_FAILED; goto error; }
- SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_1_1_0
+ SSL_CTX_set_min_proto_version(ctx->ssl_ctx, TLS1_2_VERSION);
+#else
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
+#endif
+
 SSL_CTX_set_verify(ctx->ssl_ctx, options->verify_mode, NULL);
 if ((cert_filename != NULL && private_key_filename == NULL) ||
-- 
cgit v1.2.3
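Review bot: The return value of `SSL_CTX_set_min_proto_version(ctx->ssl_ctx, TLS1_2_VERSION)` in the third hunk is discarded, so if OpenSSL rejects the setting the context is still handed back with the library's default floor and TLS 1.0/1.1 remain negotiable, which is exactly what this commit intends to rule out. Mirror the failure branch already used for `SSL_CTX_new` a few lines above: `if (!SSL_CTX_set_min_proto_version(ctx->ssl_ctx, TLS1_2_VERSION)) {` followed by `if (error) *error = REDIS_SSL_CTX_CREATE_FAILED;` and `goto error;`. The pre-1.1.0 `#else` branch depends on `SSL_OP_NO_TLSv1_1` being defined, which I believe the earliest 1.0.x releases lack, so that path may need its own version guard — worth confirming against the oldest OpenSSL the project still builds with. `redisCreateSSLContextWithOptions` begins and ends outside the hunk.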