1 files changed, 66 insertions, 15 deletions

diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index c9882c69..4f9c793c 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -49,28 +49,78 @@ int np_net_ssl_init_with_hostname_and_version(int sd, char *host_name, int versi
 
 int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int version, char *cert, char *privkey) {
 	SSL_METHOD *method = NULL;
+	long options = 0;
 
 	switch (version) {
-	case 0: /* Deafult to auto negotiation */
-		method = SSLv23_client_method();
-		break;
-	case 1: /* TLSv1 protocol */
-		method = TLSv1_client_method();
-		break;
-	case 2: /* SSLv2 protocol */
+	case MP_SSLv2: /* SSLv2 protocol */
 #if defined(USE_GNUTLS) || defined(OPENSSL_NO_SSL2)
-		printf(("%s\n", _("CRITICAL - SSL protocol version 2 is not supported by your SSL library.")));
-		return STATE_CRITICAL;
+		printf("%s\n", _("UNKNOWN - SSL protocol version 2 is not supported by your SSL library."));
+		return STATE_UNKNOWN;
 #else
 		method = SSLv2_client_method();
-#endif
 		break;
-	case 3: /* SSLv3 protocol */
+#endif
+	case MP_SSLv3: /* SSLv3 protocol */
+#if defined(OPENSSL_NO_SSL3)
+		printf("%s\n", _("UNKNOWN - SSL protocol version 3 is not supported by your SSL library."));
+		return STATE_UNKNOWN;
+#else
 		method = SSLv3_client_method();
 		break;
-	default: /* Unsupported */
-		printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
-		return STATE_CRITICAL;
+#endif
+	case MP_TLSv1: /* TLSv1 protocol */
+#if defined(OPENSSL_NO_TLS1)
+		printf("%s\n", _("UNKNOWN - TLS protocol version 1 is not supported by your SSL library."));
+		return STATE_UNKNOWN;
+#else
+		method = TLSv1_client_method();
+		break;
+#endif
+	case MP_TLSv1_1: /* TLSv1.1 protocol */
+#if !defined(SSL_OP_NO_TLSv1_1)
+		printf("%s\n", _("UNKNOWN - TLS protocol version 1.1 is not supported by your SSL library."));
+		return STATE_UNKNOWN;
+#else
+		method = TLSv1_1_client_method();
+		break;
+#endif
+	case MP_TLSv1_2: /* TLSv1.2 protocol */
+#if !defined(SSL_OP_NO_TLSv1_2)
+		printf("%s\n", _("UNKNOWN - TLS protocol version 1.2 is not supported by your SSL library."));
+		return STATE_UNKNOWN;
+#else
+		method = TLSv1_2_client_method();
+		break;
+#endif
+	case MP_TLSv1_2_OR_NEWER:
+#if !defined(SSL_OP_NO_TLSv1_1)
+		printf("%s\n", _("UNKNOWN - Disabling TLSv1.1 is not supported by your SSL library."));
+		return STATE_UNKNOWN;
+#else
+		options |= SSL_OP_NO_TLSv1_1;
+#endif
+		/* FALLTHROUGH */
+	case MP_TLSv1_1_OR_NEWER:
+#if !defined(SSL_OP_NO_TLSv1)
+		printf("%s\n", _("UNKNOWN - Disabling TLSv1 is not supported by your SSL library."));
+		return STATE_UNKNOWN;
+#else
+		options |= SSL_OP_NO_TLSv1;
+#endif
+		/* FALLTHROUGH */
+	case MP_TLSv1_OR_NEWER:
+#if defined(SSL_OP_NO_SSLv3)
+		options |= SSL_OP_NO_SSLv3;
+#endif
+		/* FALLTHROUGH */
+	case MP_SSLv3_OR_NEWER:
+#if defined(SSL_OP_NO_SSLv2)
+		options |= SSL_OP_NO_SSLv2;
+#endif
+	case MP_SSLv2_OR_NEWER:
+		/* FALLTHROUGH */
+	default: /* Default to auto negotiation */
+		method = SSLv23_client_method();
 	}
 	if (!initialized) {
 		/* Initialize SSL context */
@@ -94,8 +144,9 @@ int np_net_ssl_init_with_hostname_version_and_cert(int sd, char *host_name, int
 #endif
 	}
 #ifdef SSL_OP_NO_TICKET
-	SSL_CTX_set_options(c, SSL_OP_NO_TICKET);
+	options |= SSL_OP_NO_TICKET;
 #endif
+	SSL_CTX_set_options(c, options);
 	SSL_CTX_set_mode(c, SSL_MODE_AUTO_RETRY);
 	if ((s = SSL_new(c)) != NULL) {
 #ifdef SSL_set_tlsext_host_name