From 4864ee17347323d7f5446c0a079c8a8728be30d9 Mon Sep 17 00:00:00 2001
From: Elias Norberg
Date: Fri, 1 May 2020 14:08:02 +0200
Subject: [PATCH] Always set security level to 0 for openssl versions >= 1.1.0

In version 1.1.0 of OpenSSL, a security level was introduced that enforces specific settings for certificates etc. This PR sets the security level to 0, to retain the functionality that previous versions of openssl had, and preventing errors like:

140088222534656:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:310

See https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html for more information about security levels.

Signed-off-by: Elias Norberg
Signed-off-by: Daniel Lenski
---
 openssl.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/openssl.c b/openssl.c
index ac0d919a..5f71139e 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1698,6 +1698,17 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 		SSL_CTX_set_options(vpninfo->https_ctx, SSL_OP_NO_TICKET);
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x010100000L
+	/* OpenSSL versions after 1.1.0 added the notion of a "security level"
+	 * that enforces checks on certificates and ciphers.
+	 * These security levels overlap in functionality with the ciphersuite
+	 * priority/allow-strings.
+	 *
+	 * For now we will set the security level to 0, thus reverting
+	 * to the functionality seen in versions before 1.1.0. */
+	SSL_CTX_set_security_level(vpninfo->https_ctx, 0);
+#endif
+
 	if (vpninfo->cert) {
 		err = load_certificate(vpninfo);
 		if (!err && !SSL_CTX_check_private_key(vpninfo->https_ctx)) {
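Review bot: The version guard `#if OPENSSL_VERSION_NUMBER >= 0x010100000L` has nine hex digits, whereas OPENSSL_VERSION_NUMBER is an eight-digit value (1.1.0 is 0x10100000L); as written the constant is larger than any real OpenSSL version, so the block is never compiled and the commit does not achieve what its message describes — unless the extra digit is a transcription artifact of this listing, the line should read `#if OPENSSL_VERSION_NUMBER >= 0x10100000L`. Separately, level 0 removes every minimum-strength check OpenSSL applies (weak signature digests, short keys, legacy ciphers) for all connections made through this context, not only the one the "ca md too weak" error arises from; the comment should state that trade-off explicitly, and a follow-up could confine the downgrade to when the user's certificate chain actually fails at the default level and log a warning when it is applied, so the reduced protection is visible to the operator. openconnect_open_https continues outside the hunk on both sides.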