Set SSL security level explicitly (#406)

Default value may have been raised in OpenSSL 3, disrupting operation with less secure certificates.
passepartoutvpn · Jan 5, 2024 · faa3c94 · faa3c94
1 parent a255379
commit faa3c94
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - OpenVPN: Bad error mapping. [#404](https://github.com/passepartoutvpn/tunnelkit/pull/404)
+- OpenVPN: Restore default security level. [#406](https://github.com/passepartoutvpn/tunnelkit/pull/406)
 
 ## 6.3.1 (2024-01-05)
 

diff --git a/Sources/CTunnelKitOpenVPNProtocol/TLSBox.m b/Sources/CTunnelKitOpenVPNProtocol/TLSBox.m
@@ -214,9 +214,7 @@ - (BOOL)startWithError:(NSError *__autoreleasing *)error
     self.ctx = SSL_CTX_new(TLS_client_method());
     SSL_CTX_set_options(self.ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
     SSL_CTX_set_verify(self.ctx, SSL_VERIFY_PEER, TLSBoxVerifyPeer);
-    if (self.securityLevel != TLSBoxDefaultSecurityLevel) {
-        SSL_CTX_set_security_level(self.ctx, (int)self.securityLevel);
-    }
+    SSL_CTX_set_security_level(self.ctx, (int)self.securityLevel);
 
     if (self.caPath) {
         if (!SSL_CTX_load_verify_locations(self.ctx, [self.caPath cStringUsingEncoding:NSASCIIStringEncoding], NULL)) {