diff --git a/client/common/cmdline.c b/client/common/cmdline.c
index 598b7287f..ee1755d35 100644
--- a/client/common/cmdline.c
+++ b/client/common/cmdline.c
@@ -2895,6 +2895,10 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
 
 settings->TlsSecLevel = (UINT32)val;
 }
+ CommandLineSwitchCase(arg, "enforce-tlsv1_2")
+ {
+ settings->EnforceTLSv1_2 = enable;
+ }
 CommandLineSwitchCase(arg, "cert")
 {
 int rc = 0;
diff --git a/client/common/cmdline.h b/client/common/cmdline.h
index d53d2a5c1..6bd678c2d 100644
--- a/client/common/cmdline.h
+++ b/client/common/cmdline.h
@@ -369,6 +369,8 @@ static const COMMAND_LINE_ARGUMENT_A global_cmd_args[] = {
 "Allowed TLS ciphers" },
 { "tls-seclevel", COMMAND_LINE_VALUE_REQUIRED, "", "1", NULL, -1, NULL,
 "TLS security level - defaults to 1" },
+ { "enforce-tlsv1_2", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueFalse, NULL, -1, NULL,
+ "Use TLS1.2 for connection." },
 { "toggle-fullscreen", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL,
 "Alt+Ctrl+Enter to toggle fullscreen" },
 { "tune", COMMAND_LINE_VALUE_REQUIRED, ",", "", NULL, -1, NULL,
diff --git a/include/freerdp/settings.h b/include/freerdp/settings.h
index aa789e9c9..9eb06c422 100644
--- a/include/freerdp/settings.h
+++ b/include/freerdp/settings.h
@@ -635,6 +635,7 @@ typedef struct
 #define FreeRDP_NtlmSamFile (1103)
 #define FreeRDP_FIPSMode (1104)
 #define FreeRDP_TlsSecLevel (1105)
+#define FreeRDP_EnforceTLSv1_2 (1107)
 #define FreeRDP_SspiModule (1106)
 #define FreeRDP_MstscCookieMode (1152)
 #define FreeRDP_CookieMaxLength (1153)
@@ -1123,7 +1124,8 @@ struct rdp_settings
 ALIGN64 BOOL FIPSMode; /* 1104 */
 ALIGN64 UINT32 TlsSecLevel; /* 1105 */
 ALIGN64 char* SspiModule; /* 1106 */
- UINT64 padding1152[1152 - 1107]; /* 1107 */
+ ALIGN64 BOOL EnforceTLSv1_2; /* 1107 */
+ UINT64 padding1152[1152 - 1108]; /* 1108 */
 
 /* Connection Cookie */
 ALIGN64 BOOL MstscCookieMode; /* 1152 */
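Review bot: The help string added in the cmdline.h hunk, `"Use TLS1.2 for connection."`, does not tell the user what the switch actually does: with the tls.c change the handshake is pinned to exactly TLS 1.2, so enabling it also disables TLS 1.3 rather than only raising the floor. A user reading "enforce" could reasonably expect "at least 1.2". I would change the string to `"Restrict the TLS handshake to exactly TLS 1.2 (disables TLS 1.3)"` so the security trade-off is visible in `--help`. The same wording should go into the manpage entry if the option is documented there, which is not part of this diff.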
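Review bot: In the first settings.h hunk, `#define FreeRDP_EnforceTLSv1_2 (1107)` is inserted between 1105 and 1106, breaking the ascending index order that every surrounding line follows; move it to just after `#define FreeRDP_SspiModule (1106)` so the define list and the struct layout in the second hunk read in the same order. The struct change itself is consistent: the new `ALIGN64 BOOL` takes slot 1107 and `padding1152[1152 - 1108]` keeps the block at the same size. If the id-based settings accessors are generated from these defines, they would need regenerating as well; that is not visible in this diff, so please confirm.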
diff --git a/libfreerdp/crypto/tls.c b/libfreerdp/crypto/tls.c
index 39e8b9e04..89b6b5af9 100644
--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
@@ -862,7 +862,7 @@ int tls_connect(rdpTls* tls, BIO* underlying)
 
 if (!tls_prepare(tls, underlying, SSLv23_client_method(), options, TRUE))
 #else
- if (!tls_prepare(tls, underlying, TLS_client_method(), options, TRUE))
+ if (!tls_prep(tls, underlying, options, TRUE))
 #endif
 return 0;
 
@@ -872,6 +872,18 @@ int tls_connect(rdpTls* tls, BIO* underlying)
 return tls_do_handshake(tls, TRUE);
 }
 
+BOOL tls_prep(rdpTls* tls, BIO* underlying, int options, BOOL clientMode)
+{
+ if (tls->settings->EnforceTLSv1_2)
+ {
+ return tls_prepare(tls, underlying, TLSv1_2_client_method(), options, TRUE);
+ }
+ else
+ {
+ return tls_prepare(tls, underlying, TLS_client_method(), options, TRUE);
+ }
+}
+
 #if defined(MICROSOFT_IOS_SNI_BUG) && !defined(OPENSSL_NO_TLSEXT) && \
 !defined(LIBRESSL_VERSION_NUMBER)
 static void tls_openssl_tlsext_debug_callback(SSL* s, int client_server, int type,
</gr_insert_placeholder_never_used>
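Review bot: `tls_prep` is called from `tls_connect` in the first hunk but only defined after it in the second, and no prototype is added anywhere in this diff; unless a declaration lands in a header outside the patch, this is an implicit declaration, which newer compilers reject and older ones accept with an assumed `int` return. Declare it before `tls_connect` (and make it `static`, since nothing outside tls.c needs it): `static BOOL tls_prep(rdpTls* tls, BIO* underlying, int options, BOOL clientMode);`. Note also that the replacement sits only in the `#else` branch, so on the pre-1.1.0 `SSLv23_client_method()` build the new `EnforceTLSv1_2` setting is silently ignored; at minimum a comment on the `#if` branch should say so. The body of `tls_connect` begins and ends outside this hunk.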
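Review bot: `clientMode` is accepted by the new `tls_prep` but never used; both branches pass a hard-coded `TRUE` to `tls_prepare`, so either forward it (`return tls_prepare(tls, underlying, TLSv1_2_client_method(), options, clientMode);` in both returns) or drop the parameter. `TLSv1_2_client_method()` is also deprecated since OpenSSL 1.1.0 and is compiled out when OpenSSL is built with `OPENSSL_NO_TLS1_2_METHOD`, so this branch will fail to link on such builds; the supported way to pin the version is to keep `TLS_client_method()` and clamp the context with `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)`, which would have to happen inside `tls_prepare` where the context is created (not visible here). The function also needs a header comment stating that enabling the setting excludes TLS 1.3, not just older versions.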