X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BoarSSL;a=blobdiff_plain;f=SSLTLS%2FSSLServer.cs;h=71c97d0fd33c8eef531c33826e163eb01395445d;hp=6f39135fab8ab5ecff5215aac26bd1c8be7cadde;hb=a3526e62c383183a1ba5572a3af40912431121fc;hpb=0703319f56ad16f1b0e0632842c41b6a8ebc11e7
diff --git a/SSLTLS/SSLServer.cs b/SSLTLS/SSLServer.cs
index 6f39135..71c97d0 100644
--- a/SSLTLS/SSLServer.cs
+++ b/SSLTLS/SSLServer.cs
@@ -453,6 +453,18 @@ public class SSLServer : SSLEngine {
 * resumption).
 */
 Version = Math.Min(ClientVersionMax, VersionMax);
+ string forcedVersion = GetQuirkString("forceVersion");
+ if (forcedVersion != null) {
+ switch (forcedVersion) {
+ case "TLS10": Version = SSL.TLS10; break;
+ case "TLS11": Version = SSL.TLS11; break;
+ case "TLS12": Version = SSL.TLS12; break;
+ default:
+ throw new Exception(string.Format(
+ "Unknown forced version: '{0}'",
+ forcedVersion));
+ }
+ }
 
 /*
 * Recompute list of acceptable cipher suites. We keep
@@ -471,6 +483,11 @@ public class SSLServer : SSLEngine {
 CommonCipherSuites = new List();
 List commonSuitesResume = new List();
 bool canTLS12 = Version >= SSL.TLS12;
+ bool mustTLS12 = false;
+ if (GetQuirkBool("forceTls12CipherSuite")) {
+ canTLS12 = true;
+ mustTLS12 = true;
+ }
 bool canSignRSA;
 bool canSignECDSA;
 if (Version >= SSL.TLS12) {
@@ -499,6 +516,9 @@ public class SSLServer : SSLEngine {
 if (!canTLS12 && SSL.IsTLS12(cs)) {
 continue;
 }
+ if (mustTLS12 && !SSL.IsTLS12(cs)) {
+ continue;
+ }
 commonSuitesResume.Add(cs);
 if (!canECDHE && SSL.IsECDHE(cs)) {
 continue;
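Review bot: The `forceVersion` override in the first hunk is applied after `Math.Min(ClientVersionMax, VersionMax)` and is checked against neither bound, so a configured quirk can make the server select a version the client did not offer, or one lower than both sides support. If that is the intent (a hook for producing non-conforming handshakes; `GetQuirkString` is not shown here), the block needs a comment saying so, for example `/* Quirk: replaces the negotiated version, ignoring ClientVersionMax and VersionMax. */`. The `default:` branch throws a bare `Exception`; a more specific type such as `ArgumentException` would let a caller tell a bad quirk value from a protocol failure. The enclosing method starts and ends outside the hunk.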
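Review bot: With `forceTls12CipherSuite` set in the second hunk, `canTLS12` becomes true even when `Version` is below TLS 1.2, while the `if (Version >= SSL.TLS12)` test just below still derives the signature capabilities from the real version, so suite filtering and signing run on different assumptions. This looks deliberate for a quirk, but nothing in the code says so, and a short comment above the flag would keep a later reader from "fixing" it. The matching filter in the third hunk, `mustTLS12 && !SSL.IsTLS12(cs)`, sits before `commonSuitesResume.Add(cs)`, so it also narrows the resumption list and can leave both lists empty when the client offers no TLS 1.2 suite; how an empty list is handled is outside the visible lines. The flag setup would read more directly as `bool mustTLS12 = GetQuirkBool("forceTls12CipherSuite");` followed by `bool canTLS12 = mustTLS12 || Version >= SSL.TLS12;`.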