From 98a31fc5be01cbf29dbcd61a77c33f3c7777ea74 Mon Sep 17 00:00:00 2001
From: "Golgowski, Wiktor" <wiktor.golgowski@intel.com>
Date: Fri, 2 Oct 2020 20:46:34 +0200
Subject: Add requirement for TLSv1.1 for VM legacy mode.

This change adds nbdkit curl plugin parameters for specifying TLS
version. VM is configured to support TLSv1.1 or greater.

Tested: manually, TLSv1.0 is not negotiated during connection.

Change-Id: I0d1186534ba3ec2f7937fea65c0cc1f01557cf6e
Signed-off-by: Golgowski, Wiktor <wiktor.golgowski@intel.com>
---
 src/state/activating_state.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/state/activating_state.cpp b/src/state/activating_state.cpp
index e51640a..8b69fac 100644
--- a/src/state/activating_state.cpp
+++ b/src/state/activating_state.cpp
@@ -233,7 +233,8 @@ std::unique_ptr<resource::Process>
                                        // ... to mount http resource at url
                                        "url=" + url,
                                        // custom OpenBMC path for CA
-                                       "capath=/etc/ssl/certs/authority"};
+                                       "capath=/etc/ssl/certs/authority",
+                                       "ssl-version=tlsv1.1"};
 
     // Authenticate if needed
     if (machine.getTarget()->credentials)
-- 
cgit v1.2.3