Diffstat (limited to 'blabouncer.c')
-rw-r--r--blabouncer.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/blabouncer.c b/blabouncer.c
index 443c75c..8f2aaf6 100644
--- a/blabouncer.c
+++ b/blabouncer.c
@@ -463,6 +463,18 @@ void dochat(int *serversockfd, int *clientsockfd, struct settings *settings) {
// Set up and configure client OpenSSL context
ctx = create_openssl_context(SOURCE_CLIENT);
configure_openssl_context(ctx, settings->certfile, settings->keyfile);
+
+ // Optionally set OpenSSL security level
+ int ssl_sec_level = -1;
+ if (settings->sslseclevel >= 0) {
+ // SSL_CTX_set_security_level is void, no return to check
+ SSL_CTX_set_security_level(ctx, settings->sslseclevel);
+ ssl_sec_level = SSL_CTX_get_security_level(ctx);
+ debugprint(DEBUG_FULL, "dochat(): Client SSL_CTX security level '%d' requested and got set to '%d'.\n", settings->sslseclevel, ssl_sec_level);
+ } else {
+ ssl_sec_level = SSL_CTX_get_security_level(ctx);
+ debugprint(DEBUG_FULL, "dochat(): sslseclevel unset, no change to SSL_CTX security level requested, still set to '%d'.\n", ssl_sec_level);
+ }
}
// Let's set up signal handling stuff here since we're about to enter The Big Loop (TM)
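Review bot: The added block in dochat() applies `settings->sslseclevel` without comparing it to the level the context already had, so a configured value below the library default is accepted and reported only at DEBUG_FULL. OpenSSL documents level 0 as permitting everything, so that setting weakens the client-facing TLS context with little trace. I would read the default first with `int default_level = SSL_CTX_get_security_level(ctx);` and, under `if (settings->sslseclevel < default_level)`, log the downgrade at a less verbose debug level so it appears in normal logs. A short comment noting that valid levels are 0 to 5 and that lower means weaker would also help the next reader. dochat() begins and continues outside this hunk, so this is based on the visible lines only.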
@@ -1250,7 +1262,7 @@ int main(int argc, char *argv[]) {
strncat(conffailmsg, "Error getting 'clienttls' from configuration file.\n", sizeof conffailmsg - strlen(conffailmsg) - 1);
}
- // If so, load the certificates
+ // If so, load the certificates and optionally configure the security level
if (settings.clienttls) {
// What is the certificate file path?
if (!getconfstr("certfile", settings.conffile, settings.certfile)) {
@@ -1269,6 +1281,12 @@ int main(int argc, char *argv[]) {
exit(1);
}
}
+
+ // Has an OpenSSL security level been specified?
+ settings.sslseclevel = getconfint("sslseclevel", settings.conffile);
+ if (errno == ECONFINT) {
+ settings.sslseclevel = -1;
+ }
}
// Make sure the base directory exists
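Review bot: The `errno == ECONFINT` test after `getconfint("sslseclevel", ...)` relies on errno not being stale, and nothing visible in this hunk clears it before the call. If an earlier lookup left errno at ECONFINT and getconfint() does not reset it on success (its body is not shown here), a valid sslseclevel would be silently replaced by -1. Adding `errno = 0;` immediately before the call removes that dependency. The value is also never range-checked, so a malformed or negative entry quietly becomes "unset" and the operator's intended hardening is dropped without any message. Consider rejecting anything outside 0 to 5 by appending to `conffailmsg`, as the neighbouring settings do. main() continues outside this hunk.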