From faa3c9439127eac0fea6125e55e28739e5c19676 Mon Sep 17 00:00:00 2001
From: Davide De Rosa
Date: Fri, 5 Jan 2024 23:10:53 +0100
Subject: [PATCH] Set SSL security level explicitly (#406)

Default value may have been raised in OpenSSL 3, disrupting operation with less secure certificates.
---
 CHANGELOG.md | 1 +
 Sources/CTunnelKitOpenVPNProtocol/TLSBox.m | 4 +---
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e1c7c2d..0a5f5a4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 - OpenVPN: Bad error mapping. [#404](https://github.com/passepartoutvpn/tunnelkit/pull/404)
+- OpenVPN: Restore default security level. [#406](https://github.com/passepartoutvpn/tunnelkit/pull/406)
 ## 6.3.1 (2024-01-05)
diff --git a/Sources/CTunnelKitOpenVPNProtocol/TLSBox.m b/Sources/CTunnelKitOpenVPNProtocol/TLSBox.m
index 11d372f..ea924ca 100644
--- a/Sources/CTunnelKitOpenVPNProtocol/TLSBox.m
+++ b/Sources/CTunnelKitOpenVPNProtocol/TLSBox.m
@@ -214,9 +214,7 @@ static BIO *create_BIO_from_PEM(NSString *pem) {
 self.ctx = SSL_CTX_new(TLS_client_method());
 SSL_CTX_set_options(self.ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
 SSL_CTX_set_verify(self.ctx, SSL_VERIFY_PEER, TLSBoxVerifyPeer);
- if (self.securityLevel != TLSBoxDefaultSecurityLevel) {
- SSL_CTX_set_security_level(self.ctx, (int)self.securityLevel);
- }
+ SSL_CTX_set_security_level(self.ctx, (int)self.securityLevel);
 if (self.caPath) {
 if (!SSL_CTX_load_verify_locations(self.ctx, [self.caPath cStringUsingEncoding:NSASCIIStringEncoding], NULL)) {
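Review bot: The now-unconditional `SSL_CTX_set_security_level(self.ctx, (int)self.securityLevel);` means TLSBoxDefaultSecurityLevel overrides the linked OpenSSL build's own default instead of deferring to it, and nothing at the call site records that this is a deliberate downgrade relative to OpenSSL 3 (which rejects weaker peer certificate keys and cipher suites at its raised default). Suggest a why-comment above the call such as `// Always pin the level: OpenSSL 3 raised its built-in default, which rejects older peer certificates; applying TLSBoxDefaultSecurityLevel explicitly is a deliberate compatibility trade-off.` The value of TLSBoxDefaultSecurityLevel and the declared type of securityLevel are outside this hunk; if the property is caller-settable, it would be worth an `NSAssert` that it lies within OpenSSL's documented 0–5 range before the `(int)` cast, so an out-of-range configuration is caught rather than silently clamped or misinterpreted. The CHANGELOG entry ("Restore default security level") and the commit title ("Set SSL security level explicitly") describe the change differently; aligning them would make the audit trail clearer. The enclosing method starts and ends outside the hunk.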