--- source-trees/gt2-cvs/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c 4 May 2005 00:19:22 -0000 1.39
+++ source-trees/gt2-cvs/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c 10 May 2005 23:45:22 -0000 1.40
@@ -370,7 +370,26 @@
 goto free_cert_dir;
 }
- SSL_set_ssl_method(context->gss_ssl, SSLv3_method());
+ if (globus_i_gsi_gssapi_force_tls)
+ {
+ /* GLOBUS_GSSAPI_FORCE_TLS defined in environment. */
+ GLOBUS_I_GSI_GSSAPI_DEBUG_PRINT(
+ 2, "Forcing TLS.\n");
+ SSL_set_ssl_method(context->gss_ssl, TLSv1_method());
+ }
+ else if (cred_usage == GSS_C_INITIATE)
+ {
+ /* For backward compatibility. Older GSI GSSAPI accepters will fail if we try to negotiate TLSv1, so stick with SSLv3 when initiating to be safe. */
+ SSL_set_ssl_method(context->gss_ssl, SSLv3_method());
+ }
+ else
+ {
+ /* Accept both SSLv3 and TLSv1. */
+ SSL_set_ssl_method(context->gss_ssl, SSLv23_method());
+ }
+ /* Never use SSLv2. */
 SSL_set_options(context->gss_ssl, SSL_OP_NO_SSLv2 | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
@@ -932,6 +951,9 @@
 char cipher_description[256];
 GLOBUS_I_GSI_GSSAPI_DEBUG_PRINT(
 2, "SSL handshake finished\n");
+ GLOBUS_I_GSI_GSSAPI_DEBUG_FNPRINTF(
+ 2, (20, "Using %s.\n", SSL_get_version(context_handle->gss_ssl)));
 GLOBUS_I_GSI_GSSAPI_DEBUG_FPRINTF( 2, (globus_i_gsi_gssapi_debug_fstream, "cred_usage=%d\n",
--- source-trees/gt2-cvs/gsi/gssapi/source/library/globus_i_gsi_gss_utils.h 4 May 2005 00:19:22 -0000 1.16
+++ source-trees/gt2-cvs/gsi/gssapi/source/library/globus_i_gsi_gss_utils.h 10 May 2005 23:45:23 -0000 1.17
@@ -202,6 +202,7 @@
 "%s exiting\n", \
 _function_name_))
+extern int globus_i_gsi_gssapi_force_tls;
 typedef enum {
--- source-trees/gt2-cvs/gsi/gssapi/source/library/inquire_context.c 15 Apr 2005 23:37:19 -0000 1.11
+++ source-trees/gt2-cvs/gsi/gssapi/source/library/inquire_context.c 10 May 2005 23:45:23 -0000 1.12
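Review bot: When `globus_i_gsi_gssapi_force_tls` is set, the new branch pins the context to `TLSv1_method()`, a single fixed protocol version, instead of expressing "no SSLv3" as an option on the version-flexible method. Using `SSL_set_ssl_method(context->gss_ssl, SSLv23_method());` followed by `SSL_set_options(context->gss_ssl, SSL_OP_NO_SSLv3);` inside that branch would exclude SSLv3 just as firmly (options accumulate with the `SSL_OP_NO_SSLv2` set after the hunk) while letting the handshake negotiate whichever TLS version both ends support. The comment `/* Accept both SSLv3 and TLSv1. */` on the acceptor branch is also misleading on its own, since `SSLv23_method()` offers SSLv2 as well and only the `SSL_OP_NO_SSLv2` option on the following line removes it; suggest `/* Version-flexible method; SSLv2 is excluded by SSL_OP_NO_SSLv2 below. */`. Because the initiator default stays SSLv3, deployments wanting TLS on every connection must set the environment flag on the initiating side too, which is worth stating in the backward-compatibility comment. The enclosing function starts and ends outside the hunk.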
@@ -15,12 +15,12 @@
 * @author Sam Lang, Sam Meder
 *
 * $RCSfile: inquire_context.c,v $
- * $Revision: 1.11 $
- * $Date: 2005/04/15 23:37:19 $
+ * $Revision: 1.12 $
+ * $Date: 2005/05/10 23:45:23 $
 */
 #endif
-static char *rcsid = "$Id: inquire_context.c,v 1.11 2005/04/15 23:37:19 meder Exp $";
+static char *rcsid = "$Id: inquire_context.c,v 1.12 2005/05/10 23:45:23 meder Exp $";
 #include "gssapi.h"
 #include "gssapi_openssl.h"
@@ -61,7 +61,6 @@
 OM_uint32 local_minor_status;
 gss_name_t * local_name;
 gss_name_t * peer_name;
- globus_result_t local_result;
 gss_ctx_id_desc * context = (gss_ctx_id_desc *)context_handle_P;
 static char * _function_name_ =
--- source-trees/gt2-cvs/gsi/gssapi/source/library/module.c 15 Apr 2005 23:37:19 -0000 1.7
+++ source-trees/gt2-cvs/gsi/gssapi/source/library/module.c 10 May 2005 23:45:23 -0000 1.8
@@ -44,6 +44,13 @@
 FILE * globus_i_gsi_gssapi_debug_fstream;
 /**
+ * Optionally force use of TLSv1 if GLOBUS_GSSAPI_FORCE_TLS is defined
+ * in the environment.
+ */
+int globus_i_gsi_gssapi_force_tls;
+ + /** + * Module descriptor static initializer. */
 globus_module_descriptor_t globus_i_gsi_gssapi_module =
@@ -111,6 +118,16 @@
 }
 }
+ tmp_string = globus_module_getenv("GLOBUS_GSSAPI_FORCE_TLS");
+ if(tmp_string != GLOBUS_NULL)
+ {
+ globus_i_gsi_gssapi_force_tls = 1;
+ }
+ else
+ {
+ globus_i_gsi_gssapi_force_tls = 0;
+ }
+
 GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
 globus_module_activate(GLOBUS_COMMON_MODULE);
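Review bot: The `if(tmp_string != GLOBUS_NULL)` test treats `GLOBUS_GSSAPI_FORCE_TLS` as a presence flag, so a value of `0` or an empty string still forces TLS, which an operator can easily get wrong; either say so in the comment above the variable's definition (`* Any value, including an empty one, enables it.`) or parse the value. The nine-line if/else collapses to `globus_i_gsi_gssapi_force_tls = (tmp_string != GLOBUS_NULL);`, which also makes the presence semantics obvious at a glance. The decision is taken before `GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER`, so nothing at activation time records it; the `Forcing TLS.` debug print added in globus_i_gsi_gss_utils.c appears to be the only trace, and only per context. The enclosing activation function starts and ends outside the hunk, and `tmp_string` is declared there.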