From: Amos Jeffries Date: Sun, 19 Jul 2015 08:33:29 +0000 (-0700) Subject: TLS: Allow tls-min-version=1.3 configuration X-Git-Tag: merge-candidate-3-v1~38^2~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bd71ba998a48984741479fdf5577c4ccf70b878b;p=thirdparty%2Fsquid.git TLS: Allow tls-min-version=1.3 configuration Bounds limiting was restricting configuration to <1.2 since those are the currently available TLS versions. But 1.3 is upcoming and may be used within the lifetime of this Squid version. Detected by Coverity Scan. Issue 1311636
---
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index da19b0177f..26b8e74d04 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -122,9 +122,9 @@ Security::PeerOptions::updateTlsVersionLimits()
 if (!tlsMinVersion.isEmpty()) {
 ::Parser::Tokenizer tok(tlsMinVersion);
 int64_t v = 0;
- if (tok.skip('1') && tok.skip('.') && tok.int64(v, 10, false, 1) && v <= 2) {
+ if (tok.skip('1') && tok.skip('.') && tok.int64(v, 10, false, 1) && v <= 3) {
 // only account for TLS here - SSL versions are handled by options= parameter
- // avoid affectign options= parameter in cachemgr config report
+ // avoid affecting options= parameter in cachemgr config report
 #if SSL_OP_NO_TLSv1
 if (v > 0)
 parsedOptions |= SSL_OP_NO_TLSv1;
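Review bot: The widened bound `v <= 3` accepts tls-min-version=1.3, but the only enforcement visible in this hunk is compiled under `#if SSL_OP_NO_TLSv1`, so on a build where an `SSL_OP_NO_*` macro is missing the configured minimum is accepted and silently not applied. updateTlsVersionLimits() continues past the end of the hunk, so the handling of `v > 1` and `v > 2` cannot be checked here; if those branches follow the same guarded pattern, an `#else` that logs that the requested minimum cannot be enforced would make the weaker result visible to the administrator. Separately, the condition never checks that the tokenizer consumed the whole value, so a value with extra characters after the single digit would presumably be treated as the shorter version; appending `&& tok.atEnd()` to the `if` would reject it. A comment such as `// 1.3 is accepted ahead of library support; the SSL_OP_NO_* guards below decide what is actually enforced` above the `#if` would record the intent.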