From 3556b83ea2a00d0dd3e4f1ec38adb6837553e451 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Wed, 22 Mar 2017 11:52:45 +0000
Subject: [PATCH] Make the TLSv1.3 downgrade mechanism a configurable option

Make it disabled by default. When TLSv1.3 is out of draft we can remove this option and have it enabled all the time.

Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/3022)
---
 Configure | 2 ++
 INSTALL | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/Configure b/Configure
index b7d669c118..191fe73f9e 100755
--- a/Configure
+++ b/Configure
@@ -407,6 +407,7 @@ my @disablables = (
 "tests",
 "threads",
 "tls",
+ "tls13downgrade",
 "ts",
 "ubsan",
 "ui",
@@ -451,6 +452,7 @@ our %disabled = ( # "what" => "comment"
 "ubsan" => "default",
 #TODO(TLS1.3): Temporarily disabled while this is a WIP
 "tls1_3" => "default",
+ "tls13downgrade" => "default",
 "unit-test" => "default",
 "weak-ssl-ciphers" => "default",
 "zlib" => "default",
diff --git a/INSTALL b/INSTALL
index d741b9f5a0..59486efbb4 100644
--- a/INSTALL
+++ b/INSTALL
@@ -427,6 +427,16 @@
 require additional system-dependent options! See "Note on multi-threading" below.
+ enable-tls13downgrade
+ TODO(TLS1.3): Make this enabled by default and remove the
+ option when TLSv1.3 is out of draft
+ TLSv1.3 offers a downgrade protection mechanism. This is
+ implemented but disabled by default. It should not typically
+ be enabled except for testing purposes. Otherwise this could
+ cause problems if a pre-RFC version of OpenSSL talks to an
+ RFC implementation (it will erroneously be detected as a
+ downgrade).
+
 no-ts
 Don't build Time Stamping Authority support.
-- 
2.39.5
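Review bot: Registering `"tls13downgrade"` in @disablables has no visible consumer in this patch — the diffstat shows only Configure and INSTALL change, so nothing here is guarded by the `OPENSSL_NO_TLS13DOWNGRADE` macro that (presumably, by Configure's naming convention for disablables) this entry generates. As merged on its own, `enable-tls13downgrade` would be a no-op; please confirm that the sibling commit of this PR wraps the ServerHello-random sentinel check in the state machine with `#ifndef OPENSSL_NO_TLS13DOWNGRADE`, and that the check is exercised by a test that runs with the option enabled. If Configure's cascade table for dependent features (not in view here) is used for related options, `tls1_3` should cascade to `tls13downgrade` so that `no-tls1_3 enable-tls13downgrade` is not silently accepted as a meaningful combination. The @disablables list starts before this hunk and continues after it.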
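Review bot: The new `"tls13downgrade" => "default",` entry sits directly under the `#TODO(TLS1.3): Temporarily disabled while this is a WIP` comment that belongs to `tls1_3`, so a reader will take the WIP rationale as the reason this option is off, whereas the INSTALL text in this same patch gives a different one (pre-RFC builds would misdetect RFC peers as a downgrade). Give the entry its own comment line above it: `#TODO(TLS1.3): Downgrade protection is off while the implementation tracks draft versions; enable unconditionally and drop this option once TLSv1.3 is out of draft`. Worth stating in that comment as well that while it stays disabled a client built from this tree cannot detect an active attacker forcing a fallback to TLSv1.2, so the TODO has to be resolved before any release build, not merely "when convenient". The %disabled hash starts before this hunk and continues after it.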