From: Christos Tsantilas Date: Sat, 15 Jun 2019 08:19:15 +0000 (+0000) Subject: Add the NO_TLSv1_3 option to available tls-options values (#418) X-Git-Tag: SQUID_5_0_1~81 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d39e23a03b3281e70f906991d08019449a3b8368;p=thirdparty%2Fsquid.git Add the NO_TLSv1_3 option to available tls-options values (#418) ... also fix the deprecated sslversion option to exclude tls v1.3 from allowed protocols where required. This is a Measurement Factory project --- diff --git a/src/cf.data.pre b/src/cf.data.pre index 28cf727a14..62f8e9bb60 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -2909,7 +2909,7 @@ DOC_START min-version=1.N The minimum TLS protocol version to permit. To control SSLv3 use the options= parameter. - Supported Values: 1.0 (default), 1.1, 1.2 + Supported Values: 1.0 (default), 1.1, 1.2, 1.3 options=... Specify various TLS/SSL implementation options. diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc index 51f9c18ef3..67052f411d 100644 --- a/src/security/PeerOptions.cc +++ b/src/security/PeerOptions.cc 
@@ -195,30 +195,30 @@ Security::PeerOptions::updateTlsVersionLimits()
 switch (sslVersion) {
 case 3:
 #if USE_OPENSSL
- add = ":NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2";
+ add = ":NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
 #elif USE_GNUTLS
- add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2";
+ add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
 #endif
 break;
 case 4:
 #if USE_OPENSSL
- add = ":NO_SSLv3:NO_TLSv1_1:NO_TLSv1_2";
+ add = ":NO_SSLv3:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
 #elif USE_GNUTLS
- add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2";
+ add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
 #endif
 break;
 case 5:
 #if USE_OPENSSL
- add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_2";
+ add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_2:NO_TLSv1_3";
 #elif USE_GNUTLS
- add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2";
+ add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
 #endif
 break;
 case 6:
 #if USE_OPENSSL
- add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_1";
+ add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_1:NO_TLSv1_3";
 #elif USE_GNUTLS
- add = ":-VERS-TLS1.0:-VERS-TLS1.1";
+ add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3";
 #endif
 break;
 default: // nothing
@@ -401,6 +401,13 @@ static struct ssl_option {
 #else
 { "NO_TLSv1_2", 0 },
 #endif
+#if SSL_OP_NO_TLSv1_3
+ {
+ "NO_TLSv1_3", SSL_OP_NO_TLSv1_3
+ },
+#else
+ { "NO_TLSv1_3", 0 },
+#endif
 #if SSL_OP_NO_COMPRESSION
 {
 "No_Compression", SSL_OP_NO_COMPRESSION
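Review bot: Each of the four `add` strings now lists every other protocol version by hand, but nothing in the switch states that a `sslversion=N` case is meant to permit exactly one version, which is how TLS 1.3 got missed until this commit and how the next version will be missed again; a comment above `switch (sslVersion) {` such as `// sslversion=N permits exactly one protocol: every other version the library knows must be disabled explicitly, so extend every case when a new TLS version appears` would make the maintenance rule visible. On the GnuTLS side, case 6 still differs from cases 4 and 5 in carrying no `+VERS-TLS1.2` entry; if the priority string's defaults are being relied on for that, the same comment is the place to say so. The min-version handling earlier in updateTlsVersionLimits is outside this hunk, while cf.data.pre now advertises `1.3` as a supported min-version value; it is worth confirming that the upper bound accepted there was raised to match, since nothing in this diff shows it. The enclosing function starts before the hunk.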
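Review bot: The `#else` fallback `{ "NO_TLSv1_3", 0 },` makes `options=NO_TLSv1_3` parse as a silent no-op on a library that does not define SSL_OP_NO_TLSv1_3; that mirrors the NO_TLSv1_2 entry just above it and is presumably harmless because such a library cannot negotiate TLS 1.3 in the first place, but neither point is visible to a reader of the table. A one-line comment on the fallback branch, e.g. `// library predates TLS 1.3: keep the name parseable, nothing to disable`, would record why accepting the option without effect is intended rather than a configuration error worth reporting. The ssl_option table continues past the end of the hunk.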