Add the NO_TLSv1_3 option to available tls-options values (#418)

author Christos Tsantilas <christos@chtsanti.net>

Sat, 15 Jun 2019 08:19:15 +0000 (08:19 +0000)

committer Amos Jeffries <yadij@users.noreply.github.com>

Thu, 4 Jul 2019 11:01:16 +0000 (23:01 +1200)
author Christos Tsantilas <christos@chtsanti.net>
Sat, 15 Jun 2019 08:19:15 +0000 (08:19 +0000)
committer Amos Jeffries <yadij@users.noreply.github.com>
Thu, 4 Jul 2019 11:01:16 +0000 (23:01 +1200)
diff --git a/src/cf.data.pre b/src/cf.data.pre

index d4f75ae8168c16e918066d6802d37cd4367a4e10..513a04f140824c4f1ffa37d04d5342de9439ac1d 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -2751,7 +2751,7 @@ DOC_START
         min-version=1.N
                         The minimum TLS protocol version to permit.
                         To control SSLv3 use the options= parameter.
-                       Supported Values: 1.0 (default), 1.1, 1.2
+                       Supported Values: 1.0 (default), 1.1, 1.2, 1.3
  
         options=...     Specify various TLS/SSL implementation options.
  
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc

index 51f9c18ef36b69cdf78a413b1f326f5f5899cb33..67052f411d9ff632b405263c52c685a493148960 100644 (file)
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -195,30 +195,30 @@ Security::PeerOptions::updateTlsVersionLimits()
          switch (sslVersion) {
          case 3:
  #if USE_OPENSSL
-            add = ":NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2";
+            add = ":NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
  #elif USE_GNUTLS
-            add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2";
+            add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
  #endif
              break;
          case 4:
  #if USE_OPENSSL
-            add = ":NO_SSLv3:NO_TLSv1_1:NO_TLSv1_2";
+            add = ":NO_SSLv3:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
  #elif USE_GNUTLS
-            add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2";
+            add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
  #endif
              break;
          case 5:
  #if USE_OPENSSL
-            add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_2";
+            add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_2:NO_TLSv1_3";
  #elif USE_GNUTLS
-            add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2";
+            add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
  #endif
              break;
          case 6:
  #if USE_OPENSSL
-            add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_1";
+            add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_1:NO_TLSv1_3";
  #elif USE_GNUTLS
-            add = ":-VERS-TLS1.0:-VERS-TLS1.1";
+            add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3";
  #endif
              break;
          default: // nothing
@@ -401,6 +401,13 @@ static struct ssl_option {
  #else
      { "NO_TLSv1_2", 0 },
  #endif
+#if SSL_OP_NO_TLSv1_3
+    {
+        "NO_TLSv1_3", SSL_OP_NO_TLSv1_3
+    },
+#else
+    { "NO_TLSv1_3", 0 },
+#endif
  #if SSL_OP_NO_COMPRESSION
      {
          "No_Compression", SSL_OP_NO_COMPRESSION
author	Christos Tsantilas <christos@chtsanti.net>
	Sat, 15 Jun 2019 08:19:15 +0000 (08:19 +0000)
committer	Amos Jeffries <yadij@users.noreply.github.com>
	Thu, 4 Jul 2019 11:01:16 +0000 (23:01 +1200)
src/cf.data.pre		patch \| blob \| blame \| history
src/security/PeerOptions.cc		patch \| blob \| blame \| history