Add the NO_TLSv1_3 option to available tls-options values (#418)
authorChristos Tsantilas <christos@chtsanti.net>
Sat, 15 Jun 2019 08:19:15 +0000 (08:19 +0000)
committerSquid Anubis <squid-anubis@squid-cache.org>
Sun, 16 Jun 2019 10:16:13 +0000 (10:16 +0000)
... also fix the deprecated sslversion option to exclude TLS v1.3 from the
allowed protocols where required.

This is a Measurement Factory project

src/cf.data.pre
src/security/PeerOptions.cc

index 28cf727a1445ebce564b040fd2edaf6d05a05f0b..62f8e9bb604edb81a27d001795ce511981c2bbdf 100644 (file)
@@ -2909,7 +2909,7 @@ DOC_START
        min-version=1.N
                        The minimum TLS protocol version to permit.
                        To control SSLv3 use the options= parameter.
-                       Supported Values: 1.0 (default), 1.1, 1.2
+                       Supported Values: 1.0 (default), 1.1, 1.2, 1.3
 
        options=...     Specify various TLS/SSL implementation options.
 
index 51f9c18ef36b69cdf78a413b1f326f5f5899cb33..67052f411d9ff632b405263c52c685a493148960 100644 (file)
@@ -195,30 +195,30 @@ Security::PeerOptions::updateTlsVersionLimits()
         switch (sslVersion) {
         case 3:
 #if USE_OPENSSL
-            add = ":NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2";
+            add = ":NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
 #elif USE_GNUTLS
-            add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2";
+            add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
 #endif
             break;
         case 4:
 #if USE_OPENSSL
-            add = ":NO_SSLv3:NO_TLSv1_1:NO_TLSv1_2";
+            add = ":NO_SSLv3:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
 #elif USE_GNUTLS
-            add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2";
+            add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
 #endif
             break;
         case 5:
 #if USE_OPENSSL
-            add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_2";
+            add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_2:NO_TLSv1_3";
 #elif USE_GNUTLS
-            add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2";
+            add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
 #endif
             break;
         case 6:
 #if USE_OPENSSL
-            add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_1";
+            add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_1:NO_TLSv1_3";
 #elif USE_GNUTLS
-            add = ":-VERS-TLS1.0:-VERS-TLS1.1";
+            add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3";
 #endif
             break;
         default: // nothing
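Review bot: The GnuTLS priority fragments extended in cases 3–6 (for example the `:-VERS-TLS1.3` suffix added at the `case 6` branch) are emitted unconditionally, whereas the OpenSSL side tolerates a library without TLS 1.3 through the zero-valued `NO_TLSv1_3` table entry; if GnuTLS's priority parser rejects an unknown `VERS-*` token on builds that predate TLS 1.3 support, a plain `sslversion=6` would begin failing on those builds after this change. Worth confirming against the oldest GnuTLS Squid still supports, and if it does reject the token, only appending the `-VERS-TLS1.3` part under a `GNUTLS_VERSION_NUMBER` check. updateTlsVersionLimits() begins before this hunk and continues after it.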
@@ -401,6 +401,13 @@ static struct ssl_option {
 #else
     { "NO_TLSv1_2", 0 },
 #endif
+#if SSL_OP_NO_TLSv1_3
+    {
+        "NO_TLSv1_3", SSL_OP_NO_TLSv1_3
+    },
+#else
+    { "NO_TLSv1_3", 0 },
+#endif
 #if SSL_OP_NO_COMPRESSION
     {
         "No_Compression", SSL_OP_NO_COMPRESSION
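Review bot: The `#if SSL_OP_NO_TLSv1_3` test at the top of the new entry assumes the library macro expands to something the preprocessor can evaluate; that holds for the plain integer OpenSSL 1.1.1 uses, but if a later OpenSSL defines the flag through a cast or helper macro, `#if` either fails to compile or silently evaluates to 0 and takes the `{ "NO_TLSv1_3", 0 }` fallback. `#if defined(SSL_OP_NO_TLSv1_3)` is the more robust form unless a deliberately zero-valued definition (which I believe OpenSSL 1.1 uses for several retired SSL_OP_* flags) must also land on the no-op entry; the same remark applies to the existing NO_TLSv1_2 entry this copies. The no-op fallback also means `options=NO_TLSv1_3` is accepted silently on a build that cannot negotiate TLS 1.3 at all, which is harmless for negotiation but deserves a comment such as `// no-op on libraries without TLS 1.3; the version cannot be negotiated there anyway`. The ssl_option table starts before this hunk and continues after it.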