From 9e8b0a283f52e6160626a7ad9f366fe62cc40b06 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 7 Nov 2016 14:38:59 +0100
Subject: openssl: initial TLS 1.3 adaptions

BoringSSL supports TLSv1.3 already, but these changes don't seem to be enough
to get it working.
---
 lib/vtls/openssl.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

(limited to 'lib/vtls')

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 24d9d42c1..edfd5356d 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1548,6 +1548,11 @@ static void ssl_tls_trace(int direction, int ssl_ver, int content_type,
   case TLS1_2_VERSION:
     verstr = "TLSv1.2";
     break;
+#endif
+#ifdef TLS1_3_VERSION
+  case TLS1_3_VERSION:
+    verstr = "TLSv1.3";
+    break;
 #endif
   case 0:
     break;
@@ -1677,6 +1682,10 @@ get_ssl_version_txt(SSL *ssl)
     return "";
 
   switch(SSL_version(ssl)) {
+#ifdef TLS1_3_VERSION
+  case TLS1_3_VERSION:
+    return "TLSv1.3";
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
   case TLS1_2_VERSION:
     return "TLSv1.2";
@@ -1728,6 +1737,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
   case CURL_SSLVERSION_TLSv1_0:
   case CURL_SSLVERSION_TLSv1_1:
   case CURL_SSLVERSION_TLSv1_2:
+  case CURL_SSLVERSION_TLSv1_3:
     /* it will be handled later with the context options */
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
     !defined(LIBRESSL_VERSION_NUMBER)
@@ -1891,6 +1901,16 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
     break;
 #endif
 
+#ifdef TLS1_3_VERSION
+  case CURL_SSLVERSION_TLSv1_3:
+    ctx_options |= SSL_OP_NO_SSLv2;
+    ctx_options |= SSL_OP_NO_SSLv3;
+    ctx_options |= SSL_OP_NO_TLSv1;
+    ctx_options |= SSL_OP_NO_TLSv1_1;
+    ctx_options |= SSL_OP_NO_TLSv1_2;
+    break;
+#endif
+
 #ifndef OPENSSL_NO_SSL2
   case CURL_SSLVERSION_SSLv2:
     ctx_options |= SSL_OP_NO_SSLv3;
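Review bot: When the TLS library headers do not define `TLS1_3_VERSION`, the `case CURL_SSLVERSION_TLSv1_3:` block added here is compiled out, yet the earlier hunk adds the same label unconditionally to the first switch of `ossl_connect_step1`, so the value is accepted there and then has no matching case in this switch. What happens next depends on this switch's default label, which is outside the hunk; if that path does not fail the connection, a caller that asked for TLS 1.3 only could end up negotiating an older protocol version without being told. I would make the refusal explicit by moving the case label outside the guard and giving the guard an `#else` branch that reports the missing support via `failf()` and ends with `return CURLE_NOT_BUILT_IN;`. The function body starts and ends outside this hunk, so the default handling should be confirmed against the full file.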
-- 
cgit v1.2.3