From 9e8b0a283f52e6160626a7ad9f366fe62cc40b06 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 7 Nov 2016 14:38:59 +0100 Subject: openssl: initial TLS 1.3 adaptions BoringSSL supports TLSv1.3 already, but these changes don't seem to be anough to get it working. --- lib/vtls/openssl.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'lib') diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 24d9d42c1..edfd5356d 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -1548,6 +1548,11 @@ static void ssl_tls_trace(int direction, int ssl_ver, int content_type, case TLS1_2_VERSION: verstr = "TLSv1.2"; break; +#endif +#ifdef TLS1_3_VERSION + case TLS1_3_VERSION: + verstr = "TLSv1.3"; + break; #endif case 0: break; @@ -1677,6 +1682,10 @@ get_ssl_version_txt(SSL *ssl) return ""; switch(SSL_version(ssl)) { +#ifdef TLS1_3_VERSION + case TLS1_3_VERSION: + return "TLSv1.3"; +#endif #if OPENSSL_VERSION_NUMBER >= 0x1000100FL case TLS1_2_VERSION: return "TLSv1.2"; @@ -1728,6 +1737,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) case CURL_SSLVERSION_TLSv1_0: case CURL_SSLVERSION_TLSv1_1: case CURL_SSLVERSION_TLSv1_2: + case CURL_SSLVERSION_TLSv1_3: /* it will be handled later with the context options */ #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ !defined(LIBRESSL_VERSION_NUMBER) @@ -1891,6 +1901,16 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) break; #endif +#ifdef TLS1_3_VERSION + case CURL_SSLVERSION_TLSv1_3: + ctx_options |= SSL_OP_NO_SSLv2; + ctx_options |= SSL_OP_NO_SSLv3; + ctx_options |= SSL_OP_NO_TLSv1; + ctx_options |= SSL_OP_NO_TLSv1_1; + ctx_options |= SSL_OP_NO_TLSv1_2; + break; +#endif + #ifndef OPENSSL_NO_SSL2 case CURL_SSLVERSION_SSLv2: ctx_options |= SSL_OP_NO_SSLv3; -- cgit v1.2.3