Hi folks,

Just dropping a short note to let you know that my team (hackers.mu)
is working on TLS 1.3 support for wget. We are closely tracking the
OpenSSL tree.

This is a working patch for draft-18. We will keep working on the
patch for draft-20, until TLS 1.3 is finalized.


Added as attachment.
From 409b9a60c6cdae88519adf23fad72a69f76f3ba3 Mon Sep 17 00:00:00 2001
From: Loganaden Velvindron <[email protected]>
Date: Sun, 11 Jun 2017 18:12:50 +0400
Subject: [PATCH] Add TLS 1.3 support for OpenSSL following draft-18.

Signed-off-by: Loganaden Velvindron <[email protected]>
---
 src/init.c    |  1 +
 src/openssl.c | 16 ++++++++++++++++
 src/options.h |  1 +
 3 files changed, 18 insertions(+)

diff --git a/src/init.c b/src/init.c
index 5f4eefa9..8f2e4427 100644
--- a/src/init.c
+++ b/src/init.c
@@ -1683,6 +1683,7 @@ cmd_spec_secure_protocol (const char *com, const char *val, void *place)
     { "tlsv1", secure_protocol_tlsv1 },
     { "tlsv1_1", secure_protocol_tlsv1_1 },
     { "tlsv1_2", secure_protocol_tlsv1_2 },
+    { "tlsv1_3", secure_protocol_tlsv1_3 },
     { "pfs", secure_protocol_pfs },
   };
   int ok = decode_string (val, choices, countof (choices), place);
diff --git a/src/openssl.c b/src/openssl.c
index 0404d2d0..fefc94f3 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -240,6 +240,19 @@ ssl_init (void)
     case secure_protocol_tlsv1_2:
       meth = TLSv1_2_client_method ();
       break;
+    case secure_protocol_tlsv1_3:
+#ifdef TLS1_3_VERSION
+      meth = TLS_client_method ();
+      ssl_options |= SSL_OP_NO_SSLv2;
+      ssl_options |= SSL_OP_NO_SSLv3;
+      ssl_options |= SSL_OP_NO_TLSv1;
+      ssl_options |= SSL_OP_NO_TLSv1_1;
+      ssl_options |= SSL_OP_NO_TLSv1_2;
+      break;
+#else
+      logprintf (LOG_NOTQUIET, _("Your OpenSSL version hasn't been compiled with TLS 1.3 support\n"));
+      goto error;
+#endif
 #else
     case secure_protocol_tlsv1_1:
       logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n"));
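Review bot: Pinning TLS 1.3 by OR-ing `SSL_OP_NO_SSLv2` through `SSL_OP_NO_TLSv1_2` into `ssl_options` is fragile: it is the only case in this switch that fixes the version by exclusion rather than by method, so any protocol version a later OpenSSL adds would be negotiated under the tlsv1_3 choice, and `SSL_OP_NO_SSLv2` is already a no-op on the 1.1.x builds where `TLS1_3_VERSION` is defined. The OpenSSL releases that provide `TLS_client_method()` also provide `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version`; calling `SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION)` once the context exists (the context variable is not visible in this hunk) expresses the intent directly and keeps the option bits for the server-side exclusions they were meant for. The `#else` branch turns a missing header definition into a runtime refusal, which is the right call, but a short comment such as `/* headers predate TLS 1.3: refuse rather than silently negotiate lower */` would record why it does not fall back. ssl_init continues outside the hunk.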
@@ -248,6 +261,9 @@ ssl_init (void)
     case secure_protocol_tlsv1_2:
       logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n"));
       goto error;
+    case secure_protocol_tlsv1_3:
+      logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.3\n"));
+      goto error;
 #endif
 
     default:
diff --git a/src/options.h b/src/options.h
index 39729459..44378fd6 100644
--- a/src/options.h
+++ b/src/options.h
@@ -230,6 +230,7 @@ struct options
     secure_protocol_tlsv1,
     secure_protocol_tlsv1_1,
     secure_protocol_tlsv1_2,
+    secure_protocol_tlsv1_3,
     secure_protocol_pfs
   } secure_protocol;            /* type of secure protocol to use. */
   int check_cert;               /* whether to validate the server's cert */
-- 
2.11.0
