On Mon, Jun 12, 2017 at 12:03 AM, Tim Rühsen <[email protected]> wrote:
> On Sunday, 11 June 2017 18:16:28 CEST Loganaden Velvindron wrote:
>> Hi folks,
>>
>> Just dropping a short note to let you know that my team (hackers.mu)
>> is working on TLS 1.3 support for wget. We are closely tracking the
>> OpenSSL tree.
>>
>> This is a working patch for draft-18. We will keep working on the
>> patch for draft-20, until TLS 1.3 is finalized.
>>
>>
>> Added as attachment.
>
> Hi,
>
> great to see that someone takes care of TLS 1.3 support for Wget!
>
> AFAIK, the finalization of TLS 1.3 is close... so we'll hold off on merging
> until then. Your patch makes it easy to experiment with Wget and TLS 1.3 though -
> thanks a lot.
>
> All the Best to you, hackers.mu and Mauritius!
>
> Tim
Thank you Tim! Based on discussion with the OpenSSL team, we've updated our patch for draft-18, and we now make use of the SSL_CTX_set_min_proto_version function, which is the recommended way, instead of disabling versions using SSL_OP_NO_*.
From 409b9a60c6cdae88519adf23fad72a69f76f3ba3 Mon Sep 17 00:00:00 2001 From: Loganaden Velvindron <[email protected]> Date: Sun, 11 Jun 2017 18:12:50 +0400 Subject: [PATCH 1/2] Add TLS 1.3 support for OpenSSL following draft-18. Signed-off-by: Loganaden Velvindron <[email protected]> --- src/init.c | 1 + src/openssl.c | 16 ++++++++++++++++ src/options.h | 1 + 3 files changed, 18 insertions(+) diff --git a/src/init.c b/src/init.c index 5f4eefa9..8f2e4427 100644 --- a/src/init.c +++ b/src/init.c @@ -1683,6 +1683,7 @@ cmd_spec_secure_protocol (const char *com, const char *val, void *place) { "tlsv1", secure_protocol_tlsv1 }, { "tlsv1_1", secure_protocol_tlsv1_1 }, { "tlsv1_2", secure_protocol_tlsv1_2 }, + { "tlsv1_3", secure_protocol_tlsv1_3 }, { "pfs", secure_protocol_pfs }, }; int ok = decode_string (val, choices, countof (choices), place); diff --git a/src/openssl.c b/src/openssl.c index 0404d2d0..fefc94f3 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -240,6 +240,19 @@ ssl_init (void) case secure_protocol_tlsv1_2: meth = TLSv1_2_client_method (); break; + case secure_protocol_tlsv1_3: +#ifdef TLS1_3_VERSION + meth = TLS_client_method (); + ssl_options |= SSL_OP_NO_SSLv2; + ssl_options |= SSL_OP_NO_SSLv3; + ssl_options |= SSL_OP_NO_TLSv1; + ssl_options |= SSL_OP_NO_TLSv1_1; + ssl_options |= SSL_OP_NO_TLSv1_2; + break; +#else + logprintf (LOG_NOTQUIET, _("Your OpenSSL version hasn't been compiled with TLS 1.3 support\n")); + goto error; +#endif #else case secure_protocol_tlsv1_1: logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n")); @@ -248,6 +261,9 @@ ssl_init (void) case secure_protocol_tlsv1_2: logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n")); goto error; + case secure_protocol_tlsv1_3: + logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.3\n")); + goto error; #endif default: diff --git a/src/options.h b/src/options.h index 39729459..44378fd6 100644 --- a/src/options.h 
+++ b/src/options.h @@ -230,6 +230,7 @@ struct options secure_protocol_tlsv1, secure_protocol_tlsv1_1, secure_protocol_tlsv1_2, + secure_protocol_tlsv1_3, secure_protocol_pfs } secure_protocol; /* type of secure protocol to use. */ int check_cert; /* whether to validate the server's cert */ -- 2.11.0
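Review bot: the src/init.c and src/options.h hunks teach the option parser a new "tlsv1_3" value and add secure_protocol_tlsv1_3 to the enum, but the diffstat lists only src/init.c, src/openssl.c and src/options.h, so the documentation of --secure-protocol is not updated and any other backend that switches over `secure_protocol` does not learn the new value and will fall into its default branch when a user passes --secure-protocol=tlsv1_3. Please document the new value alongside tlsv1_2 and either handle it in every backend or state that it is OpenSSL-only.

Review bot: in the src/openssl.c hunk at @@ -240,6 +240,19 @@, `#ifdef TLS1_3_VERSION` tests the headers, not the library: OpenSSL headers define TLS1_3_VERSION unconditionally, while a library built with no-tls1_3 defines OPENSSL_NO_TLS1_3 instead, so on such a build the "hasn't been compiled with TLS 1.3 support" message never fires and the user only sees a failed handshake. Use `#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)` here. Pinning the version by OR-ing `SSL_OP_NO_SSLv2` through `SSL_OP_NO_TLSv1_2` into ssl_options is also the pre-1.1.0 idiom; for `TLS_client_method ()` the documented way is `SSL_CTX_set_min_proto_version (ssl_ctx, TLS1_3_VERSION)` once the context exists (SSL_OP_NO_SSLv2 is a no-op on any OpenSSL that has TLS_client_method at all).

Review bot: the message added in the @@ -248,6 +261,9 @@ hunk spells the version "TLSv1.3" while the message in the previous hunk says "TLS 1.3"; use one spelling in both so that users and translators see a single string style for the same condition.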
From 395f995b1917f2ec73d2ae370fb527efa6849890 Mon Sep 17 00:00:00 2001 From: Loganaden Velvindron <[email protected]> Date: Mon, 14 Aug 2017 11:28:07 +0400 Subject: [PATCH 2/2] Align with recommended way to set minimum protocol version Signed-off-by: Loganaden Velvindron <[email protected]> --- src/openssl.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/openssl.c b/src/openssl.c index fefc94f3..cff467d1 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -243,11 +243,6 @@ ssl_init (void) case secure_protocol_tlsv1_3: #ifdef TLS1_3_VERSION meth = TLS_client_method (); - ssl_options |= SSL_OP_NO_SSLv2; - ssl_options |= SSL_OP_NO_SSLv3; - ssl_options |= SSL_OP_NO_TLSv1; - ssl_options |= SSL_OP_NO_TLSv1_1; - ssl_options |= SSL_OP_NO_TLSv1_2; break; #else logprintf (LOG_NOTQUIET, _("Your OpenSSL version hasn't been compiled with TLS 1.3 support\n")); @@ -281,6 +276,11 @@ ssl_init (void) if (ssl_options) SSL_CTX_set_options (ssl_ctx, ssl_options); +#ifdef TLS1_3_VERSION + if (SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_3_VERSION) == 0) + goto error; +#endif + /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more) */ -- 2.11.0
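Review bot: in the @@ -243,11 +243,6 @@ hunk, removing the five SSL_OP_NO_* lines leaves the secure_protocol_tlsv1_3 case as just `meth = TLS_client_method ();`, which on its own no longer restricts anything; the restriction now lives entirely in the later SSL_CTX_set_min_proto_version call, so the `#ifdef TLS1_3_VERSION` check is duplicated in two places. Consider keeping one check, next to the call that actually enforces the version.

Review bot: in the @@ -281,6 +276,11 @@ hunk the new `SSL_CTX_set_min_proto_version (ssl_ctx, TLS1_3_VERSION)` call is guarded only by `#ifdef TLS1_3_VERSION`, not by the selected --secure-protocol, so on any OpenSSL whose headers define TLS1_3_VERSION every context wget creates gets a TLS 1.3 floor: the default configuration, and tlsv1, tlsv1_1 and tlsv1_2, which already picked a fixed-version method above, all become "TLS 1.3 only" and any server without TLS 1.3 is unreachable. Gate the call on the secure_protocol_tlsv1_3 case (for example set a local flag in that case and call SSL_CTX_set_min_proto_version only when it is set). The bare `goto error` on failure also drops the reason; the other error paths in this function call logprintf before jumping, so this one should too.

The selection logic the two patches implement, as an added example that is not part of wget or of these patches: Python's ssl.SSLContext exposes the same OpenSSL calls the second patch uses (minimum_version and maximum_version call SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version, and PROTOCOL_TLS_CLIENT is TLS_client_method()), so the mapping from the --secure-protocol values listed in src/init.c to version bounds can be exercised offline. select_bounds, make_client_context, negotiable and the BOUNDS table are hypothetical helpers written for this example; the bounds chosen for "auto" are an assumption, not wget's policy, and "pfs" is left out because it selects ciphers rather than a version.

```python
"""Pin a TLS client's protocol version the way the second patch does,
but gated on the requested --secure-protocol value.

Added example, not wget code.  Python's ssl.SSLContext.minimum_version /
maximum_version call SSL_CTX_set_min_proto_version /
SSL_CTX_set_max_proto_version, and PROTOCOL_TLS_CLIENT is
TLS_client_method(), so this mirrors the OpenSSL calls in the patch.
"""
import ssl

V = ssl.TLSVersion

# Choice names are the ones src/init.c accepts ("pfs" omitted: it selects
# ciphers, not a version).  None means "leave the library default", which is
# the assumption made here for "auto" (not wget's actual policy).  The fixed
# choices mirror TLSv1_client_method() & co.: exactly one version.  tlsv1_3
# mirrors the patch: TLS_client_method() plus a floor, no ceiling.
BOUNDS = {
    "auto":    None,
    "tlsv1":   (V.TLSv1,   V.TLSv1),
    "tlsv1_1": (V.TLSv1_1, V.TLSv1_1),
    "tlsv1_2": (V.TLSv1_2, V.TLSv1_2),
    "tlsv1_3": (V.TLSv1_3, V.MAXIMUM_SUPPORTED),
}

# Protocol versions oldest first, used to expand (min, max) into a list.
ORDER = [V.SSLv3, V.TLSv1, V.TLSv1_1, V.TLSv1_2, V.TLSv1_3]


def select_bounds(choice, has_tls13=ssl.HAS_TLSv1_3):
    """Return (min, max) for a --secure-protocol value, or None for defaults.

    Refusing tlsv1_3 when the library lacks it is what the patch does with
    #ifdef TLS1_3_VERSION at compile time; here it is a runtime check, so a
    build whose headers define the constant but whose library was built
    without TLS 1.3 is caught as well.
    """
    if choice not in BOUNDS:
        raise ValueError("unknown --secure-protocol value: %s" % choice)
    if choice == "tlsv1_3" and not has_tls13:
        raise ssl.SSLError("this OpenSSL has not been compiled with TLS 1.3 support")
    return BOUNDS[choice]


def make_client_context(choice):
    """Build a verifying client context whose version range matches `choice`.

    The bounds are applied only for the choice that asked for them.  Setting
    a TLS 1.3 floor on every context, as an unconditional
    SSL_CTX_set_min_proto_version call after SSL_CTX_set_options would, turns
    every other --secure-protocol value into "TLS 1.3 only".
    """
    bounds = select_bounds(choice)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # TLS_client_method()
    if bounds is not None:
        lo, hi = bounds
        ctx.minimum_version = lo   # SSL_CTX_set_min_proto_version
        ctx.maximum_version = hi   # SSL_CTX_set_max_proto_version
    return ctx


def negotiable(ctx):
    """Names of the protocol versions `ctx` would offer, oldest first."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo_i = 0 if lo == V.MINIMUM_SUPPORTED else ORDER.index(lo)
    hi_i = len(ORDER) - 1 if hi == V.MAXIMUM_SUPPORTED else ORDER.index(hi)
    return [v.name for v in ORDER[lo_i:hi_i + 1]]


if __name__ == "__main__":
    for choice in BOUNDS:
        try:
            versions = negotiable(make_client_context(choice))
            print("%-8s -> %s" % (choice, ", ".join(versions)))
        except (ssl.SSLError, ValueError) as exc:
            print("%-8s -> error: %s" % (choice, exc))
```

Running the script prints one line per --secure-protocol value with the versions that context would negotiate; with a TLS 1.3 capable OpenSSL, tlsv1_2 yields only TLSv1_2 and tlsv1_3 only TLSv1_3, which is the behaviour the patch's unconditional floor breaks for tlsv1_2.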
