Hi Tim,

While doing some regression testing, I discovered that 0002 breaks non
TLS 1.3 when requested via command line by the user. The 3rd patch
fixes this regression with non TLS 1.3 connections. Attached are all
the 3 patches.

Kind regards,
//Logan
C-x-C-c
From 409b9a60c6cdae88519adf23fad72a69f76f3ba3 Mon Sep 17 00:00:00 2001
From: Loganaden Velvindron <lo...@hackers.mu>
Date: Sun, 11 Jun 2017 18:12:50 +0400
Subject: [PATCH 1/3] Add TLS 1.3 support for OpenSSL following draft-18.

Signed-off-by: Loganaden Velvindron <lo...@hackers.mu>
---
 src/init.c    |  1 +
 src/openssl.c | 16 ++++++++++++++++
 src/options.h |  1 +
 3 files changed, 18 insertions(+)

diff --git a/src/init.c b/src/init.c
index 5f4eefa9..8f2e4427 100644
--- a/src/init.c
+++ b/src/init.c
@@ -1683,6 +1683,7 @@ cmd_spec_secure_protocol (const char *com, const char *val, void *place)
     { "tlsv1", secure_protocol_tlsv1 },
     { "tlsv1_1", secure_protocol_tlsv1_1 },
     { "tlsv1_2", secure_protocol_tlsv1_2 },
+    { "tlsv1_3", secure_protocol_tlsv1_3 },
     { "pfs", secure_protocol_pfs },
   };
   int ok = decode_string (val, choices, countof (choices), place);
diff --git a/src/openssl.c b/src/openssl.c
index 0404d2d0..fefc94f3 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -240,6 +240,19 @@ ssl_init (void)
     case secure_protocol_tlsv1_2:
       meth = TLSv1_2_client_method ();
       break;
+    case secure_protocol_tlsv1_3:
+#ifdef TLS1_3_VERSION
+      meth = TLS_client_method ();
+      ssl_options |= SSL_OP_NO_SSLv2;
+      ssl_options |= SSL_OP_NO_SSLv3;
+      ssl_options |= SSL_OP_NO_TLSv1;
+      ssl_options |= SSL_OP_NO_TLSv1_1;
+      ssl_options |= SSL_OP_NO_TLSv1_2;
+      break;
+#else
+      logprintf (LOG_NOTQUIET, _("Your OpenSSL version hasn't been compiled with TLS 1.3 support\n"));
+      goto error;
+#endif
 #else
     case secure_protocol_tlsv1_1:
       logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n"));
@@ -248,6 +261,9 @@ ssl_init (void)
     case secure_protocol_tlsv1_2:
       logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n"));
       goto error;
+    case secure_protocol_tlsv1_3:
+      logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.3\n"));
+      goto error;
 #endif
 
     default:
diff --git a/src/options.h b/src/options.h
index 39729459..44378fd6 100644
--- a/src/options.h
+++ b/src/options.h
@@ -230,6 +230,7 @@ struct options
     secure_protocol_tlsv1,
     secure_protocol_tlsv1_1,
     secure_protocol_tlsv1_2,
+    secure_protocol_tlsv1_3,
     secure_protocol_pfs
   } secure_protocol;            /* type of secure protocol to use. */
   int check_cert;               /* whether to validate the server's cert */
-- 
2.11.0

From 395f995b1917f2ec73d2ae370fb527efa6849890 Mon Sep 17 00:00:00 2001
From: Loganaden Velvindron <lo...@hackers.mu>
Date: Mon, 14 Aug 2017 11:28:07 +0400
Subject: [PATCH 2/3] Align with recommended way to set minimum protocol
 version

Signed-off-by: Loganaden Velvindron <lo...@hackers.mu>
---
 src/openssl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/openssl.c b/src/openssl.c
index fefc94f3..cff467d1 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -243,11 +243,6 @@ ssl_init (void)
     case secure_protocol_tlsv1_3:
 #ifdef TLS1_3_VERSION
       meth = TLS_client_method ();
-      ssl_options |= SSL_OP_NO_SSLv2;
-      ssl_options |= SSL_OP_NO_SSLv3;
-      ssl_options |= SSL_OP_NO_TLSv1;
-      ssl_options |= SSL_OP_NO_TLSv1_1;
-      ssl_options |= SSL_OP_NO_TLSv1_2;
       break;
 #else
       logprintf (LOG_NOTQUIET, _("Your OpenSSL version hasn't been compiled with TLS 1.3 support\n"));
@@ -281,6 +276,11 @@ ssl_init (void)
   if (ssl_options)
     SSL_CTX_set_options (ssl_ctx, ssl_options);
 
+#ifdef TLS1_3_VERSION
+  if (SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_3_VERSION) == 0)
+     goto error;
+#endif
+
   /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
    * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more)
    */
-- 
2.11.0

From 67f01bc2667ff5133f0686753dd170f5ffd1e890 Mon Sep 17 00:00:00 2001
From: Loganaden Velvindron <lo...@hackers.mu>
Date: Mon, 14 Aug 2017 14:43:40 +0400
Subject: [PATCH 3/3] Fix regression with older protocols. Set a variable when
 the user specifies tls 1.3 and use this to check what to set the minimum TLS
 level. This unbreaks non tls 1.3 protocols when requested via command line.

Signed-off-by: Loganaden Velvindron <lo...@hackers.mu>
---
 src/openssl.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/openssl.c b/src/openssl.c
index cff467d1..82576493 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -174,6 +174,7 @@ ssl_init (void)
 {
   SSL_METHOD const *meth;
   long ssl_options = 0;
+  bool tlsv1_3;
 
 #if OPENSSL_VERSION_NUMBER >= 0x00907000
   if (ssl_true_initialized == 0)
@@ -243,6 +244,7 @@ ssl_init (void)
     case secure_protocol_tlsv1_3:
 #ifdef TLS1_3_VERSION
       meth = TLS_client_method ();
+      tlsv1_3 = true;
       break;
 #else
       logprintf (LOG_NOTQUIET, _("Your OpenSSL version hasn't been compiled with TLS 1.3 support\n"));
@@ -277,8 +279,10 @@ ssl_init (void)
     SSL_CTX_set_options (ssl_ctx, ssl_options);
 
 #ifdef TLS1_3_VERSION
-  if (SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_3_VERSION) == 0)
-     goto error;
+  if (tlsv1_3) {
+     if (SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_3_VERSION) == 0)
+         goto error;
+  }
 #endif
 
   /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
-- 
2.11.0

Reply via email to