The branch main has been updated by eugen: URL: https://cgit.FreeBSD.org/src/commit/?id=129aec72250266e60c07ff4643623188f7c27a9d
commit 129aec72250266e60c07ff4643623188f7c27a9d Author: Eugene Grosbein <[email protected]> AuthorDate: 2026-01-22 14:37:54 +0000 Commit: Eugene Grosbein <[email protected]> CommitDate: 2026-01-22 14:37:54 +0000 libfetch: allow disabling TLS v1.3 when the connection MFC after: 3 days --- lib/libfetch/common.c | 2 ++ lib/libfetch/fetch.3 | 12 ++++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index a9935ef176da..9b36a9e61a75 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -1048,6 +1048,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) ssl_ctx_options |= SSL_OP_NO_TLSv1_1; if (getenv("SSL_NO_TLS1_2") != NULL) ssl_ctx_options |= SSL_OP_NO_TLSv1_2; + if (getenv("SSL_NO_TLS1_3") != NULL) + ssl_ctx_options |= SSL_OP_NO_TLSv1_3; if (verbose) fetch_info("SSL options: %lx", ssl_ctx_options); SSL_CTX_set_options(ctx, ssl_ctx_options); diff --git a/lib/libfetch/fetch.3 b/lib/libfetch/fetch.3 index 5f7489799cf6..20a22a263b5b 100644 --- a/lib/libfetch/fetch.3 +++ b/lib/libfetch/fetch.3 @@ -24,7 +24,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd October 7, 2023 +.Dd January 22, 2026 .Dt FETCH 3 .Os .Sh NAME @@ -450,9 +450,11 @@ allows TLSv1 and newer when negotiating the connecting with the remote peer. You can change this behavior by setting the .Ev SSL_NO_TLS1 , -.Ev SSL_NO_TLS1_1 and -.Ev SSL_NO_TLS1_2 -environment variables to disable TLS 1.0, 1.1 and 1.2 respectively. +.Ev SSL_NO_TLS1_1 , +.Ev SSL_NO_TLS1_2 and +.Ev SSL_NO_TLS1_3 +environment variables to disable TLS 1.0, 1.1, 1.2 and 1.3 +respectively. .Sh AUTHENTICATION Apart from setting the appropriate environment variables and specifying the user name and password in the URL or the 
@@ -676,6 +678,8 @@ Do not allow TLS version 1.0 when negotiating the connection. Do not allow TLS version 1.1 when negotiating the connection. .It Ev SSL_NO_TLS1_2 Do not allow TLS version 1.2 when negotiating the connection. +.It Ev SSL_NO_TLS1_3 +Do not allow TLS version 1.3 when negotiating the connection. .It Ev SSL_NO_VERIFY_HOSTNAME If set, do not verify that the hostname matches the subject of the certificate presented by the server.
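Review bot: In the common.c hunk the new `SSL_NO_TLS1_3` test mirrors the three existing ones, so a caller can now set all four variables and hand `SSL_CTX_set_options` a mask that excludes every TLS version; the handshake then fails with nothing in the verbose output explaining why. Since `fetch_info("SSL options: %lx", ssl_ctx_options)` is emitted right below, consider adding a warning there when SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2 and SSL_OP_NO_TLSv1_3 are all set, so the empty-protocol case is diagnosable rather than surfacing as an opaque connection error. Note also that, like its siblings, the check is on presence (`getenv(...) != NULL`), so an empty `SSL_NO_TLS1_3=` still disables 1.3; that is consistent, but worth a word in the man page.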
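Review bot: The unchanged context line "when negotiating the connecting with the remote peer" in the @@ -450 hunk of fetch.3 carries a typo ("connecting" should read "connection", matching the wording used in the @@ -676 hunk); since the sentence that follows it is being rewritten in this same hunk, fix it here rather than in a follow-up. The mdoc change itself (adding `.Ev SSL_NO_TLS1_3` to the comma-separated list and wrapping "respectively." onto its own line) reads correctly.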
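Review bot: The new `.It Ev SSL_NO_TLS1_3` entry in the @@ -676 hunk documents only what the single variable does, while the ENVIRONMENT section now lists four independent masks; a one-line note after this group stating that the variables are cumulative and that setting all of `SSL_NO_TLS1`, `SSL_NO_TLS1_1`, `SSL_NO_TLS1_2` and `SSL_NO_TLS1_3` leaves no protocol version to negotiate would save users from discovering that combination by trial and error.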
