Dear all,

After compiling/upgrading to the latest source with the TLSv1.3 server code enabled,
I got Firefox's SSL_ERROR_RX_MALFORMED_SERVER_HELLO when trying to access an http
service relayed by relayd.
Please find the diff for relayd(8) attached.

Qualys SSL report for the box:
https://www.ssllabs.com/ssltest/analyze.html?d=waste.tristero.se&s=2001%3a470%3a1f15%3a1492%3a0%3a0%3a0%3a2

-- 
With best regards,
Pavel Korovin
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.244
diff -u -p -r1.244 parse.y
--- parse.y     12 Feb 2020 21:15:44 -0000      1.244
+++ parse.y     12 May 2020 22:26:09 -0000
@@ -1355,6 +1355,8 @@ flag              : STRING                        {
                                $$ = TLSFLAG_TLSV1_1;
                        else if (strcmp("tlsv1.2", $1) == 0)
                                $$ = TLSFLAG_TLSV1_2;
+                       else if (strcmp("tlsv1.3", $1) == 0)
+                               $$ = TLSFLAG_TLSV1_3;
                        else if (strcmp("cipher-server-preference", $1) == 0)
                                $$ = TLSFLAG_CIPHER_SERVER_PREF;
                        else if (strcmp("client-renegotiation", $1) == 0)
Index: relay.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
retrieving revision 1.250
diff -u -p -r1.250 relay.c
--- relay.c     13 Jul 2019 06:53:00 -0000      1.250
+++ relay.c     12 May 2020 22:26:09 -0000
@@ -2066,6 +2066,8 @@ relay_tls_ctx_create_proto(struct protoc
                protocols |= TLS_PROTOCOL_TLSv1_1;
        if (proto->tlsflags & TLSFLAG_TLSV1_2)
                protocols |= TLS_PROTOCOL_TLSv1_2;
+       if (proto->tlsflags & TLSFLAG_TLSV1_3)
+               protocols |= TLS_PROTOCOL_TLSv1_3;
        if (tls_config_set_protocols(tls_cfg, protocols) == -1) {
                log_warnx("could not set the TLS protocol: %s",
                    tls_config_error(tls_cfg));
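Review bot: The added `TLS_PROTOCOL_TLSv1_3` bit is only defined by a libtls that was built with TLSv1.3 support (the cover letter says the server code was enabled on this box), so on a tree whose tls.h lacks it this hunk fails to compile rather than degrading gracefully; if the patch is meant to apply to such trees as well, the two added lines would need an `#ifdef TLS_PROTOCOL_TLSv1_3` guard. The mapping itself mirrors the existing TLSv1_0/1_1/1_2 lines and the failure of `tls_config_set_protocols()` is already logged below. relay_tls_ctx_create_proto() begins and ends outside the hunk.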
Index: relayd.h
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.h,v
retrieving revision 1.260
diff -u -p -r1.260 relayd.h
--- relayd.h    15 Sep 2019 19:23:29 -0000      1.260
+++ relayd.h    12 May 2020 22:26:09 -0000
@@ -695,15 +695,16 @@ TAILQ_HEAD(relay_rules, relay_rule);
 #define TLSFLAG_TLSV1_0                                0x02
 #define TLSFLAG_TLSV1_1                                0x04
 #define TLSFLAG_TLSV1_2                                0x08
-#define TLSFLAG_TLSV1                          0x0e
+#define TLSFLAG_TLSV1_3                                0x10
+#define TLSFLAG_TLSV1                          0x1e
 #define TLSFLAG_VERSION                                0x1f
 #define TLSFLAG_CIPHER_SERVER_PREF             0x20
 #define TLSFLAG_CLIENT_RENEG                   0x40
 #define TLSFLAG_DEFAULT                                \
-       (TLSFLAG_TLSV1_2|TLSFLAG_CIPHER_SERVER_PREF)
+       (TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF)
 
 #define TLSFLAG_BITS                                           \
-       "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2"     \
+       "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2\05tlsv1.3"   \
        "\06cipher-server-preference\07client-renegotiation"
 
 #define TLSCIPHERS_DEFAULT     "HIGH:!aNULL"
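Review bot: `TLSFLAG_DEFAULT` now substitutes `TLSFLAG_TLSV1_3` for `TLSFLAG_TLSV1_2` instead of adding it, so a protocol whose configuration does not set tls flags explicitly would offer TLSv1.3 only and refuse every client that stops at TLSv1.2; if that is not intended the line should read `(TLSFLAG_TLSV1_2|TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF)`. The new 0x10 bit fits inside the unchanged `TLSFLAG_VERSION` mask (0x1f), the widened `TLSFLAG_TLSV1` (0x1e) agrees with it, and the `\05tlsv1.3` entry in `TLSFLAG_BITS` matches bit position 5. The patch contains no manual page change; relayd.conf(5) presumably documents the accepted tls flag keywords and the default, so the `tlsv1.3` keyword and whatever the new default ends up being would need a matching update there.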
