Dear all,

After compiling/upgrading to the latest source with TLSv1.3 server code enabled, I got Firefox SSL_ERROR_RX_MALFORMED_SERVER_HELLO when I tried to access HTTP serviced by relayd. Please find the diff for relayd(8) attached.
Qualys SSL report for the box: https://www.ssllabs.com/ssltest/analyze.html?d=waste.tristero.se&s=2001%3a470%3a1f15%3a1492%3a0%3a0%3a0%3a2

--
With best regards,
Pavel Korovin
Index: parse.y =================================================================== RCS file: /cvs/src/usr.sbin/relayd/parse.y,v retrieving revision 1.244 diff -u -p -r1.244 parse.y --- parse.y 12 Feb 2020 21:15:44 -0000 1.244 +++ parse.y 12 May 2020 22:26:09 -0000 @@ -1355,6 +1355,8 @@ flag : STRING { $$ = TLSFLAG_TLSV1_1; else if (strcmp("tlsv1.2", $1) == 0) $$ = TLSFLAG_TLSV1_2; + else if (strcmp("tlsv1.3", $1) == 0) + $$ = TLSFLAG_TLSV1_3; else if (strcmp("cipher-server-preference", $1) == 0) $$ = TLSFLAG_CIPHER_SERVER_PREF; else if (strcmp("client-renegotiation", $1) == 0) Index: relay.c =================================================================== RCS file: /cvs/src/usr.sbin/relayd/relay.c,v retrieving revision 1.250 diff -u -p -r1.250 relay.c --- relay.c 13 Jul 2019 06:53:00 -0000 1.250 +++ relay.c 12 May 2020 22:26:09 -0000 @@ -2066,6 +2066,8 @@ relay_tls_ctx_create_proto(struct protoc protocols |= TLS_PROTOCOL_TLSv1_1; if (proto->tlsflags & TLSFLAG_TLSV1_2) protocols |= TLS_PROTOCOL_TLSv1_2; + if (proto->tlsflags & TLSFLAG_TLSV1_3) + protocols |= TLS_PROTOCOL_TLSv1_3; if (tls_config_set_protocols(tls_cfg, protocols) == -1) { log_warnx("could not set the TLS protocol: %s", tls_config_error(tls_cfg)); Index: relayd.h =================================================================== RCS file: /cvs/src/usr.sbin/relayd/relayd.h,v retrieving revision 1.260 diff -u -p -r1.260 relayd.h --- relayd.h 15 Sep 2019 19:23:29 -0000 1.260 +++ relayd.h 12 May 2020 22:26:09 -0000 
@@ -695,15 +695,16 @@ TAILQ_HEAD(relay_rules, relay_rule); #define TLSFLAG_TLSV1_0 0x02 #define TLSFLAG_TLSV1_1 0x04 #define TLSFLAG_TLSV1_2 0x08 -#define TLSFLAG_TLSV1 0x0e +#define TLSFLAG_TLSV1_3 0x10 +#define TLSFLAG_TLSV1 0x1e #define TLSFLAG_VERSION 0x1f #define TLSFLAG_CIPHER_SERVER_PREF 0x20 #define TLSFLAG_CLIENT_RENEG 0x40 #define TLSFLAG_DEFAULT \ - (TLSFLAG_TLSV1_2|TLSFLAG_CIPHER_SERVER_PREF) + (TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF) #define TLSFLAG_BITS \ - "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2" \ + "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2\05tlsv1.3" \ "\06cipher-server-preference\07client-renegotiation" #define TLSCIPHERS_DEFAULT "HIGH:!aNULL"
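Review bot: relayd.conf(5), which documents the accepted `tls` flag keywords next to `tlsv1.2`, is not touched by this diff; the new `tlsv1.3` keyword added in the parse.y hunk needs a matching manual entry, and since the relayd.h hunk widens TLSFLAG_TLSV1 from 0x0e to 0x1e, the `tlsv1` shorthand now also enables TLSv1.3 and the manual should say so.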
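Review bot: in the relayd.h hunk, TLSFLAG_DEFAULT goes from `(TLSFLAG_TLSV1_2|TLSFLAG_CIPHER_SERVER_PREF)` to `(TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF)`, which drops TLSv1.2 from the default, so any relay that relies on the default stops serving clients without TLSv1.3 support until `tlsv1.2` is added to the configuration explicitly. Keeping both, `(TLSFLAG_TLSV1_2|TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF)`, adds 1.3 without a silent behaviour change for existing configurations. The rest of the hunk is consistent: 0x10 fits inside the unchanged TLSFLAG_VERSION mask 0x1f, TLSFLAG_TLSV1 0x1e now covers 1.0 through 1.3, and the new `\05tlsv1.3` entry in TLSFLAG_BITS names bit 5, which matches 0x10, so the flag printout stays correct.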