
tls: add support for configuration option TLSv1.3 and TLSv1.3+

Henning Westerholt authored on 17/08/2022 13:55:59
Showing 4 changed files
@@ -19,6 +19,18 @@
19 19
 		Sets the TLS protocol method. Possible values are:
20 20
 	</para>
21 21
 	<itemizedlist>
22
+			<listitem>
23
+				<para>
24
+				<emphasis>TLSv1.3+</emphasis> - TLSv1.3 or newer (TLSv1.3, ...)
25
+				connections are accepted (available starting with openssl/libssl v1.1.1)
26
+				</para>
27
+			</listitem>
28
+			<listitem>
29
+				<para>
30
+				<emphasis>TLSv1.3</emphasis> - only TLSv1.3 connections are accepted
31
+				(available starting with openssl/libssl v1.1.1)
32
+				</para>
33
+			</listitem>
22 34
 			<listitem>
23 35
 				<para>
24 36
 				<emphasis>TLSv1.2+</emphasis> - TLSv1.2 or newer (TLSv1.3, ...)
@@ -143,7 +143,7 @@ cfg_def_t	tls_cfg_def[] = {
143 143
 	{"force_run", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
144 144
 		"force loading the tls module even when initial sanity checks fail"},
145 145
 	{"method",   CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
146
-		"TLS method used (TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, SSLv23)"},
146
+		"TLS method used (TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, SSLv23)"},
147 147
 	{"server_name",   CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
148 148
 		"Server name (SNI)"},
149 149
 	{"server_name_mode", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
@@ -39,11 +39,15 @@
39 39
 #define TLS_OP_TLSv1_PLUS   (TLS_OP_SSLv3_PLUS   | SSL_OP_NO_SSLv3)
40 40
 
41 41
 #ifdef SSL_OP_NO_TLSv1
42
-#  define TLS_OP_TLSv1_1_PLUS (TLS_OP_TLSv1_PLUS   | SSL_OP_NO_TLSv1)
42
+#define TLS_OP_TLSv1_1_PLUS (TLS_OP_TLSv1_PLUS   | SSL_OP_NO_TLSv1)
43 43
 
44
-#  ifdef SSL_OP_NO_TLSv1_1
45
-#    define TLS_OP_TLSv1_2_PLUS (TLS_OP_TLSv1_1_PLUS | SSL_OP_NO_TLSv1_1)
46
-#  endif /*SSL_OP_NO_TLSv1_1*/
44
+#ifdef SSL_OP_NO_TLSv1_1
45
+#define TLS_OP_TLSv1_2_PLUS (TLS_OP_TLSv1_1_PLUS | SSL_OP_NO_TLSv1_1)
46
+#endif /*SSL_OP_NO_TLSv1_1*/
47
+
48
+#ifdef SSL_OP_NO_TLSv1_2
49
+#define TLS_OP_TLSv1_3_PLUS (TLS_OP_TLSv1_2_PLUS | SSL_OP_NO_TLSv1_2)
50
+#endif /*SSL_OP_NO_TLSv1_2*/
47 51
 
48 52
 #endif /*SSL_OP_NO_TLSv1*/
49 53
 
@@ -70,10 +74,14 @@ enum tls_method {
70 74
 	TLS_USE_TLSv1_2_cli,
71 75
 	TLS_USE_TLSv1_2_srv,
72 76
 	TLS_USE_TLSv1_2,    /* only TLSv1.2 */
77
+	TLS_USE_TLSv1_3_cli,
78
+	TLS_USE_TLSv1_3_srv,
79
+	TLS_USE_TLSv1_3,    /* only TLSv1.3 */
73 80
 	TLS_USE_TLSvRANGE,    /* placeholder - TLSvX ranges must be after it */
74 81
 	TLS_USE_TLSv1_PLUS,   /* TLSv1.0 or greater */
75 82
 	TLS_USE_TLSv1_1_PLUS, /* TLSv1.1 or greater */
76 83
 	TLS_USE_TLSv1_2_PLUS, /* TLSv1.2 or greater */
84
+	TLS_USE_TLSv1_3_PLUS, /* TLSv1.3 or greater */
77 85
 	TLS_METHOD_MAX
78 86
 };
79 87
 
@@ -401,6 +401,12 @@ static void init_ssl_methods(void)
401 401
 	ssl_methods[TLS_USE_TLSv1_2 - 1] = TLSv1_2_method();
402 402
 #endif
403 403
 
404
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER)
405
+	ssl_methods[TLS_USE_TLSv1_3_cli - 1] = TLSv1_3_client_method();
406
+	ssl_methods[TLS_USE_TLSv1_3_srv - 1] = TLSv1_3_server_method();
407
+	ssl_methods[TLS_USE_TLSv1_3 - 1] = TLSv1_3_method();
408
+#endif
409
+
404 410
 	/* ranges of TLS versions (require a minimum TLS version) */
405 411
 	ssl_methods[TLS_USE_TLSv1_PLUS - 1] = (void*)TLS_OP_TLSv1_PLUS;
406 412
 
@@ -412,6 +418,9 @@ static void init_ssl_methods(void)
412 418
 	ssl_methods[TLS_USE_TLSv1_2_PLUS - 1] = (void*)TLS_OP_TLSv1_2_PLUS;
413 419
 #endif
414 420
 
421
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER)
422
+	ssl_methods[TLS_USE_TLSv1_3_PLUS - 1] = (void*)TLS_OP_TLSv1_3_PLUS;
423
+#endif
415 424
 #else
416 425
 	/* openssl 1.1.0+ */
417 426
 	memset(sr_tls_methods, 0, sizeof(sr_tls_methods));
@@ -463,6 +472,16 @@ static void init_ssl_methods(void)
463 472
 	sr_tls_methods[TLS_USE_TLSv1_2 - 1].TLSMethodMin = TLS1_2_VERSION;
464 473
 	sr_tls_methods[TLS_USE_TLSv1_2 - 1].TLSMethodMax = TLS1_2_VERSION;
465 474
 
475
+	sr_tls_methods[TLS_USE_TLSv1_3_cli - 1].TLSMethod = TLS_client_method();
476
+	sr_tls_methods[TLS_USE_TLSv1_3_cli - 1].TLSMethodMin = TLS1_3_VERSION;
477
+	sr_tls_methods[TLS_USE_TLSv1_3_cli - 1].TLSMethodMax = TLS1_3_VERSION;
478
+	sr_tls_methods[TLS_USE_TLSv1_3_srv - 1].TLSMethod = TLS_server_method();
479
+	sr_tls_methods[TLS_USE_TLSv1_3_srv - 1].TLSMethodMin = TLS1_3_VERSION;
480
+	sr_tls_methods[TLS_USE_TLSv1_3_srv - 1].TLSMethodMax = TLS1_3_VERSION;
481
+	sr_tls_methods[TLS_USE_TLSv1_3 - 1].TLSMethod = TLS_method();
482
+	sr_tls_methods[TLS_USE_TLSv1_3 - 1].TLSMethodMin = TLS1_3_VERSION;
483
+	sr_tls_methods[TLS_USE_TLSv1_3 - 1].TLSMethodMax = TLS1_3_VERSION;
484
+
466 485
 	/* ranges of TLS versions (require a minimum TLS version) */
467 486
 	sr_tls_methods[TLS_USE_TLSv1_PLUS - 1].TLSMethod = TLS_method();
468 487
 	sr_tls_methods[TLS_USE_TLSv1_PLUS - 1].TLSMethodMin = TLS1_VERSION;
@@ -473,6 +492,9 @@ static void init_ssl_methods(void)
473 492
 	sr_tls_methods[TLS_USE_TLSv1_2_PLUS - 1].TLSMethod = TLS_method();
474 493
 	sr_tls_methods[TLS_USE_TLSv1_2_PLUS - 1].TLSMethodMin = TLS1_2_VERSION;
475 494
 
495
+	sr_tls_methods[TLS_USE_TLSv1_3_PLUS - 1].TLSMethod = TLS_method();
496
+	sr_tls_methods[TLS_USE_TLSv1_3_PLUS - 1].TLSMethodMin = TLS1_3_VERSION;
497
+
476 498
 #endif
477 499
 }
478 500