MINOR: ssl: support TLSv1.3 for bind and server
This patch adds the 'no-tlsv13' and 'force-tlsv13' configuration keywords for bind and server lines. They are only useful with openssl-dev and boringssl, the libraries that currently provide TLSv1.3; on other builds the keywords are accepted but have no effect.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 68cffd4..4486a1c 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -10434,6 +10434,11 @@
this listener. This option is also available on global statement
"ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
+force-tlsv13
+ This option enforces use of TLSv1.3 only on SSL connections instantiated from
+ this listener. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
+
generate-certificates
This setting is only available when support for OpenSSL was built in. It
enables the dynamic SSL certificates generation. A CA certificate and its
@@ -10584,6 +10589,14 @@
available on global statement "ssl-default-bind-options". See also
"force-tlsv*", and "force-sslv3".
+no-tlsv13
+ This setting is only available when support for OpenSSL was built in. It
+ disables support for TLSv1.3 on any sockets instantiated from the listener
+ when SSL is supported. Note that SSLv2 is forced disabled in the code and
+ cannot be enabled using any configuration option. This option is also
+ available on global statement "ssl-default-bind-options". See also
+ "force-tlsv*", and "force-sslv3".
+
npn <protocols>
This enables the NPN TLS extension and advertises the specified protocol list
as supported on top of NPN. The protocol list consists in a comma-delimited
@@ -10974,6 +10987,13 @@
Supported in default-server: No
+force-tlsv13
+ This option enforces use of TLSv1.3 only when SSL is used to communicate with
+ the server. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+ Supported in default-server: No
+
id <value>
Set a persistent ID for the server. This ID must be positive and unique for
the proxy. An unused ID will automatically be assigned if unset. The first
@@ -11161,7 +11181,7 @@
using any configuration option. TLSv1 is more expensive than SSLv3 so it
often makes sense to disable it when communicating with local servers. This
option is also available on global statement "ssl-default-server-options".
- See also "tlsv10", "force-sslv3", "force-tlsv*".
+ See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
@@ -11171,7 +11191,7 @@
using any configuration option. TLSv1 is more expensive than SSLv3 so it
often makes sense to disable it when communicating with local servers. This
option is also available on global statement "ssl-default-server-options".
- See also "tlsv11", "force-sslv3", "force-tlsv*".
+ See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
@@ -11181,7 +11201,17 @@
using any configuration option. TLSv1 is more expensive than SSLv3 so it
often makes sense to disable it when communicating with local servers. This
option is also available on global statement "ssl-default-server-options".
+ See also "force-sslv3", "force-tlsv*".
+
+ Supported in default-server: No
+
+no-tlsv13
+ This option disables support for TLSv1.3 when SSL is used to communicate with
+ the server. Note that SSLv2 is disabled in the code and cannot be enabled
+ using any configuration option. TLSv1 is more expensive than SSLv3 so it
+ often makes sense to disable it when communicating with local servers. This
+ option is also available on global statement "ssl-default-server-options".
- See also "tlsv12", "force-sslv3", "force-tlsv*".
+ See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9cbdad9..63c0f79 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -126,6 +126,7 @@
#define MC_SSL_O_NO_TLSV10 0x0002 /* disable TLSv10 */
#define MC_SSL_O_NO_TLSV11 0x0004 /* disable TLSv11 */
#define MC_SSL_O_NO_TLSV12 0x0008 /* disable TLSv12 */
+#define MC_SSL_O_NO_TLSV13 0x0010 /* disable TLSv13 */
/* ssl_methods versions */
enum {
@@ -135,7 +136,8 @@
CONF_TLSV10 = 2,
CONF_TLSV11 = 3,
CONF_TLSV12 = 4,
- CONF_TLSV_MAX = 4,
+ CONF_TLSV13 = 5,
+ CONF_TLSV_MAX = 5,
};
/* server and bind verify method, it uses a global value as default */
@@ -3181,6 +3183,9 @@
#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
#define SSL_OP_NO_TLSv1_2 0
#endif
+#ifndef SSL_OP_NO_TLSv1_3 /* dev */
+#define SSL_OP_NO_TLSv1_3 0
+#endif
#ifndef SSL_OP_SINGLE_DH_USE /* needs OpenSSL >= 0.9.6 */
#define SSL_OP_SINGLE_DH_USE 0
#endif
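Review bot: The comment `/* dev */` on the new SSL_OP_NO_TLSv1_3 fallback says nothing about which library provides the macro, while the sibling guards just above and below name a minimum OpenSSL version. That matters more here than for the others, because the fallback defines the option to 0 and thereby turns both TLSv1.3 keywords into no-ops on any build that lacks it, so a maintainer reading this file needs to know when that applies. I would write `#ifndef SSL_OP_NO_TLSv1_3 /* needs openssl-dev or boringssl (TLSv1.3) */`, taken from the commit message, and replace it with a release number once one exists.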
@@ -3218,6 +3223,9 @@
: SSL_CTX_set_ssl_version(ctx, TLSv1_2_client_method());
#endif
}
+static void ssl_set_TLSv13_func(SSL_CTX *ctx, int is_server) {
+ /* TLS 1.2 is the last supported version in this context. */
+}
#else /* openssl >= 1.1.0 */
static void ssl_set_SSLv3_func(SSL_CTX *ctx, int is_max) {
is_max ? SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION)
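Review bot: In the pre-1.1.0 branch the new ssl_set_TLSv13_func is an empty stub, so `force-tlsv13` on such a build is accepted by the parser yet enforces nothing and the listener or server silently keeps the library's default version range; an operator who believes they pinned TLSv1.3 is never told otherwise. A `no-tlsv13` no-op is harmless there, but the force case should be reported, either with a config-time warning when CONF_TLSV13 is forced and SSL_OP_NO_TLSv1_3 is 0, or at minimum by making the stub's comment state the consequence: `/* no TLSv1.3 in this library: "force-tlsv13" is silently ignored here */`. The hunk cuts ssl_set_TLSv12_func at its top and ssl_set_SSLv3_func at its bottom, so the place where the forced version is applied is not visible from here.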
@@ -3235,6 +3243,12 @@
is_max ? SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)
: SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
}
+static void ssl_set_TLSv13_func(SSL_CTX *ctx, int is_max) {
+#if SSL_OP_NO_TLSv1_3
+ is_max ? SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)
+ : SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
+#endif
+}
#endif
static void ssl_set_None_func(SSL_CTX *ctx, int i) {
}
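Review bot: ssl_set_TLSv13_func guards its body with `#if SSL_OP_NO_TLSv1_3`, but the code inside uses TLS1_3_VERSION, a different macro, so compilation depends on the two always being defined together in the library headers; `#ifdef TLS1_3_VERSION` would test the symbol actually used and still reduce to an empty function where TLSv1.3 is absent. The current guard also relies on the `#define SSL_OP_NO_TLSv1_3 0` fallback being visible at this point, which holds in this file order but deserves a one-line comment. When the body compiles away, a forced TLSv1.3 leaves the context's min/max version untouched, and the caller that applies `force-tlsv13` (outside this hunk) has no way to learn the request was dropped.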
@@ -3250,6 +3264,7 @@
{SSL_OP_NO_TLSv1, MC_SSL_O_NO_TLSV10, ssl_set_TLSv10_func, "TLSv1.0"}, /* CONF_TLSV10 */
{SSL_OP_NO_TLSv1_1, MC_SSL_O_NO_TLSV11, ssl_set_TLSv11_func, "TLSv1.1"}, /* CONF_TLSV11 */
{SSL_OP_NO_TLSv1_2, MC_SSL_O_NO_TLSV12, ssl_set_TLSv12_func, "TLSv1.2"}, /* CONF_TLSV12 */
+ {SSL_OP_NO_TLSv1_3, MC_SSL_O_NO_TLSV13, ssl_set_TLSv13_func, "TLSv1.3"}, /* CONF_TLSV13 */
};
/* Create an initial CTX used to start the SSL connection before switchctx */
@@ -6229,6 +6244,8 @@
v = CONF_TLSV11;
else if (!strcmp(p, "tlsv12"))
v = CONF_TLSV12;
+ else if (!strcmp(p, "tlsv13"))
+ v = CONF_TLSV13;
else
return 1;
if (!strncmp(arg, "no-", 3))
@@ -7375,11 +7392,13 @@
{ "force-tlsv10", bind_parse_tls_method_options, 0 }, /* force TLSv10 */
{ "force-tlsv11", bind_parse_tls_method_options, 0 }, /* force TLSv11 */
{ "force-tlsv12", bind_parse_tls_method_options, 0 }, /* force TLSv12 */
+ { "force-tlsv13", bind_parse_tls_method_options, 0 }, /* force TLSv13 */
{ "generate-certificates", bind_parse_generate_certs, 0 }, /* enable the server certificates generation */
{ "no-sslv3", bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
{ "no-tlsv10", bind_parse_tls_method_options, 0 }, /* disable TLSv10 */
{ "no-tlsv11", bind_parse_tls_method_options, 0 }, /* disable TLSv11 */
{ "no-tlsv12", bind_parse_tls_method_options, 0 }, /* disable TLSv12 */
+ { "no-tlsv13", bind_parse_tls_method_options, 0 }, /* disable TLSv13 */
{ "no-tls-tickets", bind_parse_no_tls_tickets, 0 }, /* disable session resumption tickets */
{ "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
{ "strict-sni", bind_parse_strict_sni, 0 }, /* refuse negotiation if sni doesn't match a certificate */
@@ -7407,6 +7426,7 @@
{ "force-tlsv10", srv_parse_tls_method_options,0, 1 }, /* force TLSv10 */
{ "force-tlsv11", srv_parse_tls_method_options,0, 1 }, /* force TLSv11 */
{ "force-tlsv12", srv_parse_tls_method_options,0, 1 }, /* force TLSv12 */
+ { "force-tlsv13", srv_parse_tls_method_options,0, 1 }, /* force TLSv13 */
{ "no-check-ssl", srv_parse_no_check_ssl, 0, 1 }, /* disable SSL for health checks */
{ "no-send-proxy-v2-ssl", srv_parse_no_send_proxy_ssl, 0, 1 }, /* do not send PROXY protocol header v2 with SSL info */
{ "no-send-proxy-v2-ssl-cn", srv_parse_no_send_proxy_cn, 0, 1 }, /* do not send PROXY protocol header v2 with CN */
@@ -7416,6 +7436,7 @@
{ "no-tlsv10", srv_parse_tls_method_options,0, 0 }, /* disable TLSv10 */
{ "no-tlsv11", srv_parse_tls_method_options,0, 0 }, /* disable TLSv11 */
{ "no-tlsv12", srv_parse_tls_method_options,0, 0 }, /* disable TLSv12 */
+ { "no-tlsv13", srv_parse_tls_method_options,0, 0 }, /* disable TLSv13 */
{ "no-tls-tickets", srv_parse_no_tls_tickets, 0, 1 }, /* disable session resumption tickets */
{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 1 }, /* send PROXY protocol header v2 with SSL info */
{ "send-proxy-v2-ssl-cn", srv_parse_send_proxy_cn, 0, 1 }, /* send PROXY protocol header v2 with CN */