- updated to 1.0.48
diff --git a/tls.patch b/tls.patch
deleted file mode 100644 (file)
index 615fb96..0000000
--- a/tls.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-commit 4a495c61ce22c893aed5ee57f6ce0b43c3be59ad
-Author: Frank Denis <github@pureftpd.org>
-Date:   Wed Sep 19 23:53:45 2018 +0200
-
-    TLS1.3 compatibility
-    
-    Fixes #94
-
-diff --git a/src/tls.c b/src/tls.c
-index c693d3b..f383ed9 100644
---- a/src/tls.c
-+++ b/src/tls.c
-@@ -228,7 +228,16 @@ static void ssl_info_cb(const SSL *cnx, int where, int ret)
-     if ((where & SSL_CB_HANDSHAKE_START) != 0) {
-         if ((cnx == tls_cnx && tls_cnx_handshook != 0) ||
-             (cnx == tls_data_cnx && tls_data_cnx_handshook != 0)) {
--            die(400, LOG_ERR, "TLS renegociation");
-+            const SSL_CIPHER *cipher;
-+            const char *cipher_version;
-+            if ((cipher = SSL_get_current_cipher(cnx)) == NULL ||
-+                (cipher_version = SSL_CIPHER_get_version(cipher)) == NULL) {
-+                die(400, LOG_ERR, "No cipher");
-+            }
-+            if (strcmp(cipher_version, "TLSv1.3") != 0) {
-+                die(400, LOG_ERR, "TLS renegociation");
-+                return;
-+            }
-         }
-         return;
-     }
-@@ -264,10 +273,10 @@ int tls_init_library(void)
-     OpenSSL_add_all_algorithms();
- # else
-     OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
--                   OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
-+                     OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
-     OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
--                      OPENSSL_INIT_ADD_ALL_DIGESTS |
--                      OPENSSL_INIT_LOAD_CONFIG, NULL);
-+                        OPENSSL_INIT_ADD_ALL_DIGESTS |
-+                        OPENSSL_INIT_LOAD_CONFIG, NULL);
- # endif
-     while (RAND_status() == 0) {
-         rnd = zrand();
-commit aa68b2d620ef0c83c7f52213c7e6093722b0b8bd
-Author: Frank Denis <github@pureftpd.org>
-Date:   Wed Oct 24 19:19:26 2018 +0200
-
-    Disable TLSv1_1
-
-diff --git a/src/tls.c b/src/tls.c
-index f383ed9..c4e2a1b 100644
---- a/src/tls.c
-+++ b/src/tls.c
-@@ -297,7 +297,7 @@ int tls_init_library(void)
-     SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1);
- # endif
- # ifdef SSL_OP_NO_TLSv1_1
--    SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_1);
-+    SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1_1);
- # endif
- # ifdef SSL_OP_NO_TLSv1_2
-     SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_2);