Overview
Comment: | Changed to only allow SSL2 and SSL3 to be manually enabled. See RFC 8996, Deprecating TLS 1.0 and TLS 1.1. Also see NIST SP 800-52r2 which requires TLS 1.2 and TLS 1.3, should not use TLS 1.1, and shall not use TLS 1.0, SSL 3.0, or SSL 2.0. |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
9d1bdab9a6e7e00285ae227380c9136a |
User & Date: | bohagan on 2023-09-02 20:03:56 |
Other Links: | manifest | tags |
Context
2023-09-02
| ||
21:13 | Set automatic curve selection for ECDH temporary keys used during key exchange. Used to make a server always choose the most appropriate curve for a client. Disable compression even if supported. check-in: 1dbae1afec user: bohagan tags: trunk | |
20:03 | Changed to only allow SSL2 and SSL3 to be manually enabled. See RFC 8996, Deprecating TLS 1.0 and TLS 1.1. Also see NIST SP 800-52r2 which requires TLS 1.2 and TLS 1.3, should not use TLS 1.1, and shall not use TLS 1.0, SSL 3.0, or SSL 2.0. check-in: 9d1bdab9a6 user: bohagan tags: trunk | |
2023-09-01
| ||
21:57 | Merged status and X509 updates branch into master check-in: 3432ab03a3 user: bohagan tags: trunk | |
Changes
Modified generic/tls.c
from [18bce24fbb]
to [a404941892].
︙ | ︙ | |||
1268 1269 1270 1271 1272 1273 1274 | int ssl2 = 0, ssl3 = 0; int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; int proto = 0, level = -1; int verify = 0, require = 0, request = 1, post_handshake = 0; dprintf("Called"); | < < < < < < | 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 | int ssl2 = 0, ssl3 = 0; int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; int proto = 0, level = -1; int verify = 0, require = 0, request = 1, post_handshake = 0; dprintf("Called"); #if defined(NO_TLS1) || defined(OPENSSL_NO_TLS1) tls1 = 0; #endif #if defined(NO_TLS1_1) || defined(OPENSSL_NO_TLS1_1) tls1_1 = 0; #endif #if defined(NO_TLS1_2) || defined(OPENSSL_NO_TLS1_2) |
︙ | ︙ | |||
1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 | #endif #if defined(NO_TLS1_3) || defined(OPENSSL_NO_TLS1_3) if (ENABLED(proto, TLS_PROTO_TLS1_3)) { Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", NULL); return NULL; } #endif switch (proto) { #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2) case TLS_PROTO_SSL2: method = isServer ? SSLv2_server_method() : SSLv2_client_method(); break; #endif | > > > > > | 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 | #endif #if defined(NO_TLS1_3) || defined(OPENSSL_NO_TLS1_3) if (ENABLED(proto, TLS_PROTO_TLS1_3)) { Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", NULL); return NULL; } #endif if (proto == 0) { /* Use full range */ SSL_CTX_set_min_proto_version(ctx, 0); SSL_CTX_set_max_proto_version(ctx, 0); } switch (proto) { #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2) case TLS_PROTO_SSL2: method = isServer ? SSLv2_server_method() : SSLv2_client_method(); break; #endif |
︙ | ︙ |