Enable TLS 1.3 #235
src/imp/openssl.rs
@@ -54,7 +55,8 @@ fn supported_protocols( | |||
| SslOptions::NO_SSLV3 | |||
| SslOptions::NO_TLSV1 | |||
| SslOptions::NO_TLSV1_1 | |||
| SslOptions::NO_TLSV1_2; | |||
| SslOptions::NO_TLSV1_2 | |||
| SslOptions::NO_TLSV1_3; |
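Review bot: `SslOptions::NO_TLSV1_3` is added to the option mask of the fallback `supported_protocols` path, but that path only compiles for OpenSSL builds too old to have `set_min_proto_version`, and those builds also lack TLS 1.3 and therefore the `NO_TLSV1_3` constant, so the fallback stops compiling. Suggest dropping this line from the fallback (those versions cannot negotiate TLS 1.3, so there is nothing to disable) and keeping the original `| SslOptions::NO_TLSV1_2;` terminator, handling `Protocol::Tlsv13` only in the `set_min_proto_version` branch.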
OpenSSL versions too old for set_min_proto_version won't have TLSV1_3 support afaik.
I'm not sure what you mean. The OpenSSL versions that don't have min protocol config are very old and no longer supported I think (< v1.1.0), while TLS1.3 was introduced at OpenSSL v1.1.1, also pretty old by now.
This code is only used for old versions of OpenSSL that won't have a NO_TLSV1_3 symbol.
I see. Didn't notice this is inside a #[cfg()] block.
What about Security.framework?
Bumping the Rust version used in the CI builds should unbreak those.
@@ -32,6 +32,7 @@ fn supported_protocols( | |||
Protocol::Tlsv10 => SslVersion::TLS1, | |||
Protocol::Tlsv11 => SslVersion::TLS1_1, | |||
Protocol::Tlsv12 => SslVersion::TLS1_2, | |||
Protocol::Tlsv13 => SslVersion::TLS1_3, |
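Review bot: `SslVersion::TLS1_3` is referenced unconditionally in the `set_min_proto_version` match, but OpenSSL 1.1.0 has `set_min_proto_version` without TLS 1.3, so the constant does not exist there and the build breaks for that version. Gate the `Protocol::Tlsv13 => SslVersion::TLS1_3,` arm behind a cfg that the build script derives from the linked OpenSSL version (1.1.1 or newer), and define what the arm does when the cfg is off (return an error rather than silently mapping to an older version). The new `Protocol::Tlsv13` variant also needs a match arm in the other backends such as Security.framework, or the crate will not compile there.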
I believe this will break compilation against OpenSSL 1.1.0, which has set_min_proto_version but does not have TLS 1.3 support. You'll need to add some extra version logic in the build script and here.
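The build-script version check the comment above asks for, as an added example that is not the PR's or native-tls's own code; it assumes the `DEP_OPENSSL_VERSION_NUMBER` variable that openssl-sys exports to dependents and uses `have_min_protocol` and `have_tls13` as illustrative cfg names:

```rust
// Added example (not the PR's code): version gating in a Cargo build script.
// openssl-sys exports the linked OpenSSL version as DEP_OPENSSL_VERSION_NUMBER,
// a hex string in OpenSSL's 0xMNNFFPPS layout (major, minor, fix, patch, status).
// The cfg names `have_min_protocol` and `have_tls13` are assumed for illustration.
use std::env;

/// Parse the hex string openssl-sys puts in DEP_OPENSSL_VERSION_NUMBER.
pub fn parse_version_number(hex: &str) -> Option<u64> {
    u64::from_str_radix(hex.trim_start_matches("0x"), 16).ok()
}

/// Pack (major, minor, fix) into OPENSSL_VERSION_NUMBER layout for comparison.
/// Patch and status bits stay zero so 1.1.1 matches 1.1.1a and later.
pub fn version_number(major: u64, minor: u64, fix: u64) -> u64 {
    (major << 28) | (minor << 20) | (fix << 12)
}

/// SSL_CTX_set_min_proto_version arrived in 1.1.0 and TLS 1.3 in 1.1.1,
/// so the two cfgs differ: 1.1.0 has the former but not the latter.
pub fn has_min_proto_version(v: u64) -> bool {
    v >= version_number(1, 1, 0)
}

pub fn has_tls13(v: u64) -> bool {
    v >= version_number(1, 1, 1)
}

/// Compute the cfgs to emit; returned as a list so the logic is testable.
/// An unparsable version yields no cfgs, which leaves the fallback path active.
pub fn cfgs_for(version_hex: &str) -> Vec<&'static str> {
    let mut out = Vec::new();
    if let Some(v) = parse_version_number(version_hex) {
        if has_min_proto_version(v) {
            out.push("have_min_protocol");
        }
        if has_tls13(v) {
            out.push("have_tls13");
        }
    }
    out
}

fn main() {
    // In a real build.rs this runs when the dependent crate is built.
    if let Ok(hex) = env::var("DEP_OPENSSL_VERSION_NUMBER") {
        for cfg in cfgs_for(&hex) {
            println!("cargo:rustc-cfg={}", cfg);
        }
    }
}
```

The source can then wrap the `Protocol::Tlsv13` arm in `#[cfg(have_tls13)]` while the fallback mask stays untouched.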
What about a feature flag? Feels like this could get merged quicker by letting the users decide.
Any update on this?
Is this blocked on putting it behind a feature flag, to maintain compatibility with OpenSSL 1.1.0, or is something else keeping it stuck?
Retry of #159