Package: pure-ftpd / 1.0.47-3

commit 4a495c61ce22c893aed5ee57f6ce0b43c3be59ad
Author: Frank Denis <github@pureftpd.org>
Date:   Wed Sep 19 23:53:45 2018 +0200

    TLS1.3 compatibility
    
    Fixes #94

diff --git a/src/tls.c b/src/tls.c
index c693d3b..f383ed9 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -228,7 +228,16 @@ static void ssl_info_cb(const SSL *cnx, int where, int ret)
     if ((where & SSL_CB_HANDSHAKE_START) != 0) {
         if ((cnx == tls_cnx && tls_cnx_handshook != 0) ||
             (cnx == tls_data_cnx && tls_data_cnx_handshook != 0)) {
-            die(400, LOG_ERR, "TLS renegociation");
+            const SSL_CIPHER *cipher;
+            const char *cipher_version;
+            if ((cipher = SSL_get_current_cipher(cnx)) == NULL ||
+                (cipher_version = SSL_CIPHER_get_version(cipher)) == NULL) {
+                die(400, LOG_ERR, "No cipher");
+            }
+            if (strcmp(cipher_version, "TLSv1.3") != 0) {
+                die(400, LOG_ERR, "TLS renegociation");
+                return;
+            }
         }
         return;
     }
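Review bot: The first die() call in the new block, `die(400, LOG_ERR, "No cipher");`, has no `return;` after it, while the second one does; if die() can return (which the `return;` after the renegotiation die suggests the author was guarding against), control falls through to `strcmp(cipher_version, ...)` with cipher_version possibly never assigned, because the `||` short-circuits when SSL_get_current_cipher() yields NULL. Make the two paths consistent: `die(400, LOG_ERR, "No cipher"); return;` — or, if die() is declared noreturn, drop the second `return;` so the intent is unambiguous. The exemption itself is sound in principle, since SSL_CB_HANDSHAKE_START fires for TLS 1.3 post-handshake messages that are not renegotiation, but note that the decision rests on the version string of the already-negotiated cipher rather than on SSL_version(cnx); a short comment above the strcmp such as `/* TLS 1.3 has no renegotiation; HANDSHAKE_START here is a post-handshake message, not a renegotiation attempt */` would record why a second handshake start is tolerated only in that case. ssl_info_cb begins and ends outside this hunk.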
@@ -264,10 +273,10 @@ int tls_init_library(void)
     OpenSSL_add_all_algorithms();
 # else
     OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
-		     OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+                     OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
     OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
-			OPENSSL_INIT_ADD_ALL_DIGESTS |
-			OPENSSL_INIT_LOAD_CONFIG, NULL);
+                        OPENSSL_INIT_ADD_ALL_DIGESTS |
+                        OPENSSL_INIT_LOAD_CONFIG, NULL);
 # endif
     while (RAND_status() == 0) {
         rnd = zrand();