author: Rodrigo Arias Mallo <rodarima@gmail.com> 2024-05-06 21:30:59 +0200
committer: rodarima <rodarima@gmail.com> 2024-05-12 23:01:42 +0200
commit: 26344ae27d367577d0a2b0a38efae8358041df56
tree: 2495163eb7983550c36e7eccd59f47079a55d41d
parent: 6c5db261812b20534c277fb8c839a910e5d4eac3
Disable TLSv1.3 in MbedTLS 3.6.0 for now
In Mbed TLS 3.6.0 there is support for TLSv1.3 but it requires special handling, so for now we disable it.

See: https://gitlab.alpinelinux.org/alpine/aports/-/commit/4dc36afaa81a4d73758b29fa77981d07dbae0080.patch
Fixes: https://github.com/dillo-browser/dillo/issues/158
-rw-r--r-- ChangeLog 4
-rw-r--r-- doc/install.md 7
-rw-r--r-- src/IO/tls_mbedtls.c 15
3 files changed, 23 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 84582fcb..a0f932ae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@ Here we list changes that are relatively significant and/or visible to the
user. For a history of changes in full detail, see our Git repository
at https://github.com/dillo-browser/dillo
+dillo-3.1.1 [not released yet]
+
++- Disable TLSv1.3 in Mbed TLS 3.6.0 until it is supported.
+ Patches: Rodrigo Arias Mallo <rodarima@gmail.com>
dillo-3.1.0 [May 4, 2024]
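Review bot: The new entry `Disable TLSv1.3 in Mbed TLS 3.6.0 until it is supported.` ties the change to 3.6.0, but the cap added in src/IO/tls_mbedtls.c is guarded by `#if defined(MBEDTLS_SSL_PROTO_TLS1_3)`, not by a version check, so it applies to every Mbed TLS build that has TLS 1.3 compiled in. Suggest wording the entry without the version (for example "Disable TLSv1.3 when building with Mbed TLS until it is supported") so users on other versions are not surprised by a TLS 1.2 ceiling.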
diff --git a/doc/install.md b/doc/install.md
index e5bce883..344cff01 100644
--- a/doc/install.md
+++ b/doc/install.md
@@ -21,12 +21,13 @@ library to browse HTTPS pages. Currently, Dillo supports any of the
following libraries:
- OpenSSL 1.1 or 3
- - mbedTLS 2 or 3
+ - LibreSSL
+ - mbedTLS 2 or 3 (TLSv1.3 is not supported yet)
If you don't want to use a TLS library, use the configure option
`--disable-tls` to disable TLS support. You can use `--disable-openssl`
-and `--disable-mbedtls` to control the search. By default OpenSSL is
-search first, then mbedTLS.
+and `--disable-mbedtls` to control the search. By default OpenSSL or
+LibreSSL is search first, then mbedTLS.
For Debian, you can use the following command to install the required
packages to build Dillo:
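Review bot: In the rewritten sentence `LibreSSL is search first, then mbedTLS.` the verb should be "searched"; the removed line had the same slip, so this is a good moment to fix it. The hunk also adds `- LibreSSL` to the list of supported libraries, which neither the subject line nor the commit message mentions. Either note it in the message or move it to its own commit, so the TLS 1.3 change can be reverted or backported on its own.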
diff --git a/src/IO/tls_mbedtls.c b/src/IO/tls_mbedtls.c
index fffa7bfe..fed7bd01 100644
--- a/src/IO/tls_mbedtls.c
+++ b/src/IO/tls_mbedtls.c
@@ -98,6 +98,12 @@ static Dlist *fd_map;
static void Tls_handshake_cb(int fd, void *vconnkey);
+
+#if MBEDTLS_VERSION_NUMBER >= 0x03060000
+/* Moved to ssl_ciphersuites_internal.h in mbedtls 3.6.0 */
+int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
+#endif
+
/*
* Compare by FD.
*/
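Review bot: The hand-written prototype for `mbedtls_ssl_ciphersuite_uses_psk()` under `#if MBEDTLS_VERSION_NUMBER >= 0x03060000` keeps Dillo calling a function that, per the comment, now lives in an internal header. That makes the build depend on a symbol outside the library's public API: nothing guarantees it stays exported or keeps this signature, and because the declaration is local the compiler cannot catch a mismatch. Suggest a configure-time link check for the symbol, or replacing the call with public API, and extending the comment to say why the declaration is duplicated here.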
@@ -387,6 +393,15 @@ void a_Tls_mbedtls_init(void)
mbedtls_ssl_conf_cert_profile(&ssl_conf, &prof);
/*
+ * TLSv1.3 brings some changes, among them, having to call
+ * psa_crypto_init(), and a new way of resuming sessions,
+ * which is not currently supported by the code here.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_conf_max_tls_version(&ssl_conf, MBEDTLS_SSL_VERSION_TLS1_2);
+#endif
+
+ /*
* There are security concerns surrounding session tickets --
* wrecking forward security, for instance.
*/
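Review bot: The call `mbedtls_ssl_conf_max_tls_version(&ssl_conf, MBEDTLS_SSL_VERSION_TLS1_2);` caps the protocol version silently, so a connection to a server that accepts only TLS 1.3 will fail the handshake with no hint of the cause. Suggest printing a one-time message at init stating that TLS 1.3 is disabled when built against Mbed TLS, and referencing issue 158 in the comment so the cap is removed once psa_crypto_init() and the new session resumption are handled.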