Disable TLSv1.3 in MbedTLS 3.6.0 for now

In Mbed TLS 3.6.0 there is support for TLSv1.3 but it requires
special handling, so for now we disable it.

See: https://gitlab.alpinelinux.org/alpine/aports/-/commit/4dc36afaa81a4d73758b29fa77981d07dbae0080.patch
Fixes: https://github.com/dillo-browser/dillo/issues/158

1 files changed, 15 insertions, 0 deletions

diff --git a/src/IO/tls_mbedtls.c b/src/IO/tls_mbedtls.c
index fffa7bfe..fed7bd01 100644
--- a/src/IO/tls_mbedtls.c
+++ b/src/IO/tls_mbedtls.c
@@ -98,6 +98,12 @@ static Dlist *fd_map;
 
 static void Tls_handshake_cb(int fd, void *vconnkey);
 
+
+#if MBEDTLS_VERSION_NUMBER >= 0x03060000
+/* Moved to ssl_ciphersuites_internal.h in mbedtls 3.6.0 */
+int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
+#endif
+
 /*
  * Compare by FD.
  */
@@ -387,6 +393,15 @@ void a_Tls_mbedtls_init(void)
    mbedtls_ssl_conf_cert_profile(&ssl_conf, &prof);
 
    /*
+    * TLSv1.3 brings some changes, among them, having to call
+    * psa_crypto_init(), and a new way of resuming sessions,
+    * which is not currently supported by the code here.
+    */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+   mbedtls_ssl_conf_max_tls_version(&ssl_conf, MBEDTLS_SSL_VERSION_TLS1_2);
+#endif
+
+   /*
     * There are security concerns surrounding session tickets --
     * wrecking forward security, for instance.
     */