Disable TLSv1.3 in MbedTLS 3.6.0 for now

In Mbed TLS 3.6.0 there is support for TLSv1.3 but it requires special handling, so for now we disable it. See: https://gitlab.alpinelinux.org/alpine/aports/-/commit/4dc36afaa81a4d73758b29fa77981d07dbae0080.patch Fixes: https://github.com/dillo-browser/dillo/issues/158
author: Rodrigo Arias Mallo <rodarima@gmail.com> 2024-05-06 21:30:59 +0200
committer: rodarima <rodarima@gmail.com> 2024-05-12 23:01:42 +0200
commit: 26344ae27d367577d0a2b0a38efae8358041df56 (patch)
tree: 2495163eb7983550c36e7eccd59f47079a55d41d /src/IO
parent: 6c5db261812b20534c277fb8c839a910e5d4eac3 (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/src/IO/tls_mbedtls.c b/src/IO/tls_mbedtls.c
index fffa7bfe..fed7bd01 100644
--- a/src/IO/tls_mbedtls.c
+++ b/src/IO/tls_mbedtls.c
@@ -98,6 +98,12 @@ static Dlist *fd_map;
 
 static void Tls_handshake_cb(int fd, void *vconnkey);
 
+
+#if MBEDTLS_VERSION_NUMBER >= 0x03060000
+/* Moved to ssl_ciphersuites_internal.h in mbedtls 3.6.0 */
+int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
+#endif
+
 /*
  * Compare by FD.
  */
@@ -387,6 +393,15 @@ void a_Tls_mbedtls_init(void)
    mbedtls_ssl_conf_cert_profile(&ssl_conf, &prof);
 
    /*
+    * TLSv1.3 brings some changes, among them, having to call
+    * psa_crypto_init(), and a new way of resuming sessions,
+    * which is not currently supported by the code here.
+    */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+   mbedtls_ssl_conf_max_tls_version(&ssl_conf, MBEDTLS_SSL_VERSION_TLS1_2);
+#endif
+
+   /*
     * There are security concerns surrounding session tickets --
     * wrecking forward security, for instance.
     */
author	Rodrigo Arias Mallo <rodarima@gmail.com>	2024-05-06 21:30:59 +0200
committer	rodarima <rodarima@gmail.com>	2024-05-12 23:01:42 +0200
commit	26344ae27d367577d0a2b0a38efae8358041df56 (patch)
tree	2495163eb7983550c36e7eccd59f47079a55d41d /src/IO
parent	6c5db261812b20534c277fb8c839a910e5d4eac3 (diff)