aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--ChangeLog4
-rw-r--r--doc/install.md7
-rw-r--r--src/IO/tls_mbedtls.c15
3 files changed, 23 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 84582fcb..a0f932ae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@ Here we list changes that are relatively significant and/or visible to the
user. For a history of changes in full detail, see our Git repository
at https://github.com/dillo-browser/dillo
+dillo-3.1.1 [not released yet]
+
++- Disable TLSv1.3 in Mbed TLS 3.6.0 until it is supported.
+ Patches: Rodrigo Arias Mallo <rodarima@gmail.com>
dillo-3.1.0 [May 4, 2024]
diff --git a/doc/install.md b/doc/install.md
index e5bce883..344cff01 100644
--- a/doc/install.md
+++ b/doc/install.md
@@ -21,12 +21,13 @@ library to browse HTTPS pages. Currently, Dillo supports any of the
following libraries:
- OpenSSL 1.1 or 3
- - mbedTLS 2 or 3
+ - LibreSSL
+ - mbedTLS 2 or 3 (TLSv1.3 is not supported yet)
If you don't want to use a TLS library, use the configure option
`--disable-tls` to disable TLS support. You can use `--disable-openssl`
-and `--disable-mbedtls` to control the search. By default OpenSSL is
-search first, then mbedTLS.
+and `--disable-mbedtls` to control the search. By default OpenSSL or
+LibreSSL is search first, then mbedTLS.
For Debian, you can use the following command to install the required
packages to build Dillo:
diff --git a/src/IO/tls_mbedtls.c b/src/IO/tls_mbedtls.c
index fffa7bfe..fed7bd01 100644
--- a/src/IO/tls_mbedtls.c
+++ b/src/IO/tls_mbedtls.c
@@ -98,6 +98,12 @@ static Dlist *fd_map;
static void Tls_handshake_cb(int fd, void *vconnkey);
+
+#if MBEDTLS_VERSION_NUMBER >= 0x03060000
+/* Moved to ssl_ciphersuites_internal.h in mbedtls 3.6.0 */
+int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
+#endif
+
/*
* Compare by FD.
*/
@@ -387,6 +393,15 @@ void a_Tls_mbedtls_init(void)
mbedtls_ssl_conf_cert_profile(&ssl_conf, &prof);
/*
+ * TLSv1.3 brings some changes, among them, having to call
+ * psa_crypto_init(), and a new way of resuming sessions,
+ * which is not currently supported by the code here.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_conf_max_tls_version(&ssl_conf, MBEDTLS_SSL_VERSION_TLS1_2);
+#endif
+
+ /*
* There are security concerns surrounding session tickets --
* wrecking forward security, for instance.
*/