From 26344ae27d367577d0a2b0a38efae8358041df56 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Mon, 6 May 2024 21:30:59 +0200
Subject: Disable TLSv1.3 in MbedTLS 3.6.0 for now

In Mbed TLS 3.6.0 there is support for TLSv1.3 but it requires special handling, so for now we disable it.
See: https://gitlab.alpinelinux.org/alpine/aports/-/commit/4dc36afaa81a4d73758b29fa77981d07dbae0080.patch
Fixes: https://github.com/dillo-browser/dillo/issues/158
---
 src/IO/tls_mbedtls.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'src/IO/tls_mbedtls.c')
diff --git a/src/IO/tls_mbedtls.c b/src/IO/tls_mbedtls.c
index fffa7bfe..fed7bd01 100644
--- a/src/IO/tls_mbedtls.c
+++ b/src/IO/tls_mbedtls.c
@@ -98,6 +98,12 @@ static Dlist *fd_map;

 static void Tls_handshake_cb(int fd, void *vconnkey);

+
+#if MBEDTLS_VERSION_NUMBER >= 0x03060000
+/* Moved to ssl_ciphersuites_internal.h in mbedtls 3.6.0 */
+int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
+#endif
+
 /*
 * Compare by FD.
 */
@@ -386,6 +392,15 @@ void a_Tls_mbedtls_init(void)
 MBEDTLS_SSL_PRESET_DEFAULT);
 mbedtls_ssl_conf_cert_profile(&ssl_conf, &prof);

+ /*
+ * TLSv1.3 brings some changes, among them, having to call
+ * psa_crypto_init(), and a new way of resuming sessions,
+ * which is not currently supported by the code here.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_conf_max_tls_version(&ssl_conf, MBEDTLS_SSL_VERSION_TLS1_2);
+#endif
+
 /*
 * There are security concerns surrounding session tickets --
 * wrecking forward security, for instance.
--
cgit v1.2.3
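Review bot: The hand-written prototype for `mbedtls_ssl_ciphersuite_uses_psk` added after `Tls_handshake_cb` declares a symbol that, per its own comment, now lives in an internal Mbed TLS header, so no library header checks this declaration any more. If a later release changes the signature or stops exporting the symbol, the result is a link failure or a silent prototype mismatch in code that inspects ciphersuites. I would extend the comment to record that, e.g. `/* Internal, not public API: re-check this prototype on every Mbed TLS upgrade */`. The call site is outside this hunk; if the public API offers an equivalent check, using it there would remove the dependency altogether.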
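Review bot: The cap at `MBEDTLS_SSL_VERSION_TLS1_2` in `a_Tls_mbedtls_init` is called temporary in the commit subject, but the code comment carries no marker saying when or how it should be lifted. While it is in place, servers that accept only TLSv1.3 will presumably fail the handshake, so the error path (outside this hunk) should report the version limit rather than a generic failure. I would append to the comment `TODO: remove this cap once psa_crypto_init() and TLSv1.3 session resumption are handled (issue #158)`. The function body starts and ends outside the hunk, so whether a minimum version is also pinned cannot be confirmed from here.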