src: Enable TLS 1.3 with boringssl
This commit enables TLS 1.3 using latest boringssl. This doesn't compile with OpenSSL or libressl at the moment.
This commit is contained in:
Tatsuhiro Tsujikawa
parent
b1b8308555
commit
f1beff1e10
|
|
@ -2121,6 +2121,7 @@ int HttpServer::run() {
|
|||
SSL_CTX_set_options(ssl_ctx, ssl_opts);
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
|
||||
SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);
|
||||
|
||||
if (SSL_CTX_set_cipher_list(ssl_ctx, ssl::DEFAULT_CIPHER_LIST) == 0) {
|
||||
std::cerr << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
|
||||
|
|
|
|||
|
|
@ -2248,6 +2248,7 @@ int main(int argc, char **argv) {
|
|||
SSL_CTX_set_options(ssl_ctx, ssl_opts);
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
|
||||
SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);
|
||||
|
||||
if (SSL_CTX_set_cipher_list(ssl_ctx, config.ciphers.c_str()) == 0) {
|
||||
std::cerr << "SSL_CTX_set_cipher_list with " << config.ciphers
|
||||
|
|
|
|||
|
|
@ -2212,6 +2212,7 @@ int communicate(
|
|||
SSL_CTX_set_options(ssl_ctx, ssl_opts);
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
|
||||
SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);
|
||||
if (SSL_CTX_set_cipher_list(ssl_ctx, CIPHER_LIST) == 0) {
|
||||
std::cerr << "[ERROR] " << ERR_error_string(ERR_get_error(), nullptr)
|
||||
<< std::endl;
|
||||
|
|
|
|||
|
|
@ -634,6 +634,8 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
|
|||
|
||||
SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
|
||||
|
||||
SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION);
|
||||
|
||||
const unsigned char sid_ctx[] = "shrpx";
|
||||
SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
|
||||
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
|
||||
|
|
@ -866,6 +868,8 @@ SSL_CTX *create_ssl_client_context(
|
|||
|
||||
SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
|
||||
|
||||
SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION);
|
||||
|
||||
if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) {
|
||||
LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
|
||||
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
|
||||
|
|
|
|||
|
|
@ -83,6 +83,8 @@ const char *get_tls_protocol(SSL *ssl) {
|
|||
return "SSLv2";
|
||||
case SSL3_VERSION:
|
||||
return "SSLv3";
|
||||
case TLS1_3_VERSION:
|
||||
return "TLSv1.3";
|
||||
case TLS1_2_VERSION:
|
||||
return "TLSv1.2";
|
||||
case TLS1_1_VERSION:
|
||||
|
|
@ -140,7 +142,7 @@ bool check_http2_cipher_black_list(SSL *ssl) {
|
|||
bool check_http2_tls_version(SSL *ssl) {
|
||||
auto tls_ver = SSL_version(ssl);
|
||||
|
||||
return tls_ver == TLS1_2_VERSION;
|
||||
return tls_ver >= TLS1_2_VERSION;
|
||||
}
|
||||
|
||||
bool check_http2_requirement(SSL *ssl) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue