src: Enable TLS 1.3 with boringssl

This commit enables TLS 1.3 using the latest BoringSSL. This does not
compile with OpenSSL or LibreSSL at the moment.
Tatsuhiro Tsujikawa 2017-01-02 11:53:29 +09:00
parent b1b8308555
commit f1beff1e10
5 changed files with 10 additions and 1 deletions


@ -2121,6 +2121,7 @@ int HttpServer::run() {
SSL_CTX_set_options(ssl_ctx, ssl_opts); SSL_CTX_set_options(ssl_ctx, ssl_opts);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);
if (SSL_CTX_set_cipher_list(ssl_ctx, ssl::DEFAULT_CIPHER_LIST) == 0) { if (SSL_CTX_set_cipher_list(ssl_ctx, ssl::DEFAULT_CIPHER_LIST) == 0) {
std::cerr << ERR_error_string(ERR_get_error(), nullptr) << std::endl; std::cerr << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
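Review bot: The new `SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);` call is unconditional, so the `TLS1_3_VERSION` symbol is what breaks the OpenSSL and LibreSSL builds the description mentions; wrapping it as `#ifdef TLS1_3_VERSION` / `SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);` / `#endif` keeps those builds compiling and raises the ceiling only where the library defines the version. The return value is also discarded, and BoringSSL reports a rejected version with zero, which would silently leave the context at its previous maximum; checking it the same way the `SSL_CTX_set_cipher_list` result is checked two lines below would surface that. The same two points apply to the hunks in `int main`, `int communicate`, `create_ssl_context` and `create_ssl_client_context` below. Those last two spell the call `SSL_CTX_set_max_proto_version`, while the first three use `SSL_CTX_set_max_version`; settling on one spelling across the five sites would simplify a later compatibility shim. `HttpServer::run` continues outside the hunk.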


@ -2248,6 +2248,7 @@ int main(int argc, char **argv) {
SSL_CTX_set_options(ssl_ctx, ssl_opts); SSL_CTX_set_options(ssl_ctx, ssl_opts);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);
if (SSL_CTX_set_cipher_list(ssl_ctx, config.ciphers.c_str()) == 0) { if (SSL_CTX_set_cipher_list(ssl_ctx, config.ciphers.c_str()) == 0) {
std::cerr << "SSL_CTX_set_cipher_list with " << config.ciphers std::cerr << "SSL_CTX_set_cipher_list with " << config.ciphers
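Review bot: With the maximum raised to TLS 1.3, the user-supplied `config.ciphers` passed to `SSL_CTX_set_cipher_list` on the next line no longer describes every suite that can be negotiated: as far as I know BoringSSL does not let the cipher-string API restrict TLS 1.3 suites, so a `--ciphers` value chosen to pin a particular suite is honoured only for TLS 1.2 and below. A short comment at the call site, `// Note: the cipher string governs TLS 1.2 and earlier only; TLS 1.3 suites are fixed by the library.`, plus a matching sentence in the option's help text, would keep operators from assuming the list is exhaustive. The same applies to the `CIPHER_LIST` call in `int communicate` and to `tlsconf.client.ciphers` in `create_ssl_client_context` further down. `main` continues outside the hunk.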


@ -2212,6 +2212,7 @@ int communicate(
SSL_CTX_set_options(ssl_ctx, ssl_opts); SSL_CTX_set_options(ssl_ctx, ssl_opts);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);
if (SSL_CTX_set_cipher_list(ssl_ctx, CIPHER_LIST) == 0) { if (SSL_CTX_set_cipher_list(ssl_ctx, CIPHER_LIST) == 0) {
std::cerr << "[ERROR] " << ERR_error_string(ERR_get_error(), nullptr) std::cerr << "[ERROR] " << ERR_error_string(ERR_get_error(), nullptr)
<< std::endl; << std::endl;


@ -634,6 +634,8 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask); SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION);
const unsigned char sid_ctx[] = "shrpx"; const unsigned char sid_ctx[] = "shrpx";
SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1); SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER); SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
@ -866,6 +868,8 @@ SSL_CTX *create_ssl_client_context(
SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask); SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION);
if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) { if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) {
LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr); << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
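Review bot: In both `create_ssl_context` and `create_ssl_client_context` the maximum is pinned to `TLS1_3_VERSION` right after `SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask)`, so the existing protocol configuration that feeds `tls_proto_mask` has no say over TLS 1.3: an operator who has deliberately limited a deployment to TLS 1.2 (presumably via the protocol-list option that builds the mask, which is outside this hunk) will start negotiating 1.3 after upgrading. Either derive the argument from `tlsconf` (the highest version the operator's list allows) or extend the list's vocabulary to cover TLS 1.3, and document the choice next to the call. The hunk header `-634,6 +634,8` reports two added lines but only one is visible here, so the second addition in each of these hunks could not be reviewed. Both functions continue outside the hunks.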


@ -83,6 +83,8 @@ const char *get_tls_protocol(SSL *ssl) {
return "SSLv2"; return "SSLv2";
case SSL3_VERSION: case SSL3_VERSION:
return "SSLv3"; return "SSLv3";
case TLS1_3_VERSION:
return "TLSv1.3";
case TLS1_2_VERSION: case TLS1_2_VERSION:
return "TLSv1.2"; return "TLSv1.2";
case TLS1_1_VERSION: case TLS1_1_VERSION:
@ -140,7 +142,7 @@ bool check_http2_cipher_black_list(SSL *ssl) {
bool check_http2_tls_version(SSL *ssl) { bool check_http2_tls_version(SSL *ssl) {
auto tls_ver = SSL_version(ssl); auto tls_ver = SSL_version(ssl);
return tls_ver == TLS1_2_VERSION; return tls_ver >= TLS1_2_VERSION;
} }
bool check_http2_requirement(SSL *ssl) { bool check_http2_requirement(SSL *ssl) {
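Review bot: `check_http2_tls_version` now returns `tls_ver >= TLS1_2_VERSION` with no comment explaining why a range replaced the exact match; a one-liner such as `// RFC 7540 section 9.2: HTTP/2 requires TLS 1.2 or a later version.` records the intent and the reason the relational form is correct. The comparison relies on `SSL_version` returning numerically ordered TLS version codes, which holds for the TLS constants used in `get_tls_protocol` above. It is worth confirming that `check_http2_cipher_black_list` (whose body sits above this hunk) cannot misclassify a TLS 1.3 connection: the 1.3 suites are all AEAD with ephemeral key exchange, so the RFC 7540 Appendix A list should simply not match them, but if the check relies on anything beyond cipher identity it should be re-read with 1.3 in mind. `check_http2_requirement` continues outside the hunk.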