src: Enable TLS 1.3 with boringssl

This commit enables TLS 1.3 using latest boringssl. This doesn't compile with OpenSSL or libressl at the moment.

src: Enable TLS 1.3 with boringssl
This commit enables TLS 1.3 using latest boringssl. This doesn't compile with OpenSSL or libressl at the moment.
f1beff1e · Tatsuhiro Tsujikawa · b1b83085 · f1beff1e · f1beff1e · f1beff1e
Commit f1beff1e authored Jan 02, 2017 by Tatsuhiro Tsujikawa
Showing with 10 additions and 1 deletion

src/HttpServer.cc src/HttpServer.cc +1 -0

src/h2load.cc src/h2load.cc +1 -0

src/nghttp.cc src/nghttp.cc +1 -0

src/shrpx_ssl.cc src/shrpx_ssl.cc +4 -0

src/ssl.cc src/ssl.cc +3 -1

No files found.
--- a/src/HttpServer.cc
+++ b/src/HttpServer.cc
@@ -2121,6 +2121,7 @@ int HttpServer::run() {
    SSL_CTX_set_options(ssl_ctx, ssl_opts);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+    SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);
    if (SSL_CTX_set_cipher_list(ssl_ctx, ssl::DEFAULT_CIPHER_LIST) == 0) {
      std::cerr << ERR_error_string(ERR_get_error(), nullptr) << std::endl;

--- a/src/h2load.cc
+++ b/src/h2load.cc
@@ -2248,6 +2248,7 @@ int main(int argc, char **argv) {
  SSL_CTX_set_options(ssl_ctx, ssl_opts);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+  SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);
  if (SSL_CTX_set_cipher_list(ssl_ctx, config.ciphers.c_str()) == 0) {
    std::cerr << "SSL_CTX_set_cipher_list with " << config.ciphers

--- a/src/nghttp.cc
+++ b/src/nghttp.cc
@@ -2212,6 +2212,7 @@ int communicate(
    SSL_CTX_set_options(ssl_ctx, ssl_opts);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+    SSL_CTX_set_max_version(ssl_ctx, TLS1_3_VERSION);
    if (SSL_CTX_set_cipher_list(ssl_ctx, CIPHER_LIST) == 0) {
      std::cerr << "[ERROR] " << ERR_error_string(ERR_get_error(), nullptr)
                << std::endl;

--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -634,6 +634,8 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
  SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
+  SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION);
  const unsigned char sid_ctx[] = "shrpx";
  SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
  SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
@@ -866,6 +868,8 @@ SSL_CTX *create_ssl_client_context(
  SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);
+  SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION);
  if (SSL_CTX_set_cipher_list(ssl_ctx, tlsconf.client.ciphers.c_str()) == 0) {
    LOG(FATAL) << "SSL_CTX_set_cipher_list " << tlsconf.client.ciphers
               << " failed: " << ERR_error_string(ERR_get_error(), nullptr);

--- a/src/ssl.cc
+++ b/src/ssl.cc
@@ -83,6 +83,8 @@ const char *get_tls_protocol(SSL *ssl) {
    return "SSLv2";
  case SSL3_VERSION:
    return "SSLv3";
+  case TLS1_3_VERSION:
+    return "TLSv1.3";
  case TLS1_2_VERSION:
    return "TLSv1.2";
  case TLS1_1_VERSION:
@@ -140,7 +142,7 @@ bool check_http2_cipher_black_list(SSL *ssl) {
 bool check_http2_tls_version(SSL *ssl) {
  auto tls_ver = SSL_version(ssl);
-  return tls_ver == TLS1_2_VERSION;
+  return tls_ver >= TLS1_2_VERSION;
 }
 bool check_http2_requirement(SSL *ssl) {