On the trunk:

mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may need more sugar). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827912 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2018-03-28 11:15:18 +00:00
parent e94ac9326f
commit 2ab41d39d8
6 changed files with 43 additions and 6 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -601,6 +601,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
 #ifdef HAVE_TLSV1_X
                     (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
                     (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
+#if SSL_HAVE_PROTOCOL_TLSV1_3
+                     (protocol & SSL_PROTOCOL_TLSV1_3 ? "TLSv1.3, " : ""),
+#endif
 #endif
                     NULL);
    cp[strlen(cp)-2] = NUL;
@@ -633,6 +636,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
            TLSv1_2_client_method() : /* proxy */
            TLSv1_2_server_method();  /* server */
    }
+#ifdef SSL_OP_NO_TLSv1_3
+    else if (protocol == SSL_PROTOCOL_TLSV1_3) {
+        method = mctx->pkp ?
+            TLSv1_3_client_method() : /* proxy */
+            TLSv1_3_server_method();  /* server */
+    }
+#endif
 #endif
    else { /* For multiple protocols, we need a flexible method */
        method = mctx->pkp ?
@@ -667,11 +677,17 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,

    ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_2,
                                protocol & SSL_PROTOCOL_TLSV1_2, "TLSv1.2");
+#ifdef SSL_OP_NO_TLSv1_3
+    ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3,
+                                protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3");
+#endif
 #endif

 #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
    /* We first determine the maximum protocol version we should provide */
-    if (protocol & SSL_PROTOCOL_TLSV1_2) {
+    if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
+        prot = TLS1_3_VERSION;
+    } else  if (protocol & SSL_PROTOCOL_TLSV1_2) {
        prot = TLS1_2_VERSION;
    } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
        prot = TLS1_1_VERSION;
@@ -692,6 +708,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,

    /* Next we scan for the minimal protocol version we should provide,
     * but we do not allow holes between max and min */
+    if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
+        prot = TLS1_2_VERSION;
+    }
    if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
        prot = TLS1_1_VERSION;
    }