author: Jeremy Evans <code@jeremyevans.net> 2020-12-03 09:12:12 -0800
committer: GitHub <noreply@github.com> 2020-12-03 09:12:12 -0800
commit: a0e98d48c91f2ffd8d3959e56ebe1aa2e45df11e (patch)
tree: 8c30d7228eabaddc6f9bec83526c272fc1b92e85 /ext
parent: 8c6cd23f2a83db1e9f310c8158add459a18b55ad (diff)
Enhance TLS 1.3 support on LibreSSL 3.2/3.3
This defines TLS1_3_VERSION when using LibreSSL 3.2+. LibreSSL 3.2/3.3 doesn't advertise this by default, even though it will use TLS 1.3 in both client and server modes. Changes between LibreSSL 3.1 and 3.2/3.3 broke a few tests. Defining TLS1_3_VERSION by itself fixes 1 test failure. A few tests now fail on LibreSSL 3.2/3.3 unless TLS 1.2 is set as the maximum version, and this adjusts those tests. The client CA test doesn't work in LibreSSL 3.2+, so I've marked that as pending. For the hostname verification, LibreSSL 3.2.2+ has a new stricter hostname verifier that doesn't like subjectAltName such as c*.example.com and d.*.example.com, so adjust the related tests. With these changes, the tests pass on LibreSSL 3.2/3.3.
Diffstat (limited to 'ext')
-rw-r--r-- ext/openssl/ossl_ssl.c 6
1 file changed, 6 insertions, 0 deletions
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 35cf305f..a02f02cb 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -13,6 +13,12 @@
#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
+#if !defined(TLS1_3_VERSION) && \
+ defined(LIBRESSL_VERSION_NUMBER) && \
+ LIBRESSL_VERSION_NUMBER >= 0x3020000fL
+# define TLS1_3_VERSION 0x0304
+#endif
+
#ifdef _WIN32
# define TO_SOCKET(s) _get_osfhandle(s)
#else
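Review bot: The fallback `# define TLS1_3_VERSION 0x0304` has no comment saying why the extension supplies a constant the library headers leave out; the explanation in the commit message (LibreSSL 3.2/3.3 negotiates TLS 1.3 but does not advertise the macro) belongs in a short comment above the `#if`, so the block can be removed once LibreSSL exports the symbol itself. Because the macro is now defined for every LibreSSL at or above `0x3020000fL`, any `#ifdef TLS1_3_VERSION` section later in ossl_ssl.c starts compiling on those builds; it is worth confirming that those sections rely only on the version constant and not on other TLS 1.3 symbols or options that LibreSSL may not provide. Since the commit message also notes that several tests need TLS 1.2 pinned as the maximum version on these releases, a note on how min/max version handling behaves with this define would help callers who set protocol bounds for policy reasons.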