Enable TLS 1.3 #235
Enable TLS 1.3 #235
Conversation
src/imp/openssl.rs
Outdated
| @@ -54,7 +55,8 @@ fn supported_protocols( | |||
| | SslOptions::NO_SSLV3 | |||
| | SslOptions::NO_TLSV1 | |||
| | SslOptions::NO_TLSV1_1 | |||
| | SslOptions::NO_TLSV1_2; | |||
| | SslOptions::NO_TLSV1_2 | |||
| | SslOptions::NO_TLSV1_3; | |||
There was a problem hiding this comment.
OpenSSL versions too old for set_min_proto_version won't have TLSV1_3 support afaik.
There was a problem hiding this comment.
I'm not sure what you mean. The OpenSSL versions that don't have min protocol config are very old and no longer supported I think (< v1.1.0), while TLS1.3 was introduced at OpenSSL v1.1.1, also pretty old by now.
There was a problem hiding this comment.
This code is only used for old versions of OpenSSL that won't have a NO_TLSV1_3 symbol.
There was a problem hiding this comment.
I see. Didn't notice this is inside a #[cfg()] block.
|
What about Security.framework? |
|
Bumping the Rust version used in the CI builds should unbreak those. |
| @@ -32,6 +32,7 @@ fn supported_protocols( | |||
| Protocol::Tlsv10 => SslVersion::TLS1, | |||
| Protocol::Tlsv11 => SslVersion::TLS1_1, | |||
| Protocol::Tlsv12 => SslVersion::TLS1_2, | |||
| Protocol::Tlsv13 => SslVersion::TLS1_3, | |||
There was a problem hiding this comment.
I believe this will break compilation against OpenSSL 1.1.0, which has set_min_proto_version but does not have TLS 1.3 support. You'll need to add some extra version logic in the build script and here.
There was a problem hiding this comment.
What about a feature flag? Feels like this could get merged quicker by letting the users decide
|
Any update on this? |
|
Is this blocked on putting it behind a feature flag, to maintain compatibility with OpenSSL 1.1.0, or is something else keeping it stuck? |
Retry of #159