Make the TLSv1.3 downgrade mechanism a configurable option

Make it disabled by default. When TLSv1.3 is out of draft we can remove
this option and have it enabled all the time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3022)
Matt Caswell 2017-03-22 11:52:45 +00:00
parent c3043dcd55
commit 3556b83ea2
2 changed files with 12 additions and 0 deletions


@ -407,6 +407,7 @@ my @disablables = (
"tests", "tests",
"threads", "threads",
"tls", "tls",
"tls13downgrade",
"ts", "ts",
"ubsan", "ubsan",
"ui", "ui",
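Review bot: adding "tls13downgrade" to @disablables makes Configure accept enable-tls13downgrade / no-tls13downgrade, but neither of the two changed files contains the code that consumes the resulting OPENSSL_NO_TLS13DOWNGRADE define; confirm the downgrade sentinel check in the TLS state machine is already wrapped in that guard, otherwise the option will be accepted but have no effect and the "disabled by default" claim in the commit message will not hold.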
@ -451,6 +452,7 @@ our %disabled = ( # "what" => "comment"
"ubsan" => "default", "ubsan" => "default",
#TODO(TLS1.3): Temporarily disabled while this is a WIP #TODO(TLS1.3): Temporarily disabled while this is a WIP
"tls1_3" => "default", "tls1_3" => "default",
"tls13downgrade" => "default",
"unit-test" => "default", "unit-test" => "default",
"weak-ssl-ciphers" => "default", "weak-ssl-ciphers" => "default",
"zlib" => "default", "zlib" => "default",
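Review bot: the new `"tls13downgrade" => "default",` entry lacks the `#TODO(TLS1.3):` comment that the neighbouring `"tls1_3"` entry carries, even though the commit message says this option is temporary; add a matching `#TODO(TLS1.3): Remove this option when TLSv1.3 is out of draft` line above it so the cleanup is discoverable from Configure itself rather than only from INSTALL.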

INSTALL

@ -427,6 +427,16 @@
require additional system-dependent options! See "Note on require additional system-dependent options! See "Note on
multi-threading" below. multi-threading" below.
enable-tls13downgrade
TODO(TLS1.3): Make this enabled by default and remove the
option when TLSv1.3 is out of draft
TLSv1.3 offers a downgrade protection mechanism. This is
implemented but disabled by default. It should not typically
be enabled except for testing purposes. Otherwise this could
cause problems if a pre-RFC version of OpenSSL talks to an
RFC implementation (it will erroneously be detected as a
downgrade).
no-ts no-ts
Don't build Time Stamping Authority support. Don't build Time Stamping Authority support.
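Review bot: the two `TODO(TLS1.3): Make this enabled by default ...` lines are a developer note placed in user-facing INSTALL text; move them to a comment next to the Configure entry and keep INSTALL to the description of the option. The description would also be clearer if it stated the trade-off explicitly: with the option off (the default), a pre-RFC build performs no TLSv1.3 downgrade detection at all, so the protection only exists between peers that both enable it and are built from the same draft, and enabling it against an RFC implementation yields the false downgrade detection described.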