Add TLSv1.3 support

Actually, TLSv1.3 will be enabled without this change if xrdp is compiled with OpenSSL or alternatives which support TLSv1.3. This commit makes to enable or disable TLSv1.3 explicitly. Also, this commit adds a log "TLSv1.3 enabled by config, but not supported by system OpenSSL". if xrdp installation doesn't support TLSv1.3. It should be user-friendly.
7 years ago · 74497752dc
parent 98e8cec83d
commit 74497752dc
1 changed files with 15 additions and 0 deletions
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@ -1004,8 +1004,23 @@ ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
 #endif
 #if defined(SSL_OP_NO_TLSv1_2)
    protocols |= SSL_OP_NO_TLSv1_2;
+#endif
+#if defined(SSL_OP_NO_TLSv1_3)
+    protocols |= SSL_OP_NO_TLSv1_3;
 #endif
    bad_protocols = protocols;
+    if (g_pos(str, ",TLSv1.3,") >= 0)
+    {
+#if defined(SSL_OP_NO_TLSv1_3)
+        log_message(LOG_LEVEL_DEBUG, "TLSv1.3 enabled");
+        protocols &= ~SSL_OP_NO_TLSv1_3;
+#else
+        log_message(LOG_LEVEL_WARNING,
+                    "TLSv1.3 enabled by config, "
+                    "but not supported by system OpenSSL");
+        rv |= (1 << 6);
+#endif
+    }
    if (g_pos(str, ",TLSv1.2,") >= 0)
    {
 #if defined(SSL_OP_NO_TLSv1_2)