summaryrefslogtreecommitdiff
path: root/ext/openssl
diff options
context:
space:
mode:
authorJeremy Evans <code@jeremyevans.net>2020-12-03 09:12:12 -0800
committerKazuki Yamaguchi <k@rhe.jp>2021-03-16 19:37:06 +0900
commite2ce3830447b95fbb7d9b8dff80b8c1716688da0 (patch)
treed7873e50522a7ae01c3510d73e6b33fda0d00175 /ext/openssl
parent4756ac00b7c016dfd85b69720486141a7c78d661 (diff)
[ruby/openssl] Enhance TLS 1.3 support on LibreSSL 3.2/3.3
This defines TLS1_3_VERSION when using LibreSSL 3.2+. LibreSSL 3.2/3.3 doesn't advertise this by default, even though it will use TLS 1.3 in both client and server modes. Changes between LibreSSL 3.1 and 3.2/3.3 broke a few tests, Defining TLS1_3_VERSION by itself fixes 1 test failure. A few tests now fail on LibreSSL 3.2/3.3 unless TLS 1.2 is set as the maximum version, and this adjusts those tests. The client CA test doesn't work in LibreSSL 3.2+, so I've marked that as pending. For the hostname verification, LibreSSL 3.2.2+ has a new stricter hostname verifier that doesn't like subjectAltName such as c*.example.com and d.*.example.com, so adjust the related tests. With these changes, the tests pass on LibreSSL 3.2/3.3. https://github.com/ruby/openssl/commit/a0e98d48c9
Notes
Notes: Merged: https://github.com/ruby/ruby/pull/4275
Diffstat (limited to 'ext/openssl')
-rw-r--r--ext/openssl/ossl_ssl.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index dfe0944a3e..c38142bfcc 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -13,6 +13,12 @@
#define numberof(ary) (int)(sizeof(ary)/sizeof((ary)[0]))
+#if !defined(TLS1_3_VERSION) && \
+ defined(LIBRESSL_VERSION_NUMBER) && \
+ LIBRESSL_VERSION_NUMBER >= 0x3020000fL
+# define TLS1_3_VERSION 0x0304
+#endif
+
#ifdef _WIN32
# define TO_SOCKET(s) _get_osfhandle(s)
#else