EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled

This may be needed to avoid interoperability issues with the new protocol version and significant changes for EAP use cases in both key derivation and handshake termination. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 21:52:45 +03:00 · 2018-05-01 21:52:45 +03:00 · bbbc7e8016
commit bbbc7e8016
parent 0d34c13a72
5 changed files with 15 additions and 0 deletions
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@ -101,6 +101,7 @@ struct tls_config {
 #define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
 #define TLS_CONN_SUITEB BIT(11)
 #define TLS_CONN_SUITEB_NO_ECDH BIT(12)
+#define TLS_CONN_DISABLE_TLSv1_3 BIT(13)

 /**
 * struct tls_connection_params - Parameters for TLS connection
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@ -2470,6 +2470,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 	else
 		SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
 #endif /* SSL_OP_NO_TLSv1_2 */
+#ifdef SSL_OP_NO_TLSv1_3
+	if (flags & TLS_CONN_DISABLE_TLSv1_3)
+		SSL_set_options(ssl, SSL_OP_NO_TLSv1_3);
+	else
+		SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3);
+#endif /* SSL_OP_NO_TLSv1_3 */
 #ifdef CONFIG_SUITEB
 #ifdef OPENSSL_IS_BORINGSSL
 	/* Start with defaults from BoringSSL */