--- postfix-3.3.1/man/man5/postconf.5
+++ postfix-3.3.2/man/man5/postconf.5
@@ -8076,6 +8077,9 @@
 "SSLv3").  The latest patch levels of Postfix >= 2.6, and all
 versions of Postfix >= 2.10 can explicitly disable support for
 "TLSv1.1" or "TLSv1.2".
+.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
 .PP
 At the dane and
 dane\-only security
@@ -8391,6 +8397,9 @@
 and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
 versions of Postfix >= 2.10 can explicitly disable support for
 "TLSv1.1" or "TLSv1.2"
+.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
 .PP
 To include a protocol list its name, to exclude it, prefix the name
 with a "!" character. To exclude SSLv2 for opportunistic TLS set
@@ -11669,6 +11679,9 @@
 versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
 "TLSv1.2".
 .PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
+.PP
 Example:
 .PP
 .nf
@@ -11697,6 +11711,9 @@
 and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
 versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
 "TLSv1.2".
+.PP
+OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+this can be disabled, if need be, via "!TLSv1.3".
 .PP
 To include a protocol list its name, to exclude it, prefix the name
 with a "!" character. To exclude SSLv2 for opportunistic TLS set
--- postfix-3.3.1/proto/postconf.proto
+++ postfix-3.3.2/proto/postconf.proto
@@ -11208,6 +11210,9 @@
 "SSLv3").  The latest patch levels of Postfix ≥ 2.6, and all
 versions of Postfix ≥ 2.10 can explicitly disable support for
 "TLSv1.1" or "TLSv1.2". </p>
+
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+this can be disabled, if need be, via "!TLSv1.3". </p>
 
 <p> At the <a href="TLS_README.html#client_tls_dane">dane</a> and
 <a href="TLS_README.html#client_tls_dane">dane-only</a> security
@@ -11405,6 +11411,9 @@
 disabled.  The latest patch levels of Postfix &ge; 2.6, and all
 versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or
 "TLSv1.2". </p>
+
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+this can be disabled, if need be, via "!TLSv1.3". </p>
 
 <p> Example: </p>
 
@@ -12561,6 +12573,9 @@
 and "TLSv1.2". The latest patch levels of Postfix &ge; 2.6, and all
 versions of Postfix &ge; 2.10 can explicitly disable support for
 "TLSv1.1" or "TLSv1.2"</p>
+
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+this can be disabled, if need be, via "!TLSv1.3". </p>
 
 <p> To include a protocol list its name, to exclude it, prefix the name
 with a "!" character. To exclude SSLv2 for opportunistic TLS set
@@ -12593,6 +12609,9 @@
 and "TLSv1.2". The latest patch levels of Postfix &ge; 2.6, and all
 versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or
 "TLSv1.2". </p>
+
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
+this can be disabled, if need be, via "!TLSv1.3". </p>
 
 <p> To include a protocol list its name, to exclude it, prefix the name
 with a "!" character. To exclude SSLv2 for opportunistic TLS set
--- postfix-3.3.1/src/tls/tls.h
+++ postfix-3.3.2/src/tls/tls.h
@@ -372,10 +415,15 @@
 #define SSL_OP_NO_TLSv1_2	0L	/* Noop */
 #endif
 
-#ifdef SSL_TXT_TLSV1_3
+ /*
+  * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our
+  * own.
+  */
+#define TLS_PROTOCOL_TXT_TLSV1_3	"TLSv1.3"
+
+#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)
 #define TLS_PROTOCOL_TLSv1_3	(1<<5)	/* TLSv1_3 */
 #else
-#define SSL_TXT_TLSV1_3		"TLSv1.3"
 #define TLS_PROTOCOL_TLSv1_3	0	/* Unknown */
 #undef  SSL_OP_NO_TLSv1_3
 #define SSL_OP_NO_TLSv1_3	0L	/* Noop */
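Review bot: The new comment above `TLS_PROTOCOL_TXT_TLSV1_3` explains where the name comes from but not what the `#else` branch means for an operator: when `TLS1_3_VERSION` or `SSL_OP_NO_TLSv1_3` is missing, "TLSv1.3" is still a defined name, yet it carries protocol bit 0 and a no-op `SSL_OP_NO_TLSv1_3`. Judging from these lines, a protocol setting that names TLSv1.3 on such a build is accepted and changes nothing. How the mask code treats an include list that reduces to 0 is not visible here, so it is worth checking that a list holding only "TLSv1.3" cannot end up meaning "no restriction". I would extend the comment with `Without TLS 1.3 support in the library the name is still recognized, but maps to protocol bit 0 and a no-op SSL_OP_NO_TLSv1_3.` The `#if` block closes outside the hunk.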
@@ -383,7 +431,7 @@
 
 #define TLS_KNOWN_PROTOCOLS \
 	( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
-	   | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
+	   | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 )
 #define TLS_SSL_OP_PROTOMASK(m) \
 	    ((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \
 	     | (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \
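Review bot: `TLS_KNOWN_PROTOCOLS` now carries the TLSv1.3 bit, but nothing here ties it to `TLS_SSL_OP_PROTOMASK`, whose body continues past the hunk with only the SSLv2 and SSLv3 arms visible. If a bit is listed as known without a matching arm in that macro, "!TLSv1.3" would parse cleanly and never turn into `SSL_OP_NO_TLSv1_3`. A one-line comment above the two macros would keep them in step, for example `/* Each bit in TLS_KNOWN_PROTOCOLS needs a matching arm in TLS_SSL_OP_PROTOMASK. */`.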
--- postfix-3.3.1/src/tls/tls_misc.c
+++ postfix-3.3.2/src/tls/tls_misc.c
@@ -279,7 +306,7 @@
     SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
     SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
     SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
-    SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
+    TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
     0, TLS_PROTOCOL_INVALID,
 };