|
 |
62af7d |
From 2bbdfd76dab187ab29e22bed18d737f94343e629 Mon Sep 17 00:00:00 2001
|
|
|
62af7d |
From: Tomas Hozza <thozza@redhat.com>
|
|
|
62af7d |
Date: Tue, 4 Sep 2018 11:22:14 +0200
|
|
|
62af7d |
Subject: [PATCH] Add TLS 1.3 support for GnuTLS
|
|
|
62af7d |
|
|
|
62af7d |
* doc/wget.texi: Add "TLSv1_3" to --secure-protocol
|
|
|
62af7d |
* src/gnutls.c (set_prio_default): Use GNUTLS_TLS1_3 where needed
|
|
|
62af7d |
|
|
|
62af7d |
Wget currently allows specifying "TLSv1_3" as the parameter for
|
|
|
62af7d |
--secure-protocol option. However it is only implemented for OpenSSL
|
|
|
62af7d |
and in case wget is compiled with GnuTLS, it causes wget to abort with:
|
|
|
62af7d |
GnuTLS: unimplemented 'secure-protocol' option value 6
|
|
|
62af7d |
|
|
|
62af7d |
GnuTLS contains TLS 1.3 implementation since version 3.6.3 [1]. However
|
|
|
62af7d |
currently it must be enabled explicitly in the application of it to be
|
|
|
62af7d |
used. This will change after the draft is finalized. [2] However for
|
|
|
62af7d |
the time being, I enabled it explicitly in case "TLSv1_3" is used with
|
|
|
62af7d |
--secure-protocol.
|
|
|
62af7d |
|
|
|
62af7d |
I also fixed man page to contain "TLSv1_3" in all listings of available
|
|
|
62af7d |
parameters for --secure-protocol
|
|
|
62af7d |
|
|
|
62af7d |
[1] https://lists.gnupg.org/pipermail/gnutls-devel/2018-July/008584.html
|
|
|
62af7d |
[2] https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html
|
|
|
62af7d |
|
|
|
62af7d |
Signed-off-by: Tomas Hozza <thozza@redhat.com>
|
|
|
62af7d |
---
|
|
|
62af7d |
doc/wget.texi | 6 +++---
|
|
|
62af7d |
src/gnutls.c | 28 ++++++++++++++++++++++++++++
|
|
|
62af7d |
2 files changed, 31 insertions(+), 3 deletions(-)
|
|
|
62af7d |
|
|
|
62af7d |
diff --git a/doc/wget.texi b/doc/wget.texi
|
|
|
62af7d |
index 38b4a245..7ae19d8e 100644
|
|
|
62af7d |
--- a/doc/wget.texi
|
|
|
62af7d |
+++ b/doc/wget.texi
|
|
|
62af7d |
@@ -1780,9 +1780,9 @@ If Wget is compiled without SSL support, none of these options are available.
|
|
|
62af7d |
@cindex SSL protocol, choose
|
|
|
62af7d |
@item --secure-protocol=@var{protocol}
|
|
|
62af7d |
Choose the secure protocol to be used. Legal values are @samp{auto},
|
|
|
62af7d |
-@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1}, @samp{TLSv1_2}
|
|
|
62af7d |
-and @samp{PFS}. If @samp{auto} is used, the SSL library is given the
|
|
|
62af7d |
-liberty of choosing the appropriate protocol automatically, which is
|
|
|
62af7d |
+@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1}, @samp{TLSv1_2},
|
|
|
62af7d |
+@samp{TLSv1_3} and @samp{PFS}. If @samp{auto} is used, the SSL library is
|
|
|
62af7d |
+given the liberty of choosing the appropriate protocol automatically, which is
|
|
|
62af7d |
achieved by sending a TLSv1 greeting. This is the default.
|
|
|
62af7d |
|
|
|
62af7d |
Specifying @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1},
|
|
|
62af7d |
diff --git a/src/gnutls.c b/src/gnutls.c
|
|
|
62af7d |
index 07844c52..206d0b09 100644
|
|
|
62af7d |
--- a/src/gnutls.c
|
|
|
62af7d |
+++ b/src/gnutls.c
|
|
|
62af7d |
@@ -565,6 +565,15 @@ set_prio_default (gnutls_session_t session)
|
|
|
62af7d |
err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1", NULL);
|
|
|
62af7d |
break;
|
|
|
62af7d |
|
|
|
62af7d |
+ case secure_protocol_tlsv1_3:
|
|
|
62af7d |
+#if GNUTLS_VERSION_NUMBER >= 0x030603
|
|
|
62af7d |
+ err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0:+VERS-TLS1.3:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2", NULL);
|
|
|
62af7d |
+ break;
|
|
|
62af7d |
+#else
|
|
|
62af7d |
+ logprintf (LOG_NOTQUIET, _("Your GnuTLS version is too old to support TLS 1.3\n"));
|
|
|
62af7d |
+ return -1;
|
|
|
62af7d |
+#endif
|
|
|
62af7d |
+
|
|
|
62af7d |
case secure_protocol_pfs:
|
|
|
62af7d |
err = gnutls_priority_set_direct (session, "PFS:-VERS-SSL3.0", NULL);
|
|
|
62af7d |
if (err != GNUTLS_E_SUCCESS)
|
|
|
62af7d |
@@ -596,19 +605,38 @@ set_prio_default (gnutls_session_t session)
|
|
|
62af7d |
allowed_protocols[0] = GNUTLS_TLS1_0;
|
|
|
62af7d |
allowed_protocols[1] = GNUTLS_TLS1_1;
|
|
|
62af7d |
allowed_protocols[2] = GNUTLS_TLS1_2;
|
|
|
62af7d |
+#if GNUTLS_VERSION_NUMBER >= 0x030603
|
|
|
62af7d |
+ allowed_protocols[3] = GNUTLS_TLS1_3;
|
|
|
62af7d |
+#endif
|
|
|
62af7d |
err = gnutls_protocol_set_priority (session, allowed_protocols);
|
|
|
62af7d |
break;
|
|
|
62af7d |
|
|
|
62af7d |
case secure_protocol_tlsv1_1:
|
|
|
62af7d |
allowed_protocols[0] = GNUTLS_TLS1_1;
|
|
|
62af7d |
allowed_protocols[1] = GNUTLS_TLS1_2;
|
|
|
62af7d |
+#if GNUTLS_VERSION_NUMBER >= 0x030603
|
|
|
62af7d |
+ allowed_protocols[2] = GNUTLS_TLS1_3;
|
|
|
62af7d |
+#endif
|
|
|
62af7d |
err = gnutls_protocol_set_priority (session, allowed_protocols);
|
|
|
62af7d |
break;
|
|
|
62af7d |
|
|
|
62af7d |
case secure_protocol_tlsv1_2:
|
|
|
62af7d |
allowed_protocols[0] = GNUTLS_TLS1_2;
|
|
|
62af7d |
+#if GNUTLS_VERSION_NUMBER >= 0x030603
|
|
|
62af7d |
+ allowed_protocols[1] = GNUTLS_TLS1_3;
|
|
|
62af7d |
+#endif
|
|
|
62af7d |
+ err = gnutls_protocol_set_priority (session, allowed_protocols);
|
|
|
62af7d |
+ break;
|
|
|
62af7d |
+
|
|
|
62af7d |
+ case secure_protocol_tlsv1_3:
|
|
|
62af7d |
+#if GNUTLS_VERSION_NUMBER >= 0x030603
|
|
|
62af7d |
+ allowed_protocols[0] = GNUTLS_TLS1_3;
|
|
|
62af7d |
err = gnutls_protocol_set_priority (session, allowed_protocols);
|
|
|
62af7d |
break;
|
|
|
62af7d |
+#else
|
|
|
62af7d |
+ logprintf (LOG_NOTQUIET, _("Your GnuTLS version is too old to support TLS 1.3\n"));
|
|
|
62af7d |
+ return -1;
|
|
|
62af7d |
+#endif
|
|
|
62af7d |
|
|
|
62af7d |
default:
|
|
|
62af7d |
logprintf (LOG_NOTQUIET, _("GnuTLS: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol);
|
|
|
62af7d |
--
|
|
|
62af7d |
2.17.1
|
|
|
62af7d |
|