diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-01-24 20:25:59 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-01-24 20:28:38 +0100 |
| commit | 977933809bc16b2858b7117cb23b810b9f381c13 (patch) | |
| tree | 9856e71e8a26788a55b0e05978bedc25af30c45b | |
| parent | 6f3fe05234d7ac9b541dd5101ccbae82a596ed16 (diff) | |
| download | gnutls-tmp-define-no-extensions.tar.gz | |
priorities: when %NO_EXTENSIONS is specified disable TLS1.3tmp-define-no-extensions
This makes the behavior of this priority string option well-defined
even when TLS1.3 is enabled.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | doc/cha-gtls-app.texi | 2 | ||||
| -rw-r--r-- | lib/priority.c | 2 | ||||
| -rw-r--r-- | tests/no-extensions.c | 11 |
4 files changed, 13 insertions, 6 deletions
@@ -23,6 +23,10 @@ See the end for copying conditions. ** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if the CKA_SIGN is not set (#667). +** libgnutls: The priority string option %NO_EXTENSIONS was improved to completely + disable extensions at all cases, while providing a functional session. This + also implies that when specified, TLS1.3 is disabled. + ** GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous definition was buggy and non-functional. diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 8d5d9b7cfa..9831db2da4 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -1508,7 +1508,7 @@ with %COMPAT. will prevent the sending of any TLS extensions in client side. Note that TLS 1.2 requires extensions to be used, as well as safe renegotiation thus this option must be used with care. When this option -is set with TLS1.3 enabled the session behavior is undefined. +is set no versions later than TLS1.2 can be negotiated. @item %NO_TICKETS @tab will prevent the advertizing of the TLS session ticket extension. diff --git a/lib/priority.c b/lib/priority.c index 2699901d26..c942ec4232 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -1248,7 +1248,7 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) /* if we have NULL ciphersuites, SRP, or RSA-PSK enabled remove TLS1.3+ * protocol versions; they cannot be negotiated under TLS1.3. */ - if (have_null || have_srp || have_rsa_psk) { + if (have_null || have_srp || have_rsa_psk || priority_cache->no_extensions) { for (i = j = 0; i < priority_cache->protocol.num_priorities; i++) { vers = version_to_entry(priority_cache->protocol.priorities[i]); if (!vers || !vers->tls13_sem) diff --git a/tests/no-extensions.c b/tests/no-extensions.c index 9ea03446ed..dd75477f09 100644 --- a/tests/no-extensions.c +++ b/tests/no-extensions.c @@ -104,7 +104,7 @@ static int client_handshake_callback(gnutls_session_t session, unsigned int htyp } static -void start(const char *prio) +void start(const char *prio, gnutls_protocol_t exp_version) { int ret; /* Server stuff. */ @@ -184,6 +184,8 @@ void start(const char *prio) } } + assert(gnutls_protocol_get_version(server) == exp_version); + assert(gnutls_certificate_type_get(server)==GNUTLS_CRT_X509); assert(gnutls_certificate_type_get(client)==GNUTLS_CRT_X509); @@ -203,7 +205,8 @@ void start(const char *prio) void doit(void) { - start("NORMAL:-VERS-ALL:+VERS-TLS1.0:%NO_EXTENSIONS"); - start("NORMAL:-VERS-ALL:+VERS-TLS1.1:%NO_EXTENSIONS"); - start("NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_EXTENSIONS"); + start("NORMAL:-VERS-ALL:+VERS-TLS1.0:%NO_EXTENSIONS", GNUTLS_TLS1_0); + start("NORMAL:-VERS-ALL:+VERS-TLS1.1:%NO_EXTENSIONS", GNUTLS_TLS1_1); + start("NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_EXTENSIONS", GNUTLS_TLS1_2); + start("NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%NO_EXTENSIONS", GNUTLS_TLS1_2); } |