Commit 3556b83e authored by Matt Caswell

Make the TLSv1.3 downgrade mechanism a configurable option



Make it disabled by default. When TLSv1.3 is out of draft we can remove
this option and have it enabled all the time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3022)
parent c3043dcd
+2 −0
@@ -407,6 +407,7 @@ my @disablables = (
    "tests",
    "threads",
    "tls",
    "tls13downgrade",
    "ts",
    "ubsan",
    "ui",
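Review bot: the new name "tls13downgrade" in @disablables spells the protocol version differently from the existing "tls1_3" option, so users end up with enable-tls1_3 next to enable-tls13downgrade. Consider a name that follows the existing spelling, or call out the difference in the option's documentation, since the two are easy to mistype against each other.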
@@ -451,6 +452,7 @@ our %disabled = ( # "what" => "comment"
                  "ubsan"		=> "default",
          #TODO(TLS1.3): Temporarily disabled while this is a WIP
		  "tls1_3"              => "default",
		  "tls13downgrade"      => "default",
		  "unit-test"           => "default",
		  "weak-ssl-ciphers"    => "default",
		  "zlib"                => "default",
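Review bot: in %disabled, the new "tls13downgrade" entry sits under the existing "#TODO(TLS1.3): Temporarily disabled while this is a WIP" comment, which was written for "tls1_3" and does not say when this entry should go away. Give it its own TODO(TLS1.3) comment stating that it becomes enabled by default once TLSv1.3 is out of draft, as the commit message says. It is also worth stating what enable-tls13downgrade means while "tls1_3" is itself disabled by default: the two are listed independently here, and nothing in this hunk ties one to the other.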
+10 −0
@@ -427,6 +427,16 @@
                   require additional system-dependent options! See "Note on
                   multi-threading" below.

  enable-tls13downgrade
                   TODO(TLS1.3): Make this enabled by default and remove the
                   option when TLSv1.3 is out of draft
                   TLSv1.3 offers a downgrade protection mechanism. This is
                   implemented but disabled by default. It should not typically
                   be enabled except for testing purposes. Otherwise this could
                   cause problems if a pre-RFC version of OpenSSL talks to an
                   RFC implementation (it will erroneously be detected as a
                   downgrade).

  no-ts
                   Don't build Time Stamping Authority support.
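Review bot: the enable-tls13downgrade entry opens with a developer TODO before the user-facing description, and it explains the interoperability risk of enabling the option without stating the cost of the default. Move the TODO below the description (or keep it only in Configure), and add a sentence saying that a default build performs no downgrade detection, so anyone reading INSTALL knows the protection is absent unless they opt in. The sentence beginning "Otherwise this could cause problems" would read more clearly as "Enabling it can cause problems if a pre-RFC version of OpenSSL talks to an RFC implementation".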