Merge pull request #1193 from metalefty/TLSv1.3

TLSv1.3
2018-09-14 16:18:33 +09:00 · 2018-09-14 16:18:33 +09:00 · 80d349cbd6
parent 98e8cec83d 171f8e79ed
commit 80d349cbd6
3 changed files with 18 additions and 3 deletions
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@ -1004,8 +1004,23 @@ ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
 #endif
 #if defined(SSL_OP_NO_TLSv1_2)
    protocols |= SSL_OP_NO_TLSv1_2;
+#endif
+#if defined(SSL_OP_NO_TLSv1_3)
+    protocols |= SSL_OP_NO_TLSv1_3;
 #endif
    bad_protocols = protocols;
+    if (g_pos(str, ",TLSv1.3,") >= 0)
+    {
+#if defined(SSL_OP_NO_TLSv1_3)
+        log_message(LOG_LEVEL_DEBUG, "TLSv1.3 enabled");
+        protocols &= ~SSL_OP_NO_TLSv1_3;
+#else
+        log_message(LOG_LEVEL_WARNING,
+                    "TLSv1.3 enabled by config, "
+                    "but not supported by system OpenSSL");
+        rv |= (1 << 6);
+#endif
+    }
    if (g_pos(str, ",TLSv1.2,") >= 0)
    {
 #if defined(SSL_OP_NO_TLSv1_2)
--- a/docs/man/xrdp.ini.5.in
+++ b/docs/man/xrdp.ini.5.in
@ -144,7 +144,7 @@ Negotiate these security methods with clients.
 .RE

 .TP
-\fBssl_protocols\fP=\fI[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]\fP
+\fBssl_protocols\fP=\fI[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]\fP
 Enables the specified SSL/TLS protocols. Each value should be separated by comma.
 SSLv2 is always disabled. At least one protocol should be given to accept TLS connections.
 This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP.
--- a/xrdp/xrdp.ini.in
+++ b/xrdp/xrdp.ini.in
@ -28,8 +28,8 @@ crypt_level=high
 certificate=
 key_file=
 ; set SSL protocols
-; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
-ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
+; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
+ssl_protocols=TLSv1.2, TLSv1.3
 ; set TLS cipher suites
 #tls_ciphers=HIGH