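diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 866ca4dfa9..4654becf1d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -31,7 +31,25 @@ const unsigned char tls12downgrade[] = {
 };
 
 /* The list of available TLSv1.3 ciphers */
+/* Since nginx can not set the TLS 1.3 cipher, remove it temporarily. */
 static SSL_CIPHER tls13_ciphers[] = {
+ {
+ 0,
+ }
+};
+
+/*
+ * The list of available ciphers, mostly organized into the following
+ * groups:
+ * Always there
+ * EC
+ * PSK
+ * SRP (within that: RSA EC PSK)
+ * Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
+ * Weak ciphers
+ */
+static SSL_CIPHER ssl3_ciphers[] = {
+ /* TLSv1.3 ciphers */
 {
 1,
 TLS1_3_RFC_AES_128_GCM_SHA256,
@@ -111,20 +129,8 @@ static SSL_CIPHER tls13_ciphers[] = {
 SSL_HANDSHAKE_MAC_SHA256,
 128,
 128,
- }
-};
-
-/*
- * The list of available ciphers, mostly organized into the following
- * groups:
- * Always there
- * EC
- * PSK
- * SRP (within that: RSA EC PSK)
- * Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
- * Weak ciphers
- */
-static SSL_CIPHER ssl3_ciphers[] = {
+ },
+ /* List of cipher below TLSv1.3 */
 {
 1,
 SSL3_TXT_RSA_NULL_MD5,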
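Review bot: `tls13_ciphers[]` is left holding a single all-zero placeholder element (`{ 0, }`) rather than being emptied, presumably because C does not permit a zero-length array, and the comment above it does not say so. Any code that walks this array by its element count will now meet an entry whose `valid` flag is 0, whose id is 0 and whose name pointers are NULL, so every such walk must tolerate that; the lookup and sort helpers that use this array are outside the hunk, so I cannot confirm from the diff that they do. The note should be explicit, e.g. `/* Placeholder only: the TLSv1.3 suites now live in ssl3_ciphers; this entry is never valid and must be skipped by every walk of the array. */`, and the now-stale line `/* The list of available TLSv1.3 ciphers */` should be replaced by it rather than kept above the nginx remark. Moving the TLSv1.3 suites into `ssl3_ciphers` also makes them subject to the legacy cipher-string rules, which is a deliberate behaviour change worth recording here instead of the word "temporarily". The second hunk cuts through the middle of the `ssl3_ciphers` initializer, whose end is outside the diff.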
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
|
index 14066d0ea4..458b67f383 100644
|
|
--- a/ssl/ssl_ciph.c
|
|
+++ b/ssl/ssl_ciph.c
|
|
@@ -294,6 +294,7 @@ static const SSL_CIPHER cipher_aliases[] = {
|
|
{0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
|
|
{0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
|
|
{0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION},
|
|
+ {0, "TLS13", NULL, 0, 0, 0, 0, 0, TLS1_3_VERSION},
|
|
|
|
/* strength classes */
|
|
{0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW},
|
|
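Review bot: The new alias name `"TLS13"` does not follow the form of the neighbouring version aliases (`SSL_TXT_TLSV1_2`, `"TLSv1.0"`), and it is a bare literal where the others use an `SSL_TXT_*` constant. Since cipher strings are administrator-facing configuration, `{0, "TLSv1.3", NULL, 0, 0, 0, 0, 0, TLS1_3_VERSION},` (or an `SSL_TXT_TLSV1_3` defined alongside the existing constants, which would be a header change outside this diff) would be less surprising, and the alias should be documented wherever the other version aliases are. The positional initializer relies on `min_tls` being the ninth field exactly as the surrounding entries do, so that part is consistent; `cipher_aliases[]` continues beyond this hunk.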
@@ -1538,6 +1539,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
|
ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
|
|
CIPHER_BUMP, -1, &head, &tail);
|
|
|
|
+ ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_3_VERSION, 0, CIPHER_BUMP, -1,
|
|
+ &head, &tail);
|
|
+
|
|
/* Now disable everything (maintaining the ordering!) */
|
|
ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
|
|
|
|
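Review bot: The added `ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_3_VERSION, 0, CIPHER_BUMP, -1, &head, &tail)` only moves TLSv1.3 suites to the front of the ordered list; it does not keep them in it, and the `CIPHER_DEL` rule on the next line then disables everything before the user's cipher string is applied. If the following hunk indeed drops the unconditional `tls13_ciphersuites` push (it starts inside this diff but I cannot see its effect in full), a deployment whose legacy cipher string omits the TLSv1.3 suite names will lose TLSv1.3 without any error; whether the handshake then negotiates TLSv1.2 or fails depends on version-negotiation code not in this diff. That trade-off should be stated where it is made, e.g. `/* TLSv1.3 suites are ordinary list members here: bump them first, but a cipher string that excludes them disables TLSv1.3. */`. The `tls13_ciphersuites` parameter of this function is then probably unused and should be documented as such or removed from the signature; `ssl_create_cipher_list` begins before this hunk and ends after it.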
@@ -1594,15 +1598,6 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
|
return NULL;
|
|
}
|
|
|
|
- /* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
|
- for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
|
- if (!sk_SSL_CIPHER_push(cipherstack,
|
|
- sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
|
|
- sk_SSL_CIPHER_free(cipherstack);
|
|
- return NULL;
|
|
- }
|
|
- }
|
|
-
|
|
/*
|
|
* The cipher selection for the list is done. The ciphers are added
|
|
* to the resulting precedence to the STACK_OF(SSL_CIPHER).
|