enable TLS 1.3 post-handshake auth in OpenSSL
Bug: https://github.com/curl/curl/pull/3027
This commit is contained in:
parent
2346b66a23
commit
9be316eea1
46
0003-curl-7.61.1-TLS-1.3-PHA.patch
Normal file
46
0003-curl-7.61.1-TLS-1.3-PHA.patch
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
From bb8ad3da3fb4ab3f6556daa1f67b259c12a3c7de Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Heimes <christian@python.org>
|
||||||
|
Date: Fri, 21 Sep 2018 10:37:43 +0200
|
||||||
|
Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth
|
||||||
|
|
||||||
|
OpenSSL 1.1.1 requires clients to opt-in for post-handshake
|
||||||
|
authentication.
|
||||||
|
|
||||||
|
Fixes: https://github.com/curl/curl/issues/3026
|
||||||
|
Signed-off-by: Christian Heimes <christian@python.org>
|
||||||
|
|
||||||
|
Closes https://github.com/curl/curl/pull/3027
|
||||||
|
|
||||||
|
Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vtls/openssl.c | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index a487f55..78970d1 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -178,6 +178,7 @@ static unsigned long OpenSSL_version_num(void)
|
||||||
|
!defined(LIBRESSL_VERSION_NUMBER) && \
|
||||||
|
!defined(OPENSSL_IS_BORINGSSL))
|
||||||
|
#define HAVE_SSL_CTX_SET_CIPHERSUITES
|
||||||
|
+#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
|
||||||
|
+ /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
|
||||||
|
+ SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
if(ssl_authtype == CURL_TLSAUTH_SRP) {
|
||||||
|
char * const ssl_username = SSL_SET_OPTION(username);
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
@ -11,6 +11,9 @@ Patch1: 0001-curl-7.61.1-test320-gnutls.patch
|
|||||||
# update the documentation of --tlsv1.0 in curl(1) man page
|
# update the documentation of --tlsv1.0 in curl(1) man page
|
||||||
Patch2: 0002-curl-7.61.1-tlsv1.0-man.patch
|
Patch2: 0002-curl-7.61.1-tlsv1.0-man.patch
|
||||||
|
|
||||||
|
# enable TLS 1.3 post-handshake auth in OpenSSL
|
||||||
|
Patch3: 0003-curl-7.61.1-TLS-1.3-PHA.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -171,6 +174,7 @@ be installed.
|
|||||||
# upstream patches
|
# upstream patches
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -338,6 +342,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Oct 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-3
|
* Thu Oct 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-3
|
||||||
|
- enable TLS 1.3 post-handshake auth in OpenSSL
|
||||||
- update the documentation of --tlsv1.0 in curl(1) man page
|
- update the documentation of --tlsv1.0 in curl(1) man page
|
||||||
|
|
||||||
* Thu Oct 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-2
|
* Thu Oct 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-2
|
||||||
|
Loading…
Reference in New Issue
Block a user