Make the TLSv1.3 downgrade mechanism a configurable option

Make it disabled by default. When TLSv1.3 is out of draft we can remove this option and have it enabled all the time. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3022)
2025-01-18 13:44:20 +08:00 · 2017-03-22 11:52:45 +00:00 · 2017-03-22 11:52:45 +00:00 · 3556b83ea2
commit 3556b83ea2
parent c3043dcd55
2 changed files with 12 additions and 0 deletions
--- a/2
+++ b/2
@ -407,6 +407,7 @@ my @disablables = (
    "tests",
    "threads",
    "tls",
+    "tls13downgrade",
    "ts",
    "ubsan",
    "ui",
@ -451,6 +452,7 @@ our %disabled = ( # "what"         => "comment"
                  "ubsan"		=> "default",
          #TODO(TLS1.3): Temporarily disabled while this is a WIP
 		  "tls1_3"              => "default",
+		  "tls13downgrade"      => "default",
 		  "unit-test"           => "default",
 		  "weak-ssl-ciphers"    => "default",
 		  "zlib"                => "default",
--- a/10
+++ b/10
@ -427,6 +427,16 @@
                   require additional system-dependent options! See "Note on
                   multi-threading" below.

+  enable-tls13downgrade
+                   TODO(TLS1.3): Make this enabled by default and remove the
+                   option when TLSv1.3 is out of draft
+                   TLSv1.3 offers a downgrade protection mechanism. This is
+                   implemented but disabled by default. It should not typically
+                   be enabled except for testing purposes. Otherwise this could
+                   cause problems if a pre-RFC version of OpenSSL talks to an
+                   RFC implementation (it will erroneously be detected as a
+                   downgrade).
+
  no-ts
                   Don't build Time Stamping Authority support.