Make the TLSv1.3 downgrade mechanism a configurable option
authorMatt Caswell <matt@openssl.org>
Wed, 22 Mar 2017 11:52:45 +0000 (11:52 +0000)
committerMatt Caswell <matt@openssl.org>
Fri, 24 Mar 2017 14:07:11 +0000 (14:07 +0000)
Make it disabled by default. When TLSv1.3 is out of draft we can remove
this option and have it enabled all the time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3022)

Configure
INSTALL

index b7d669c..191fe73 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -407,6 +407,7 @@ my @disablables = (
     "tests",
     "threads",
     "tls",
+    "tls13downgrade",
     "ts",
     "ubsan",
     "ui",
@@ -451,6 +452,7 @@ our %disabled = ( # "what"         => "comment"
                   "ubsan"              => "default",
           #TODO(TLS1.3): Temporarily disabled while this is a WIP
                  "tls1_3"              => "default",
+                 "tls13downgrade"      => "default",
                  "unit-test"           => "default",
                  "weak-ssl-ciphers"    => "default",
                  "zlib"                => "default",
diff --git a/INSTALL b/INSTALL
index d741b9f..59486ef 100644 (file)
--- a/INSTALL
+++ b/INSTALL
                    require additional system-dependent options! See "Note on
                    multi-threading" below.
 
+  enable-tls13downgrade
+                   TODO(TLS1.3): Make this enabled by default and remove the
+                   option when TLSv1.3 is out of draft
+                   TLSv1.3 offers a downgrade protection mechanism. This is
+                   implemented but disabled by default. It should not typically
+                   be enabled except for testing purposes. Otherwise this could
+                   cause problems if a pre-RFC version of OpenSSL talks to an
+                   RFC implementation (it will erroneously be detected as a
+                   downgrade).
+
   no-ts
                    Don't build Time Stamping Authority support.