drop some no-longer-relevant TODO(TLS1.3) entries
authorBenjamin Kaduk <bkaduk@akamai.com>
Thu, 23 Mar 2017 16:00:08 +0000 (11:00 -0500)
committerMatt Caswell <matt@openssl.org>
Mon, 12 Jun 2017 08:19:05 +0000 (09:19 +0100)
We prevent compression both when the server is parsing the ClientHello
and when the client is constructing the ClientHello.  A 1.3 ServerHello
has no way to hand us back a compression method, and we already check
that the server does not try to give us back a compression method that
we did not request, so these checks seem sufficient.

Weaken the INSTALL note slightly, as we do now expect to interoperate
with other implementations.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3131)

INSTALL
ssl/record/rec_layer_s3.c

diff --git a/INSTALL b/INSTALL
index 8ae0644..3deb7ff 100644 (file)
--- a/INSTALL
+++ b/INSTALL
   enable-tls1_3
                    TODO(TLS1.3): Make this enabled by default
                    Build support for TLS1.3. Note: This is a WIP feature and
-                   does not currently interoperate with other TLS1.3
-                   implementations! Use with caution!!
+                   only a single draft version is supported.  Implementations
+                   of different draft versions will negotiate TLS 1.2 instead
+                   of (draft) TLS 1.3.  Use with caution!!
 
   no-<prot>
                    Don't build support for negotiating the specified SSL/TLS
index 0c40905..68c427e 100644 (file)
@@ -841,9 +841,6 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 
         /* first we compress */
         if (s->compress != NULL) {
-            /*
-             * TODO(TLS1.3): Make sure we prevent compression!!!
-             */
             if (!ssl3_do_compress(s, thiswr)
                     || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) {
                 SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_COMPRESSION_FAILURE);