[gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Mon Jan 6 16:27:26 CET 2020
Dimitri John Ledkov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1157
Branches: xnox/gnutls:supported-version to gnutls/gnutls:master
Author: Dimitri John Ledkov
Add a new configure-time option which will mark TLS versions prior to v1.2.
This will still compile in TLS1.0/1.1 and DTLS0.9/1.0 support; however, they will have supported=0. Meaning that, even though a version is selected by the priority string (e.g. NORMAL or +VERS-TLS1.0), it would not be usable unless supported-version = tls1.0 is also specified in the config file.
Note this is a "soft" enable: if the priority string did not elect TLS1.0, supported-version = tls1.0 will not enable it (i.e. the priority string -VERS-TLS-ALL:+VERS-TLS1.3 will not gain tls1.0 just because supported-version=tls1.0 is declared).
Similarly, disabled-version continues to blacklist the algorithm, and supported-version will not enable it.
The overall goal is to bring GnuTLS on par with OpenSSL in Debian/Ubuntu, where TLS1.0/1.1 are disabled by default, yet the user/admin can enable them back on with a configuration file. Unlike Debian, however, Ubuntu would like to achieve this as a compiled-in default without any configuration files. Meaning a config file should only need to be created to turn tls1.0/1.1 back on, but by default the library without config files does not use tls1.0/1.1.
This is a bit of a work in progress. I believe the pipelines should pass with or without this new configure-time option, but I'm not yet fully happy with the functionality & negative test coverage. I will add more tests, but the feature code is otherwise ready for review and comments, as it appears to behave the way I described above.
## Checklist
* [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
* [ ] Code modified for feature
* [ ] Test suite updated with functionality tests
* [ ] Test suite updated with negative tests
* [ ] Documentation updated / NEWS entry present (for non-trivial changes)
* [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)
## Reviewer's checklist:
* [ ] Any issues marked for closing are addressed
* [ ] There is a test suite reasonably covering new functionality or modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
* [ ] This feature/change has adequate documentation added
* [ ] No obvious mistakes in the code
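To make the precedence rules in the description concrete (priority string elects a version, supported-version only soft-enables a compiled-but-unsupported one, disabled-version always wins), here is an added model of those rules; it is illustrative code, not GnuTLS's implementation. The membership of NORMAL and the handling of only the VERS-* keywords are simplifying assumptions made for this model.

```python
# Model of the version-selection rules from the MR description.
# Assumption: NORMAL elects these versions (real NORMAL also carries
# ciphers, MACs, etc., which this model ignores).
NORMAL_VERSIONS = {"tls1.0", "tls1.1", "tls1.2", "tls1.3", "dtls1.0", "dtls1.2"}
ALL_TLS = {v for v in NORMAL_VERSIONS if v.startswith("tls")}
ALL_DTLS = NORMAL_VERSIONS - ALL_TLS

# Versions that stay compiled in but carry supported=0 under the new
# configure-time option, as listed in the description.
COMPILED_UNSUPPORTED = {"tls1.0", "tls1.1", "dtls0.9", "dtls1.0"}


def select_by_priority(priority):
    """Versions elected by a priority string such as 'NORMAL:+VERS-TLS1.0'."""
    chosen = set()
    for item in priority.split(":"):
        if item == "NORMAL":
            chosen |= NORMAL_VERSIONS
        elif item.startswith(("+VERS-", "-VERS-")):
            name = item[6:].lower()          # e.g. "tls1.0" or "tls-all"
            if name == "tls-all":
                members = ALL_TLS
            elif name == "dtls-all":
                members = ALL_DTLS
            else:
                members = {name}
            chosen = chosen | members if item[0] == "+" else chosen - members
        # Non-version keywords are not part of this model and are skipped.
    return chosen


def parse_config(text):
    """Collect supported-version / disabled-version lines from a config fragment."""
    supported, disabled = set(), set()
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().lower()
        if key == "supported-version":
            supported.add(value)
        elif key == "disabled-version":
            disabled.add(value)
    return supported, disabled


def effective_versions(priority, config_text=""):
    """Versions actually usable: elected by priority, not unsupported unless
    soft-enabled by supported-version, and never listed in disabled-version."""
    supported, disabled = parse_config(config_text)
    elected = select_by_priority(priority)
    usable = {v for v in elected if v not in COMPILED_UNSUPPORTED or v in supported}
    return usable - disabled
```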