The branch, master has been updated
via 85da9873f7c7c72e41e7392cd1479b51776d9dd5 (commit)
via 53e92ed57b4be2084a39a902c699859a5e10a544 (commit)
from 877bc2ce13322e2e8f92dd3c54fea20fe092b3a5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 85da9873f7c7c72e41e7392cd1479b51776d9dd5
Author: John-Mark Bell <jmb(a)netsurf-browser.org>
Commit: John-Mark Bell <jmb(a)netsurf-browser.org>
fetchers/curl: disable TLS1.0 and TLS1.1 support
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index 824b0b3..ab1d978 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -233,7 +233,7 @@ struct curl_fetch_info {
bool abort; /**< Abort requested. */
bool stopped; /**< Download stopped on purpose. */
bool only_2xx; /**< Only HTTP 2xx responses acceptable. */
- bool downgrade_tls; /**< Downgrade to TLS <= 1.0 */
+ bool downgrade_tls; /**< Downgrade to TLS 1.2 */
nsurl *url; /**< URL of this fetch. */
lwc_string *host; /**< The hostname of this fetch. */
struct curl_slist *headers; /**< List of request headers. */
@@ -813,7 +813,8 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
{
struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
SSL_CTX *sslctx = _sslctx;
- long options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ long options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+ SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
/* set verify callback for each certificate in chain */
SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, fetch_curl_verify_callback);
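Review bot: SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 are OR-ed into `options` unconditionally, whereas the code this replaces wrapped SSL_OP_NO_TLSv1_1 in `#ifdef` and the downgrade branch further down still guards SSL_OP_NO_TLSv1_3 the same way; either give the two new flags matching guards or state in a comment that OpenSSL 1.0.1 or later is now a hard build requirement. On OpenSSL 1.1.0 and later the clearer equivalent is `SSL_CTX_set_min_proto_version(sslctx, TLS1_2_VERSION);`, which expresses the floor directly instead of enumerating every retired version. fetch_curl_sslctxfun continues outside this hunk, and the identical lines appear again in the combined diff at the end of this message.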
@@ -824,19 +825,14 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
parm);
if (f->downgrade_tls) {
- /* Disable TLS 1.1/1.2 if the server can't cope with them */
-#ifdef SSL_OP_NO_TLSv1_1
- options |= SSL_OP_NO_TLSv1_1;
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
- options |= SSL_OP_NO_TLSv1_2;
+ /* Disable TLS 1.3 if the server can't cope with it */
+#ifdef SSL_OP_NO_TLSv1_3
+ options |= SSL_OP_NO_TLSv1_3;
#endif
#ifdef SSL_MODE_SEND_FALLBACK_SCSV
/* Ensure server rejects the connection if downgraded too far */
SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
#endif
- /* Disable TLS1.2 ciphersuites */
- SSL_CTX_set_cipher_list(sslctx, CIPHER_LIST ":-TLSv1.2");
}
SSL_CTX_set_options(sslctx, options);
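Review bot: When SSL_OP_NO_TLSv1_3 is not defined, the `if (f->downgrade_tls)` branch no longer changes the offered protocol versions at all — its only remaining effect is SSL_MODE_SEND_FALLBACK_SCSV — so the retry that llcache drives through downgrade_tls repeats the same TLS 1.2 handshake, now carrying the fallback SCSV, which a server that supports a higher version is expected to reject. Either guard the whole branch on SSL_OP_NO_TLSv1_3 or say so in the comment: `/* Without SSL_OP_NO_TLSv1_3 there is nothing left to downgrade to; the retry only adds the fallback SCSV */`. Removing the `":-TLSv1.2"` trimming also means CIPHER_LIST must now be acceptable for TLS 1.2 as-is, which the rest of this hunk assumes rather than checks. This hunk is repeated in the combined diff at the end of this message.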
diff --git a/content/llcache.c b/content/llcache.c
index 7db59de..f86ae0d 100644
--- a/content/llcache.c
+++ b/content/llcache.c
@@ -116,7 +116,7 @@ typedef struct {
bool tried_with_auth; /**< Whether we've tried with auth */
- bool tried_with_tls_downgrade; /**< Whether we've tried TLS <= 1.0 */
+ bool tried_with_tls_downgrade; /**< Whether we've tried TLS 1.2 */
bool tainted_tls; /**< Whether the TLS transport is tainted */
} llcache_fetch_ctx;
commit 53e92ed57b4be2084a39a902c699859a5e10a544
Author: John-Mark Bell <jmb(a)netsurf-browser.org>
Commit: John-Mark Bell <jmb(a)netsurf-browser.org>
fetchers/curl: explicitly configure TLS1.3 ciphersuites
These currently match the defaults, so no functional change.
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index d36f44c..824b0b3 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -67,7 +67,15 @@
#define UPDATES_PER_SECOND 2
/**
- * The ciphersuites the browser is prepared to use
+ * The ciphersuites the browser is prepared to use for TLS1.3
+ */
+#define CIPHER_SUITES \
+ "TLS_AES_256_GCM_SHA384:" \
+ "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_128_GCM_SHA256"
+
+/**
+ * The ciphersuites the browser is prepared to use for TLS<1.3
*/
#define CIPHER_LIST \
/* disable everything */ \
@@ -1785,6 +1793,10 @@ nserror fetch_curl_register(void)
/* only set the cipher list with openssl otherwise the
* fetch fails with "Unknown cipher in list"
*/
+#if LIBCURL_VERSION_NUM >= 0x073d00
+ /* Need libcurl 7.61.0 or later */
+ SETOPT(CURLOPT_TLS13_CIPHERS, CIPHER_SUITES);
+#endif
SETOPT(CURLOPT_SSL_CIPHER_LIST, CIPHER_LIST);
}
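Review bot: The `LIBCURL_VERSION_NUM >= 0x073d00` guard only establishes that libcurl knows the option; CURLOPT_TLS13_CIPHERS is honoured by a subset of TLS backends, and how SETOPT behaves when the option is rejected at runtime is not visible in this hunk. The comment should state the full requirement, e.g. `/* Need libcurl 7.61.0 or later; honoured only by TLS backends that support TLS 1.3 ciphersuite selection */`, so a later reader does not assume the version check alone guarantees the setting took effect. The enclosing fetch_curl_register starts outside the hunk, and the same lines appear again in the combined diff at the end of this message.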
-----------------------------------------------------------------------
Summary of changes:
content/fetchers/curl.c | 30 +++++++++++++++++++-----------
content/llcache.c | 2 +-
2 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index d36f44c..ab1d978 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -67,7 +67,15 @@
#define UPDATES_PER_SECOND 2
/**
- * The ciphersuites the browser is prepared to use
+ * The ciphersuites the browser is prepared to use for TLS1.3
+ */
+#define CIPHER_SUITES \
+ "TLS_AES_256_GCM_SHA384:" \
+ "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_128_GCM_SHA256"
+
+/**
+ * The ciphersuites the browser is prepared to use for TLS<1.3
*/
#define CIPHER_LIST \
/* disable everything */ \
@@ -225,7 +233,7 @@ struct curl_fetch_info {
bool abort; /**< Abort requested. */
bool stopped; /**< Download stopped on purpose. */
bool only_2xx; /**< Only HTTP 2xx responses acceptable. */
- bool downgrade_tls; /**< Downgrade to TLS <= 1.0 */
+ bool downgrade_tls; /**< Downgrade to TLS 1.2 */
nsurl *url; /**< URL of this fetch. */
lwc_string *host; /**< The hostname of this fetch. */
struct curl_slist *headers; /**< List of request headers. */
@@ -805,7 +813,8 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
{
struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
SSL_CTX *sslctx = _sslctx;
- long options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ long options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+ SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
/* set verify callback for each certificate in chain */
SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, fetch_curl_verify_callback);
@@ -816,19 +825,14 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
parm);
if (f->downgrade_tls) {
- /* Disable TLS 1.1/1.2 if the server can't cope with them */
-#ifdef SSL_OP_NO_TLSv1_1
- options |= SSL_OP_NO_TLSv1_1;
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
- options |= SSL_OP_NO_TLSv1_2;
+ /* Disable TLS 1.3 if the server can't cope with it */
+#ifdef SSL_OP_NO_TLSv1_3
+ options |= SSL_OP_NO_TLSv1_3;
#endif
#ifdef SSL_MODE_SEND_FALLBACK_SCSV
/* Ensure server rejects the connection if downgraded too far */
SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
#endif
- /* Disable TLS1.2 ciphersuites */
- SSL_CTX_set_cipher_list(sslctx, CIPHER_LIST ":-TLSv1.2");
}
SSL_CTX_set_options(sslctx, options);
@@ -1785,6 +1789,10 @@ nserror fetch_curl_register(void)
/* only set the cipher list with openssl otherwise the
* fetch fails with "Unknown cipher in list"
*/
+#if LIBCURL_VERSION_NUM >= 0x073d00
+ /* Need libcurl 7.61.0 or later */
+ SETOPT(CURLOPT_TLS13_CIPHERS, CIPHER_SUITES);
+#endif
SETOPT(CURLOPT_SSL_CIPHER_LIST, CIPHER_LIST);
}
diff --git a/content/llcache.c b/content/llcache.c
index 7db59de..f86ae0d 100644
--- a/content/llcache.c
+++ b/content/llcache.c
@@ -116,7 +116,7 @@ typedef struct {
bool tried_with_auth; /**< Whether we've tried with auth */
- bool tried_with_tls_downgrade; /**< Whether we've tried TLS <= 1.0 */
+ bool tried_with_tls_downgrade; /**< Whether we've tried TLS 1.2 */
bool tainted_tls; /**< Whether the TLS transport is tainted */
} llcache_fetch_ctx;