openssl: initial TLS 1.3 adaptions

BoringSSL supports TLSv1.3 already, but these changes don't seem to be anough
to get it working.

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 24d9d42c19a1d039e93f7cc0f332ef10c6a981fc..edfd5356dfbe4ba6ca91494715e4be2cf843a2d8 100644 (file)
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1548,6 +1548,11 @@ static void ssl_tls_trace(int direction, int ssl_ver, int content_type,
   case TLS1_2_VERSION:
     verstr = "TLSv1.2";
     break;
+#endif
+#ifdef TLS1_3_VERSION
+  case TLS1_3_VERSION:
+    verstr = "TLSv1.3";
+    break;
 #endif
   case 0:
     break;
@@ -1677,6 +1682,10 @@ get_ssl_version_txt(SSL *ssl)
     return "";
 
   switch(SSL_version(ssl)) {
+#ifdef TLS1_3_VERSION
+  case TLS1_3_VERSION:
+    return "TLSv1.3";
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
   case TLS1_2_VERSION:
     return "TLSv1.2";
@@ -1728,6 +1737,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
   case CURL_SSLVERSION_TLSv1_0:
   case CURL_SSLVERSION_TLSv1_1:
   case CURL_SSLVERSION_TLSv1_2:
+  case CURL_SSLVERSION_TLSv1_3:
     /* it will be handled later with the context options */
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
     !defined(LIBRESSL_VERSION_NUMBER)
@@ -1891,6 +1901,16 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
     break;
 #endif
 
+#ifdef TLS1_3_VERSION
+  case CURL_SSLVERSION_TLSv1_3:
+    ctx_options |= SSL_OP_NO_SSLv2;
+    ctx_options |= SSL_OP_NO_SSLv3;
+    ctx_options |= SSL_OP_NO_TLSv1;
+    ctx_options |= SSL_OP_NO_TLSv1_1;
+    ctx_options |= SSL_OP_NO_TLSv1_2;
+    break;
+#endif
+
 #ifndef OPENSSL_NO_SSL2
   case CURL_SSLVERSION_SSLv2:
     ctx_options |= SSL_OP_NO_SSLv3;