[gnutls-devel] GnuTLS | Compiled-in, yet unsupported by default, TLS versions (!1157)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Jan 6 16:27:26 CET 2020



Dimitri John Ledkov created a merge request: https://gitlab.com/gnutls/gnutls/merge_requests/1157

Branches: xnox/gnutls:supported-version to gnutls/gnutls:master
Author: Dimitri John Ledkov



Add a new configure time option which will mark TLS versions prior to v1.2.

This will still compile-in TLS1.0/1.1 DTLS0.9/1.0 support, however it will have supported=0. Meaning that, even though it is selected by the priority string (e.g. NORMAL or +VERS-TLS1.0) it would not be usable, unless supported-version = tls1.0 is also specified in the config file.

Note this is a "soft" enable: if the priority string did not elect TLS1.0, supported-version = tls1.0 will not enable it (i.e. priority string -VERS-TLS-ALL:+VERS-TLS1.3 will not gain tls1.0 just because supported-version=tls1.0 is declared).

Similarly disabled-version continues to blacklist the algorithm, and supported-version will not be enabled.

The overall goal is to bring GnuTLS on par with OpenSSL in Debian/Ubuntu, where TLS1.0/1.1 are disabled by default, yet the user-admin can enable it back on with a configuration file. Unlike Debian, however, Ubuntu would like to achieve this as a compiled-in default without any configuration files. Meaning a config file should only need to be created to turn tls1.0/1.1 back on, but by default the library without config files does not use tls1.0/1.1.

Add a description of the new feature/bug fix. Reference any relevant bugs.

This is a bit of a work in progress. I believe the pipelines should pass with or without this new configure-time option. But I'm not yet fully happy with functionality & negative tests coverage. I will add more tests, but the feature code is otherwise ready for review and comments, as it appears to behave the way I described above.

## Checklist
 * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [ ] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

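As an added illustration (not code from this merge request or from GnuTLS itself), the following Python models the "soft enable" rule described in the request: a version is usable only if the priority string elected it, it is either supported by default or named in supported-version, and it is not named in disabled-version. The priority-string and config-file parsers are deliberately simplified assumptions; only the NORMAL keyword and VERS-* keywords are modelled.

```python
# Model of the supported-version / disabled-version rule from the merge
# request. Added example, not GnuTLS code; parsing is simplified.

ALL_TLS = ["tls1.0", "tls1.1", "tls1.2", "tls1.3"]
# Assumption: with the new configure-time option, only 1.2+ carry supported=1.
DEFAULT_SUPPORTED = {"tls1.2", "tls1.3"}


def versions_from_priority(priority: str) -> set:
    """Return the TLS versions a priority string elects (NORMAL = all)."""
    selected = set()
    for token in priority.split(":"):
        if token == "NORMAL":
            selected |= set(ALL_TLS)
        elif token.startswith(("+VERS-", "-VERS-")):
            add = token[0] == "+"
            name = token[6:].lower()  # "TLS1.0" -> "tls1.0", "TLS-ALL" -> "tls-all"
            vers = set(ALL_TLS) if name == "tls-all" else {name}
            selected = (selected | vers) if add else (selected - vers)
    return selected


def parse_config(config: str) -> dict:
    """Parse 'key = value' lines; only the two keys of interest are kept."""
    out = {"supported-version": set(), "disabled-version": set()}
    for line in config.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            if key.strip() in out:
                out[key.strip()].add(value.strip().lower())
    return out


def usable_versions(priority: str, config: str = "") -> set:
    """Versions actually negotiable for this priority string and config."""
    cfg = parse_config(config)
    elected = versions_from_priority(priority)
    # supported-version only adds to the compiled-in default, it never
    # overrides the priority string; disabled-version always wins.
    enabled = DEFAULT_SUPPORTED | cfg["supported-version"]
    return (elected & enabled) - cfg["disabled-version"]
```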

