From 1ac9aa70852d67b71797d7bbcd97152b11c26334 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Sun, 28 May 2017 10:46:38 +0300 Subject: [PATCH 1/2] Set correct minimal versions in default conf Set `MBEDTLS_SSL_MIN_MAJOR_VERSION` and `MBEDTLS_SSL_MIN_MINOR_VERSION` instead of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1` --- ChangeLog | 4 ++++ include/mbedtls/ssl_internal.h | 3 +++ library/ssl_tls.c | 10 ++++++++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ed7818e30..aa98f7f6b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -62,6 +62,10 @@ Bugfix * Fix issue in RSA key generation program programs/x509/rsa_genkey where the failure of CTR DRBG initialization lead to freeing an RSA context without proper initialization beforehand. + * Fix setting version TLSv1 as minimal version, even if TLS 1 + is not enabled. Set `MBEDTLS_SSL_MIN_MAJOR_VERSION` + and `MBEDTLS_SSL_MIN_MINOR_VERSION` instead + of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1` Changes * Extend cert_write example program by options to set the CRT version diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 0c93a748e..8bbe0b7b4 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -65,6 +65,9 @@ #endif /* MBEDTLS_SSL_PROTO_TLS1 */ #endif /* MBEDTLS_SSL_PROTO_SSL3 */ +#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 +#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 + /* Determine maximum supported version */ #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 860ae2937..942e08357 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7335,8 +7335,14 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, * Default */ default: - conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; - conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ + conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION > + MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ? + MBEDTLS_SSL_MIN_MAJOR_VERSION : + MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION; + conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION > + MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ? + MBEDTLS_SSL_MIN_MINOR_VERSION : + MBEDTLS_SSL_MIN_VALID_MINOR_VERSION; conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; From b1e6efd55df2988a65b88fef6dc68f3792c94a94 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 11 Mar 2018 00:35:39 +0100 Subject: [PATCH 2/2] This fixes #664 --- ChangeLog | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index aa98f7f6b..a6664f7ab 100644 --- a/ChangeLog +++ b/ChangeLog @@ -63,9 +63,9 @@ Bugfix where the failure of CTR DRBG initialization lead to freeing an RSA context without proper initialization beforehand. * Fix setting version TLSv1 as minimal version, even if TLS 1 - is not enabled. Set `MBEDTLS_SSL_MIN_MAJOR_VERSION` - and `MBEDTLS_SSL_MIN_MINOR_VERSION` instead - of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1` + is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION + and MBEDTLS_SSL_MIN_MINOR_VERSION instead of + MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664 Changes * Extend cert_write example program by options to set the CRT version