Enable TLS 1.3 by default. Update-Note: If calling code does not work with TLS 1.3, the simplest fix is to call SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION). Change-Id: Ic99861753dac117c52aea1988a6c4227a32984ca Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38624 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index c01443e..8fbf698 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc
@@ -888,8 +888,7 @@ } TEST(SSLTest, DefaultVersion) { - // TODO(svaldez): Update this when TLS 1.3 is enabled by default. - ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method); + ExpectDefaultVersion(TLS1_VERSION, TLS1_3_VERSION, &TLS_method); ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method); ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method); ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method); @@ -2690,7 +2689,7 @@ // Zero is the default version. EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0)); - EXPECT_EQ(TLS1_2_VERSION, SSL_CTX_get_max_proto_version(ctx.get())); + EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get())); EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0)); EXPECT_EQ(TLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get())); @@ -3775,8 +3774,8 @@ } TEST(SSLTest, SealRecord) { - bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())), - server_ctx(SSL_CTX_new(TLS_method())); + bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())), + server_ctx(SSL_CTX_new(TLSv1_2_method())); ASSERT_TRUE(client_ctx); ASSERT_TRUE(server_ctx); @@ -3818,8 +3817,8 @@ } TEST(SSLTest, SealRecordInPlace) { - bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())), - server_ctx(SSL_CTX_new(TLS_method())); + bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())), + server_ctx(SSL_CTX_new(TLSv1_2_method())); ASSERT_TRUE(client_ctx); ASSERT_TRUE(server_ctx); @@ -3856,8 +3855,8 @@ } TEST(SSLTest, SealRecordTrailingData) { - bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())), - server_ctx(SSL_CTX_new(TLS_method())); + bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())), + server_ctx(SSL_CTX_new(TLSv1_2_method())); ASSERT_TRUE(client_ctx); ASSERT_TRUE(server_ctx); @@ -3895,8 +3894,8 @@ } TEST(SSLTest, SealRecordInvalidSpanSize) { - bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())), - server_ctx(SSL_CTX_new(TLS_method())); + bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())), + server_ctx(SSL_CTX_new(TLSv1_2_method())); ASSERT_TRUE(client_ctx); ASSERT_TRUE(server_ctx);
diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc index e63a189..d95aeb3 100644 --- a/ssl/ssl_versions.cc +++ b/ssl/ssl_versions.cc
@@ -150,7 +150,7 @@ uint16_t version) { // Zero is interpreted as the default maximum version. if (version == 0) { - *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION; + *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_3_VERSION; return true; }
diff --git a/ssl/test/fuzzer.h b/ssl/test/fuzzer.h index f714d5d..f10c4a0 100644 --- a/ssl/test/fuzzer.h +++ b/ssl/test/fuzzer.h
@@ -409,10 +409,6 @@ if (!SSL_CTX_set_strict_cipher_list(ctx_.get(), "ALL:NULL-SHA")) { return false; } - if (protocol_ == kTLS && - !SSL_CTX_set_max_proto_version(ctx_.get(), TLS1_3_VERSION)) { - return false; - } static const int kCurves[] = {NID_CECPQ2, NID_X25519, NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1};
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc index a4a37e6..585e3fd 100644 --- a/ssl/test/test_config.cc +++ b/ssl/test/test_config.cc
@@ -1143,12 +1143,6 @@ CRYPTO_once(&once, init_once); SSL_CTX_set0_buffer_pool(ssl_ctx.get(), g_pool); - // Enable TLS 1.3 for tests. - if (!is_dtls && - !SSL_CTX_set_max_proto_version(ssl_ctx.get(), TLS1_3_VERSION)) { - return nullptr; - } - std::string cipher_list = "ALL"; if (!cipher.empty()) { cipher_list = cipher;