Enable TLS 1.3 by default.
Update-Note: If calling code does not work with TLS 1.3, the simplest
fix is to call SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION).
Change-Id: Ic99861753dac117c52aea1988a6c4227a32984ca
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38624
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index c01443e..8fbf698 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -888,8 +888,7 @@
}
TEST(SSLTest, DefaultVersion) {
- // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
- ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method);
+ ExpectDefaultVersion(TLS1_VERSION, TLS1_3_VERSION, &TLS_method);
ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
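Review bot: The updated assertion on the TLS_method line pins only the TLS branch of the new default; the DTLS branch that ssl_versions.cc leaves at DTLS1_2_VERSION is not visible in this hunk. If it is not already asserted further down (the TEST body continues past the hunk), add `ExpectDefaultVersion(DTLS1_VERSION, DTLS1_2_VERSION, &DTLS_method);` so a future bump of the TLS default cannot silently change the DTLS one. The removed TODO was the only record of why TLS1_2_VERSION was expected here, so a one-line comment such as `// TLS 1.3 is the default maximum; DTLS stays at 1.2.` would keep that context.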
@@ -2690,7 +2689,7 @@
// Zero is the default version.
EXPECT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), 0));
- EXPECT_EQ(TLS1_2_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
+ EXPECT_EQ(TLS1_3_VERSION, SSL_CTX_get_max_proto_version(ctx.get()));
EXPECT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), 0));
EXPECT_EQ(TLS1_VERSION, SSL_CTX_get_min_proto_version(ctx.get()));
@@ -3775,8 +3774,8 @@
}
TEST(SSLTest, SealRecord) {
- bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
- server_ctx(SSL_CTX_new(TLS_method()));
+ bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
+ server_ctx(SSL_CTX_new(TLSv1_2_method()));
ASSERT_TRUE(client_ctx);
ASSERT_TRUE(server_ctx);
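Review bot: Switching the two contexts to TLSv1_2_method() pins SealRecord to TLS 1.2 without saying why, which reads as an accidental loss of TLS 1.3 coverage now that TLS_method() defaults to 1.3; the same applies to SealRecordInPlace, SealRecordTrailingData and SealRecordInvalidSpanSize below. Add a comment above the declarations such as `// Pinned to TLS 1.2: the expectations below are written against the TLS 1.2 record layer. TODO: add TLS 1.3 coverage if SSL_seal_record is meant to work there.`. Note also that TLSv1_2_method() fixes both the minimum and maximum at 1.2, whereas the Update-Note recommends `SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)`; using the latter on a TLS_method() context would keep these tests consistent with the documented migration path. The TEST body continues past the hunk.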
@@ -3818,8 +3817,8 @@
}
TEST(SSLTest, SealRecordInPlace) {
- bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
- server_ctx(SSL_CTX_new(TLS_method()));
+ bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
+ server_ctx(SSL_CTX_new(TLSv1_2_method()));
ASSERT_TRUE(client_ctx);
ASSERT_TRUE(server_ctx);
@@ -3856,8 +3855,8 @@
}
TEST(SSLTest, SealRecordTrailingData) {
- bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
- server_ctx(SSL_CTX_new(TLS_method()));
+ bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
+ server_ctx(SSL_CTX_new(TLSv1_2_method()));
ASSERT_TRUE(client_ctx);
ASSERT_TRUE(server_ctx);
@@ -3895,8 +3894,8 @@
}
TEST(SSLTest, SealRecordInvalidSpanSize) {
- bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_method())),
- server_ctx(SSL_CTX_new(TLS_method()));
+ bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLSv1_2_method())),
+ server_ctx(SSL_CTX_new(TLSv1_2_method()));
ASSERT_TRUE(client_ctx);
ASSERT_TRUE(server_ctx);
diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc
index e63a189..d95aeb3 100644
--- a/ssl/ssl_versions.cc
+++ b/ssl/ssl_versions.cc
@@ -150,7 +150,7 @@
uint16_t version) {
// Zero is interpreted as the default maximum version.
if (version == 0) {
- *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
+ *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_3_VERSION;
return true;
}
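Review bot: The comment on the zero case still says only "the default maximum version" while the value it resolves to has just changed, and this line is the single source of truth that ssl_test.cc now pins twice. Extend it to `// Zero is interpreted as the default maximum version: TLS 1.3 for TLS, DTLS 1.2 for DTLS (no DTLS 1.3 here). Callers that cannot negotiate TLS 1.3 should set SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION).` so the opt-out from the Update-Note is discoverable at the point of the default. The default minimum is left at TLS1_VERSION per the test at ssl_test.cc:2689, which is presumably deliberate but worth stating next to this change. The enclosing function starts before the hunk.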
diff --git a/ssl/test/fuzzer.h b/ssl/test/fuzzer.h
index f714d5d..f10c4a0 100644
--- a/ssl/test/fuzzer.h
+++ b/ssl/test/fuzzer.h
@@ -409,10 +409,6 @@
if (!SSL_CTX_set_strict_cipher_list(ctx_.get(), "ALL:NULL-SHA")) {
return false;
}
- if (protocol_ == kTLS &&
- !SSL_CTX_set_max_proto_version(ctx_.get(), TLS1_3_VERSION)) {
- return false;
- }
static const int kCurves[] = {NID_CECPQ2, NID_X25519, NID_X9_62_prime256v1,
NID_secp384r1, NID_secp521r1};
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index a4a37e6..585e3fd 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -1143,12 +1143,6 @@
CRYPTO_once(&once, init_once);
SSL_CTX_set0_buffer_pool(ssl_ctx.get(), g_pool);
- // Enable TLS 1.3 for tests.
- if (!is_dtls &&
- !SSL_CTX_set_max_proto_version(ssl_ctx.get(), TLS1_3_VERSION)) {
- return nullptr;
- }
-
std::string cipher_list = "ALL";
if (!cipher.empty()) {
cipher_list = cipher;