Switch the default TLS 1.3 variant to tls13_rfc.
Update-Note: If not explicitly configured to use tls13_all, callers that enable
TLS 1.3 will now only enable the final standard version.
Change-Id: Ifcfc65a9d8782c983df6e002925e8f77f45b6e53
Reviewed-on: https://boringssl-review.googlesource.com/31384
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index c2afa15..daa58b0 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3381,15 +3381,13 @@
OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl);
// tls13_variant_t determines what TLS 1.3 variant to negotiate.
-//
-// TODO(svaldez): Make |tls13_rfc| the default after callers are switched to
-// explicitly enable |tls13_all|.
enum tls13_variant_t {
- tls13_default = 0,
+ tls13_rfc = 0,
tls13_draft23,
tls13_draft28,
- tls13_rfc,
- tls13_all = tls13_default,
+ // tls13_all enables all variants of TLS 1.3, to keep the transition smooth as
+ // early adopters move to the final version.
+ tls13_all,
};
// SSL_CTX_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the
diff --git a/ssl/internal.h b/ssl/internal.h
index 14c871a..087f5fb 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -2794,7 +2794,7 @@
// tls13_variant is the variant of TLS 1.3 we are using for this
// configuration.
- tls13_variant_t tls13_variant = tls13_default;
+ tls13_variant_t tls13_variant = tls13_rfc;
bssl::UniquePtr<bssl::SSLCipherPreferenceList> cipher_list;
@@ -3123,7 +3123,7 @@
// tls13_variant is the variant of TLS 1.3 we are using for this
// configuration.
- tls13_variant_t tls13_variant = tls13_default;
+ tls13_variant_t tls13_variant = tls13_rfc;
// session is the configured session to be offered by the client. This session
// is immutable.
diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc
index 6f07b93..212c3ac 100644
--- a/ssl/ssl_versions.cc
+++ b/ssl/ssl_versions.cc
@@ -304,7 +304,7 @@
return version == TLS1_3_DRAFT28_VERSION;
case tls13_rfc:
return version == TLS1_3_VERSION;
- case tls13_default:
+ case tls13_all:
return true;
}
}
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index cb77a73..702814d 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -39,10 +39,10 @@
)
const (
- TLS13Default = 0
+ TLS13RFC = 0
TLS13Draft23 = 1
TLS13Draft28 = 2
- TLS13RFC = 3
+ TLS13All = 3
)
var allTLSWireVersions = []uint16{
@@ -1772,7 +1772,7 @@
if wireVers != VersionTLS13 {
return 0, false
}
- case TLS13Default:
+ case TLS13All:
// Allow all of them.
default:
panic(c.TLS13Variant)
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 5955eda..6bbaecf 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1024,8 +1024,7 @@
panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
}
- // Ignore this check against "TLS13", since TLS13 is used in many test names.
- if ver.tls13Variant != 0 && ver.tls13Variant != TLS13RFC {
+ if ver.tls13Variant != 0 {
var foundFlag bool
for _, flag := range test.flags {
if flag == "-tls13-variant" {
@@ -1418,11 +1417,11 @@
return allVersions(protocol)
}
tls13Default := tlsVersion{
- name: "TLS13Default",
+ name: "TLS13All",
version: VersionTLS13,
excludeFlag: "-no-tls13",
versionWire: 0,
- tls13Variant: TLS13Default,
+ tls13Variant: TLS13All,
}
var shimVersions []tlsVersion
@@ -5581,7 +5580,7 @@
}
if expectedVersion == VersionTLS13 && runnerVers.tls13Variant != shimVers.tls13Variant {
- if shimVers.tls13Variant != TLS13Default {
+ if shimVers.tls13Variant != TLS13All {
expectedVersion = VersionTLS12
}
}
@@ -5782,7 +5781,7 @@
name: "IgnoreClientVersionOrder",
config: Config{
Bugs: ProtocolBugs{
- SendSupportedVersions: []uint16{VersionTLS12, tls13Draft23Version},
+ SendSupportedVersions: []uint16{VersionTLS12, VersionTLS13},
},
},
expectedVersion: VersionTLS13,
diff --git a/tool/client.cc b/tool/client.cc
index 9012993..80acf34 100644
--- a/tool/client.cc
+++ b/tool/client.cc
@@ -341,6 +341,10 @@
*out = tls13_rfc;
return true;
}
+ if (in == "all") {
+ *out = tls13_all;
+ return true;
+ }
return false;
}
diff --git a/tool/server.cc b/tool/server.cc
index 824538a..c4b23bf 100644
--- a/tool/server.cc
+++ b/tool/server.cc
@@ -161,6 +161,10 @@
*out = tls13_rfc;
return true;
}
+ if (in == "all") {
+ *out = tls13_all;
+ return true;
+ }
return false;
}
