On Wed, May 13, 2020 at 01:27:43AM +0300, Pavel Korovin wrote:
> Dear all,
>
> After compiling/upgrading to the latest source with TLSv1.3 server code
> enabled,
> I've got Firefox SSL_ERROR_RX_MALFORMED_SERVER_HELLO when I tried to access http
> serviced by relayd.
> Please find the diff for relayd(8) attached.
>
> Qualys SSL report for the box:
> https://www.ssllabs.com/ssltest/analyze.html?d=waste.tristero.se&s=2001%3a470%3a1f15%3a1492%3a0%3a0%3a0%3a2
>
> --
> With best regards,
> Pavel Korovin
I think the default should match libtls and also include TLSFLAG_TLSV1_2 (see comment below). I have tested this patch with that modified and as far as I can tell, it works as intended and expected. Unless somebody speaks up, this is ok tb Please commit the manpage patch below along with it. > Index: parse.y > =================================================================== > RCS file: /cvs/src/usr.sbin/relayd/parse.y,v > retrieving revision 1.244 > diff -u -p -r1.244 parse.y > --- parse.y 12 Feb 2020 21:15:44 -0000 1.244 > +++ parse.y 12 May 2020 22:26:09 -0000 > @@ -1355,6 +1355,8 @@ flag : STRING { > $$ = TLSFLAG_TLSV1_1; > else if (strcmp("tlsv1.2", $1) == 0) > $$ = TLSFLAG_TLSV1_2; > + else if (strcmp("tlsv1.3", $1) == 0) > + $$ = TLSFLAG_TLSV1_3; > else if (strcmp("cipher-server-preference", $1) == 0) > $$ = TLSFLAG_CIPHER_SERVER_PREF; > else if (strcmp("client-renegotiation", $1) == 0) > Index: relay.c > =================================================================== > RCS file: /cvs/src/usr.sbin/relayd/relay.c,v > retrieving revision 1.250 > diff -u -p -r1.250 relay.c > --- relay.c 13 Jul 2019 06:53:00 -0000 1.250 > +++ relay.c 12 May 2020 22:26:09 -0000 > @@ -2066,6 +2066,8 @@ relay_tls_ctx_create_proto(struct protoc > protocols |= TLS_PROTOCOL_TLSv1_1; > if (proto->tlsflags & TLSFLAG_TLSV1_2) > protocols |= TLS_PROTOCOL_TLSv1_2; > + if (proto->tlsflags & TLSFLAG_TLSV1_3) > + protocols |= TLS_PROTOCOL_TLSv1_3; > if (tls_config_set_protocols(tls_cfg, protocols) == -1) { > log_warnx("could not set the TLS protocol: %s", > tls_config_error(tls_cfg)); > Index: relayd.h > =================================================================== > RCS file: /cvs/src/usr.sbin/relayd/relayd.h,v > retrieving revision 1.260 > diff -u -p -r1.260 relayd.h > --- relayd.h 15 Sep 2019 19:23:29 -0000 1.260 > +++ relayd.h 12 May 2020 22:26:09 -0000 
> @@ -695,15 +695,16 @@ TAILQ_HEAD(relay_rules, relay_rule); > #define TLSFLAG_TLSV1_0 0x02 > #define TLSFLAG_TLSV1_1 0x04 > #define TLSFLAG_TLSV1_2 0x08 > -#define TLSFLAG_TLSV1 0x0e > +#define TLSFLAG_TLSV1_3 0x10 > +#define TLSFLAG_TLSV1 0x1e > #define TLSFLAG_VERSION 0x1f > #define TLSFLAG_CIPHER_SERVER_PREF 0x20 > #define TLSFLAG_CLIENT_RENEG 0x40 > #define TLSFLAG_DEFAULT \ > - (TLSFLAG_TLSV1_2|TLSFLAG_CIPHER_SERVER_PREF) > + (TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF) #define TLSFLAG_DEFAULT \ (TLSFLAG_TLSV1_2|TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF) > > #define TLSFLAG_BITS \ > - "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2" \ > + "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2\05tlsv1.3" \ > "\06cipher-server-preference\07client-renegotiation" > > #define TLSCIPHERS_DEFAULT "HIGH:!aNULL" Index: relayd.conf.5 =================================================================== RCS file: /var/cvs/src/usr.sbin/relayd/relayd.conf.5,v retrieving revision 1.196 diff -u -p -r1.196 relayd.conf.5 --- relayd.conf.5 2 May 2020 19:02:57 -0000 1.196 +++ relayd.conf.5 14 May 2020 05:48:10 -0000 @@ -1015,6 +1015,9 @@ Disable TLS session tickets. supports stateless TLS session tickets (RFC 5077) to implement TLS session resumption. The default is to enable session tickets. +.It Ic no tlsv1.3 +Disable the TLSv1.3 protocol. +The default is to enable TLSv1.3. .It Ic no tlsv1.2 Disable the TLSv1.2 protocol. The default is to enable TLSv1.2. @@ -1027,8 +1030,9 @@ Enable all TLSv1 protocols. This is an alias that includes .Ic tlsv1.0 , .Ic tlsv1.1 , +.Ic tlsv1.2 , and -.Ic tlsv1.2 . +.Ic tlsv1.3 . The default is .Ic no tlsv1 . .It Ic tlsv1.0
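Review bot: in the relayd.h hunk, the new `TLSFLAG_DEFAULT` of `(TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF)` drops `TLSFLAG_TLSV1_2` from the default, so a relay without an explicit protocol list would accept only TLSv1.3 clients and no longer match the libtls default; keep TLSv1.2 in the mask, i.e. `(TLSFLAG_TLSV1_2|TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF)`, as suggested inline above. The rest of the hunk is consistent: `TLSFLAG_TLSV1_3` takes the previously unused 0x10 bit that `TLSFLAG_VERSION` (0x1f) already covers, the `TLSFLAG_TLSV1` alias mask moves from 0x0e to 0x1e so the `tlsv1` alias includes the new protocol, and the `TLSFLAG_BITS` string gains `\05tlsv1.3` at bit 5, between `\04tlsv1.2` and `\06cipher-server-preference`, matching the 0x10 bit value.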
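Review bot: in the first relayd.conf.5 hunk, the new `.It Ic no tlsv1.3` entry states "The default is to enable TLSv1.3" while the unchanged `.It Ic no tlsv1.2` entry still states "The default is to enable TLSv1.2"; both sentences are true only with the modified `TLSFLAG_DEFAULT` that keeps `TLSFLAG_TLSV1_2`, so the original patch's TLSv1.3-only default would make the manpage and relayd.h disagree. Commit the header change and the manpage change together so the documented default matches the compiled one. The second hunk, which adds `.Ic tlsv1.2 ,` and `.Ic tlsv1.3 .` to the `tlsv1` alias list, lines up with the 0x1e `TLSFLAG_TLSV1` mask.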