Force TLSv1.2 for LibreSSL 3.2.1 and later

TLSv1.3 support is still incomplete but yet enabled.
sfackler · Dec 6, 2020 · 7be936a · 7be936a
1 parent 8e585e2
commit 7be936a
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
@@ -203,8 +203,8 @@ bitflags! {
 
         /// Disables the use of TLSv1.3.
         ///
-        /// Requires OpenSSL 1.1.1 or LibreSSL 3.2.1 or newer.
-        #[cfg(any(ossl111, libressl321))]
+        /// Requires OpenSSL 1.1.1 or newer.
+        #[cfg(ossl111)]
         const NO_TLSV1_3 = ffi::SSL_OP_NO_TLSv1_3;
 
         /// Disables the use of DTLSv1.0
@@ -3972,7 +3972,13 @@ cfg_if! {
 }
 
 cfg_if! {
-    if #[cfg(any(ossl110, libressl291))] {
+    /// LibreSSL 3.2.1 and later's TLSv1.3 support is incomplete
+    if #[cfg(libressl321)] {
+        use ffi::{
+            TLSv1_2_method as TLS_method, DTLS_method, TLSv1_2_client_method as TLS_client_method,
+            TLSv1_2_server_method as TLS_server_method,
+        };
+    } else if #[cfg(any(ossl110, libressl291))] {
         use ffi::{TLS_method, DTLS_method, TLS_client_method, TLS_server_method};
     } else {
         use ffi::{

diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs
@@ -903,7 +903,7 @@ fn tmp_dh_callback_ssl() {
 
     let mut client = server.client();
     // TLS 1.3 has no DH suites, so make sure we don't pick that version
-    #[cfg(any(ossl111, libressl321))]
+    #[cfg(ossl111)]
     client.ctx().set_options(super::SslOptions::NO_TLSV1_3);
     client.ctx().set_cipher_list("EDH").unwrap();
     client.connect();