1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-24 09:08:49 -05:00

OpenSSL: enable TLS 1.3 post-handshake auth

OpenSSL 1.1.1 requires clients to opt-in for post-handshake
authentication.

Fixes: https://github.com/curl/curl/issues/3026
Signed-off-by: Christian Heimes <christian@python.org>

Closes https://github.com/curl/curl/pull/3027
This commit is contained in:
Christian Heimes 2018-09-21 10:37:43 +02:00 committed by Daniel Stenberg
parent 55b51b8c49
commit b939bc47b2
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2

View File

@ -177,6 +177,7 @@
!defined(LIBRESSL_VERSION_NUMBER) && \ !defined(LIBRESSL_VERSION_NUMBER) && \
!defined(OPENSSL_IS_BORINGSSL)) !defined(OPENSSL_IS_BORINGSSL))
#define HAVE_SSL_CTX_SET_CIPHERSUITES #define HAVE_SSL_CTX_SET_CIPHERSUITES
#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
#endif #endif
#if defined(LIBRESSL_VERSION_NUMBER) #if defined(LIBRESSL_VERSION_NUMBER)
@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
} }
#endif #endif
#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
/* OpenSSL 1.1.1 requires clients to opt-in for PHA */
SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);
#endif
#ifdef USE_TLS_SRP #ifdef USE_TLS_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP) { if(ssl_authtype == CURL_TLSAUTH_SRP) {
char * const ssl_username = SSL_SET_OPTION(username); char * const ssl_username = SSL_SET_OPTION(username);