Compiled-in, yet unsupported by default, TLS versions
Add a new configure-time option which will mark TLS versions prior to v1.2.
This will still compile in TLS1.0/1.1 and DTLS0.9/1.0 support; however, it will have supported=0, meaning that, even though it is selected by the priority string (e.g. NORMAL or +VERS-TLS1.0), it would not be usable unless supported-version = tls1.0 is also specified in the config file.
Note this is a "soft" enable: if the priority string did not elect TLS1.0, supported-version = tls1.0 will not enable it (i.e. the priority string -VERS-TLS-ALL:+VERS-TLS1.3 will not gain tls1.0 just because supported-version=tls1.0 is declared).
Similarly, disabled-version continues to blacklist the algorithm, and supported-version will not enable it.
The overall goal is to bring GnuTLS on par with OpenSSL in Debian/Ubuntu, where TLS1.0/1.1 are disabled by default, yet the user/admin can enable them again with a configuration file. Unlike Debian, however, Ubuntu would like to achieve this as a compiled-in default without any configuration files. Meaning a config file should only need to be created to turn tls1.0/1.1 back on, but by default the library without config files does not use tls1.0/1.1.
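To make the interaction of the three inputs (priority string, supported-version, disabled-version) concrete, here is an added model of the semantics described above. It is illustration code, not GnuTLS code; the priority-string handling is a deliberately minimal subset (NORMAL, +VERS-x, -VERS-x, VERS-TLS-ALL), and the function and key names are assumptions.

```python
# Added model of the "soft enable" semantics proposed in this merge request.
# Not GnuTLS code: the priority parsing is a small simplified subset and the
# names below (ALL_TLS, LEGACY, usable_versions, ...) are assumptions.

ALL_TLS = ["tls1.0", "tls1.1", "tls1.2", "tls1.3"]
# Compiled in, but marked supported=0 by the proposed configure-time option.
LEGACY = {"tls1.0", "tls1.1"}


def select_by_priority(priority: str) -> set:
    """Return the TLS versions elected by a (simplified) priority string.

    NORMAL selects every compiled-in version; +VERS-X / -VERS-X add or
    remove a single version (e.g. TLS1.0) or VERS-TLS-ALL for all of them.
    Unknown keywords (ciphers, MACs, ...) are ignored in this model.
    """
    selected = set()
    for tok in priority.split(":"):
        if tok == "NORMAL":
            selected |= set(ALL_TLS)
        elif tok.startswith(("+VERS-", "-VERS-")):
            name = tok[6:]
            vers = set(ALL_TLS) if name == "TLS-ALL" else {name.lower()}
            if tok[0] == "+":
                selected |= vers
            else:
                selected -= vers
    return selected


def usable_versions(priority: str, config: dict) -> set:
    """Versions actually usable for a handshake.

    config mimics the system-wide config file: optional lists under the
    keys "supported-version" and "disabled-version".
    A version is usable only if (1) the priority string elected it,
    (2) it is supported by default or re-enabled via supported-version, and
    (3) it is not blacklisted via disabled-version.
    """
    selected = select_by_priority(priority)
    supported = (set(ALL_TLS) - LEGACY) | set(config.get("supported-version", []))
    disabled = set(config.get("disabled-version", []))
    return (selected & supported) - disabled


if __name__ == "__main__":
    print(usable_versions("NORMAL", {}))                                   # tls1.2, tls1.3
    print(usable_versions("NORMAL", {"supported-version": ["tls1.0"]}))    # + tls1.0
    print(usable_versions("-VERS-TLS-ALL:+VERS-TLS1.3",
                          {"supported-version": ["tls1.0"]}))              # tls1.3 only
```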
This is a bit of a work in progress. I believe the pipelines should pass with or without this new configure-time option. But I'm not yet fully happy with functionality & negative test coverage. I will add more tests, but the feature code is otherwise ready for review and comments, as it appears to behave the way I described above.
Checklist
- Commits have Signed-off-by: with name/author being identical to the commit author
- Code modified for feature
- Test suite updated with functionality tests
- Test suite updated with negative tests
- Documentation updated / NEWS entry present (for non-trivial changes)
- CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)
Reviewer's checklist:
- Any issues marked for closing are addressed
- There is a test suite reasonably covering new functionality or modifications
- Function naming, parameters, return values, types, etc., are consistent and according to CONTRIBUTION.md
- This feature/change has adequate documentation added
- No obvious mistakes in the code