From 409b9a60c6cdae88519adf23fad72a69f76f3ba3 Mon Sep 17 00:00:00 2001
From: Loganaden Velvindron
Date: Sun, 11 Jun 2017 18:12:50 +0400
Subject: [PATCH 1/3] Add TLS 1.3 support for OpenSSL following draft-18.

Signed-off-by: Loganaden Velvindron
---
 src/init.c | 1 +
 src/openssl.c | 16 ++++++++++++++++
 src/options.h | 1 +
 3 files changed, 18 insertions(+)

diff --git a/src/init.c b/src/init.c
index 5f4eefa9..8f2e4427 100644
--- a/src/init.c
+++ b/src/init.c
@@ -1683,6 +1683,7 @@ cmd_spec_secure_protocol (const char *com, const char *val, void *place)
 { "tlsv1", secure_protocol_tlsv1 },
 { "tlsv1_1", secure_protocol_tlsv1_1 },
 { "tlsv1_2", secure_protocol_tlsv1_2 },
+ { "tlsv1_3", secure_protocol_tlsv1_3 },
 { "pfs", secure_protocol_pfs },
 };
 int ok = decode_string (val, choices, countof (choices), place);
diff --git a/src/openssl.c b/src/openssl.c
index 0404d2d0..fefc94f3 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -240,6 +240,19 @@ ssl_init (void)
 case secure_protocol_tlsv1_2:
 meth = TLSv1_2_client_method ();
 break;
+ case secure_protocol_tlsv1_3:
+#ifdef TLS1_3_VERSION
+ meth = TLS_client_method ();
+ ssl_options |= SSL_OP_NO_SSLv2;
+ ssl_options |= SSL_OP_NO_SSLv3;
+ ssl_options |= SSL_OP_NO_TLSv1;
+ ssl_options |= SSL_OP_NO_TLSv1_1;
+ ssl_options |= SSL_OP_NO_TLSv1_2;
+ break;
+#else
+ logprintf (LOG_NOTQUIET, _("Your OpenSSL version hasn't been compiled with TLS 1.3 support\n"));
+ goto error;
+#endif
 #else
 case secure_protocol_tlsv1_1:
 logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n"));
@@ -248,6 +261,9 @@ ssl_init (void)
 case secure_protocol_tlsv1_2:
 logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n"));
 goto error;
+ case secure_protocol_tlsv1_3:
+ logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.3\n"));
+ goto error;
 #endif
 default:
diff --git a/src/options.h b/src/options.h
index 39729459..44378fd6 100644
--- a/src/options.h
+++ b/src/options.h
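Review bot: `#ifdef TLS1_3_VERSION` in the new `case secure_protocol_tlsv1_3:` does not test what its `#else` message claims: OpenSSL's tls1.h defines `TLS1_3_VERSION` whenever the header knows the protocol, while a library configured with `no-tls1_3` instead sets `OPENSSL_NO_TLS1_3`, so such a build takes the first branch, selects `TLS_client_method ()` and masks out every protocol but 1.3, and every handshake then fails with a generic error instead of the intended "hasn't been compiled with TLS 1.3 support" notice. The guard should read `#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)`. Separately, the six `SSL_OP_NO_*` lines only take effect if `ssl_options` is later handed to `SSL_CTX_set_options` (that happens outside this hunk, so I cannot confirm it), `SSL_OP_NO_SSLv2` is a no-op on any OpenSSL new enough to provide `TLS_client_method ()`, and on those versions `SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION)` after `SSL_CTX_new` is the supported way to pin the floor and needs no new exclusion line when a later protocol version appears. Because the commit targets draft-18, a comment on the case such as `/* Which TLS 1.3 draft is spoken is decided by the linked OpenSSL; draft peers do not interoperate with other drafts or the final RFC. */` would spare users of `--secure-protocol=tlsv1_3` some confusion. ssl_init begins and ends outside the hunk.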
@@ -230,6 +230,7 @@ struct options
 secure_protocol_tlsv1,
 secure_protocol_tlsv1_1,
 secure_protocol_tlsv1_2,
+ secure_protocol_tlsv1_3,
 secure_protocol_pfs
 } secure_protocol; /* type of secure protocol to use. */
 int check_cert; /* whether to validate the server's cert */
--
2.11.0