fuzzball-muck / fuzzball

Ongoing development of the Fuzzball MUCK server software and associated functionality.

Set maximum TLS version #458

Closed ghost closed 5 years ago

ghost commented 5 years ago

Debian and Ubuntu ship tinyfugue packages that are compiled against GnuTLS by way of an OpenSSL-to-GnuTLS shim library. That shim library does not appear to support TLSv1.3.

New deployments or updates of fuzzball compiled on any recent Linux distribution (Debian buster, Ubuntu 18.04 LTS, etc.) do include TLSv1.3 support, courtesy of OpenSSL.

Connecting to a TLSv1.3-enabled fuzzball server from a Debian/Ubuntu GnuTLS-built tinyfugue client results in the connection being instantly dropped.

Is there any way to add a tune for maximum TLS version that the server will support, so that it can be limited to TLSv1.2, and not break those clients?

ghost commented 5 years ago

Thinking about this a little more, it might be better as a compile-time option.

tanabi commented 5 years ago

Agreed, this should be a compile time option. I'm pretty sure you can't switch TLS versions on the fly without some fancy dlopening (though I could be wrong).

I'd recommend doing like '--force-tls-12' or something as a configure option.

tanabi commented 5 years ago

@whislock can you test this out?

Compile thusly:

./configure --enable-force-tls12 --with-ssl

with whatever other options you want.

ghost commented 5 years ago

That did the trick! Thanks again!
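Added example, not code from the fuzzball project or from anyone in this thread: a POSIX shell script that checks from the outside which TLS versions a server will negotiate, so a build made with ./configure --enable-force-tls12 --with-ssl can be verified to really stop at TLSv1.2. It assumes openssl(1) 1.1.1 or later on PATH (so that s_client understands -tls1_2/-tls1_3 and s_server understands -max_protocol), assumes 4201 as the default MUCK port, and its "demo" mode stands up a throwaway openssl s_server capped at TLSv1.2 on 127.0.0.1 to show the refused-versus-accepted outcomes without needing a fuzzball build at all.

```shell
#!/bin/sh
# Added example, not fuzzball's own code: probe which TLS versions a server
# negotiates, so a --enable-force-tls12 build can be checked from the outside.
# Assumes openssl(1) 1.1.1 or later on PATH (s_client knows -tls1_2/-tls1_3,
# s_server knows -max_protocol). The demo port 14433 and the default MUCK
# port 4201 are assumptions for this example.

# tls_probe HOST PORT VER: VER is tls1_2 or tls1_3. Forces the client to exactly
# that version (the closest s_client stand-in for a client that can speak
# nothing else) and prints the negotiated version, or "none" if refused.
tls_probe() {
    # s_client prints "New, TLSv1.2, Cipher is ..." on success and
    # "New, (NONE), Cipher is (NONE)" when the handshake fails.
    got=$(openssl s_client -connect "$1:$2" "-$3" </dev/null 2>/dev/null \
          | sed -n 's/^New, \(TLSv1\.[0-9]\), Cipher is .*/\1/p')
    echo "${got:-none}"
}

# tls_max_version HOST PORT: highest of TLSv1.3/TLSv1.2 the server accepts,
# or "none" if it accepts neither.
tls_max_version() {
    for ver in tls1_3 tls1_2; do
        got=$(tls_probe "$1" "$2" "$ver")
        if [ "$got" != none ]; then
            echo "$got"
            return 0
        fi
    done
    echo none
}

# start_capped_server PORT: throwaway self-signed cert plus a background
# openssl s_server capped at TLSv1.2, the same cap a forced-TLS1.2 server
# build is meant to impose. State is kept in TLSDEMO_DIR / TLSDEMO_PID.
start_capped_server() {
    TLSDEMO_DIR=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$TLSDEMO_DIR/key.pem" -out "$TLSDEMO_DIR/cert.pem" \
        -subj /CN=localhost -days 1 >/dev/null 2>&1
    openssl s_server -accept "$1" -cert "$TLSDEMO_DIR/cert.pem" \
        -key "$TLSDEMO_DIR/key.pem" -max_protocol TLSv1.2 -www >/dev/null 2>&1 &
    TLSDEMO_PID=$!
    # wait (up to ~10 s) until the listener answers a TLSv1.2 handshake
    i=0
    while [ "$i" -lt 10 ] && [ "$(tls_probe 127.0.0.1 "$1" tls1_2)" = none ]; do
        sleep 1
        i=$((i + 1))
    done
}

stop_capped_server() {
    kill "$TLSDEMO_PID" 2>/dev/null || true
    rm -rf "$TLSDEMO_DIR"
}

# report HOST PORT: the check to run against a real server after rebuilding.
report() {
    for ver in tls1_3 tls1_2; do
        echo "$ver-only client -> $(tls_probe "$1" "$2" "$ver")"
    done
    echo "highest accepted -> $(tls_max_version "$1" "$2")"
}

# local_demo: same check against a local server that is known to be capped.
local_demo() {
    start_capped_server 14433
    echo "local openssl s_server capped at TLSv1.2:"
    echo "  tls1_3-only client -> $(tls_probe 127.0.0.1 14433 tls1_3)"   # none
    echo "  tls1_2-only client -> $(tls_probe 127.0.0.1 14433 tls1_2)"   # TLSv1.2
    echo "  highest accepted   -> $(tls_max_version 127.0.0.1 14433)"  # TLSv1.2
    stop_capped_server
}

case "${1:-}" in
    demo) local_demo ;;
    "")   echo "usage: $0 HOST [PORT] | demo" ;;
    *)    report "$1" "${2:-4201}" ;;
esac
```

sh tls_max_check.sh muck.example.org 4201 probes a real server; sh tls_max_check.sh demo runs the local demonstration. A forced-TLSv1.3 client being refused while a forced-TLSv1.2 client connects is what a correctly capped server shows; a server that answers both is still offering TLSv1.3, so the configure option did not take effect in that binary.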