Always define TLSv3

Author: amousset

Cargo.toml

@@ -24,7 +24,7 @@ libc = "0.2"
 tempfile = "3.1.0"
 
 [target.'cfg(target_os = "windows")'.dependencies]
-schannel = "0.1.17"
+schannel = "0.1.20"
 
 [target.'cfg(not(any(target_os = "windows", target_os = "macos", target_os = "ios")))'.dependencies]
 log = "0.4.5"

src/imp/openssl.rs

@@ -23,22 +23,24 @@ fn supported_protocols(
     min: Option<Protocol>,
     max: Option<Protocol>,
     ctx: &mut SslContextBuilder,
-) -> Result<(), ErrorStack> {
+) -> Result<(), Error> {
     use self::openssl::ssl::SslVersion;
 
-    fn cvt(p: Protocol) -> SslVersion {
+    fn cvt(p: Protocol) -> Result<SslVersion, Error> {
         match p {
-            Protocol::Sslv3 => SslVersion::SSL3,
-            Protocol::Tlsv10 => SslVersion::TLS1,
-            Protocol::Tlsv11 => SslVersion::TLS1_1,
-            Protocol::Tlsv12 => SslVersion::TLS1_2,
+            Protocol::Sslv3 => Ok(SslVersion::SSL3),
+            Protocol::Tlsv10 => Ok(SslVersion::TLS1),
+            Protocol::Tlsv11 => Ok(SslVersion::TLS1_1),
+            Protocol::Tlsv12 => Ok(SslVersion::TLS1_2),
             #[cfg(have_tls13_version)]
-            Protocol::Tlsv13 => SslVersion::TLS1_3,
+            Protocol::Tlsv13 => Ok(SslVersion::TLS1_3),
+            #[cfg(not(have_tls13_version))]
+            Protocol::Tlsv13 => Err(Error::UnsupportedTls13)
         }
     }
 
-    ctx.set_min_proto_version(min.map(cvt))?;
-    ctx.set_max_proto_version(max.map(cvt))?;
+    ctx.set_min_proto_version(min.map(cvt).transpose()?)?;
+    ctx.set_max_proto_version(max.map(cvt).transpose()?)?;
 
     Ok(())
 }
@@ -117,6 +119,7 @@ pub enum Error {
     Ssl(ssl::Error, X509VerifyResult),
     EmptyChain,
     NotPkcs8,
+    UnsupportedTls13,
 }
 
 impl error::Error for Error {
@@ -126,6 +129,7 @@ impl error::Error for Error {
             Error::Ssl(ref e, _) => error::Error::source(e),
             Error::EmptyChain => None,
             Error::NotPkcs8 => None,
+            Error::UnsupportedTls13 => None,
         }
     }
 }
@@ -141,6 +145,7 @@ impl fmt::Display for Error {
                 "at least one certificate must be provided to create an identity"
             ),
             Error::NotPkcs8 => write!(fmt, "expected PKCS#8 PEM"),
+            Error::UnsupportedTls13 => write!(fmt, "TLS version 1.3 not supported"),
         }
     }
 }

src/imp/schannel.rs

@@ -19,6 +19,7 @@ static PROTOCOLS: &'static [Protocol] = &[
     Protocol::Tls10,
     Protocol::Tls11,
     Protocol::Tls12,
+    Protocol::Tls13,
 ];
 
 fn convert_protocols(min: Option<::Protocol>, max: Option<::Protocol>) -> &'static [Protocol] {

src/imp/security_framework.rs

@@ -43,12 +43,14 @@ static SET_AT_EXIT: Once = Once::new();
 #[cfg(not(target_os = "ios"))]
 static TEMP_KEYCHAIN: Lazy<Mutex<Option<(SecKeychain, TempDir)>>> = Lazy::new(|| Mutex::new(None));
 
-fn convert_protocol(protocol: Protocol) -> SslProtocol {
+fn convert_protocol(protocol: Protocol) -> Result<SslProtocol, Error> {
     match protocol {
-        Protocol::Sslv3 => SslProtocol::SSL3,
-        Protocol::Tlsv10 => SslProtocol::TLS1,
-        Protocol::Tlsv11 => SslProtocol::TLS11,
-        Protocol::Tlsv12 => SslProtocol::TLS12,
+        Protocol::Sslv3 => Ok(SslProtocol::SSL3),
+        Protocol::Tlsv10 => Ok(SslProtocol::TLS1),
+        Protocol::Tlsv11 => Ok(SslProtocol::TLS11),
+        Protocol::Tlsv12 => Ok(SslProtocol::TLS12),
+        // Not supported in SecureTransport API used in security_framework
+        Protocol::Tlsv13 => Err(Error(base::Error::from("TLS 1.3 is not supported")))
     }
 }
 

src/lib.rs

@@ -324,8 +324,8 @@ pub enum Protocol {
     Tlsv12,
     /// The TLS 1.3 protocol.
     ///
-    /// Requires OpenSSL 1.1.1 or LibreSSL 3.4.0 or newer.
-    #[cfg(have_tls13_version)]
+    /// Only works on Windows, or with openssl >= 1.1.1 or libressl >= 3.4.0.
+    /// It will fail at runtime when used in other situations.
     Tlsv13,
 }