tls: remove support for TLS 1.0 and 1.1.

Those old algorithms are not used anywhere, and are not recommended. TLS 1.2 support has been prevalent for over a decade.
author: Garrett D'Amore <garrett@damore.org> 2024-11-16 13:27:45 -0800
committer: Garrett D'Amore <garrett@damore.org> 2024-11-16 13:53:28 -0800
commit: 1ca297dd9cd5daaab9be45d210f0f4df814cea03 (patch)
tree: a02dfe064e3a768b976407af62ab988202dcef9c /src/supplemental/tls
parent: 9ecd18c0089195ad914f68137e7671c267e55a99 (diff)
download: nng-1ca297dd9cd5daaab9be45d210f0f4df814cea03.tar.gz
nng-1ca297dd9cd5daaab9be45d210f0f4df814cea03.tar.bz2
nng-1ca297dd9cd5daaab9be45d210f0f4df814cea03.zip
3 files changed, 8 insertions, 44 deletions
diff --git a/src/supplemental/tls/mbedtls/tls.c b/src/supplemental/tls/mbedtls/tls.c
index 3dd39f7f..8b62cd7f 100644
--- a/src/supplemental/tls/mbedtls/tls.c
+++ b/src/supplemental/tls/mbedtls/tls.c
@@ -467,9 +467,8 @@ config_init(nng_tls_engine_config *cfg, enum nng_tls_mode mode)
 
 	mbedtls_ssl_conf_authmode(&cfg->cfg_ctx, auth_mode);
 
-	// Default: we *require* TLS v1.2 or newer, which is also known as
-	// SSL v3.3. As of this writing, Mbed TLS still does not support
-	// version 1.3, and we would want to test it before enabling it here.
+	// We *require* TLS v1.2 or newer, which is also known as SSL
+	// v3.3.
 	cfg->min_ver = MBEDTLS_SSL_MINOR_VERSION_3;
 #ifdef MBEDTLS_SSL_PROTO_TLS1_3
 	cfg->max_ver = MBEDTLS_SSL_MINOR_VERSION_4;
@@ -689,16 +688,6 @@ config_version(nng_tls_engine_config *cfg, nng_tls_version min_ver,
 		return (NNG_ENOTSUP);
 	}
 	switch (min_ver) {
-#ifdef MBEDTLS_SSL_MINOR_VERSION_1
-	case NNG_TLS_1_0:
-		v1 = MBEDTLS_SSL_MINOR_VERSION_1;
-		break;
-#endif
-#ifdef MBEDTLS_SSL_MINOR_VERSION_2
-	case NNG_TLS_1_1:
-		v1 = MBEDTLS_SSL_MINOR_VERSION_2;
-		break;
-#endif
 #ifdef MBEDTLS_SSL_MINOR_VERSION_3
 	case NNG_TLS_1_2:
 		v1 = MBEDTLS_SSL_MINOR_VERSION_3;
@@ -716,16 +705,6 @@ config_version(nng_tls_engine_config *cfg, nng_tls_version min_ver,
 	}
 
 	switch (max_ver) {
-#ifdef MBEDTLS_SSL_MINOR_VERSION_1
-	case NNG_TLS_1_0:
-		v2 = MBEDTLS_SSL_MINOR_VERSION_1;
-		break;
-#endif
-#ifdef MBEDTLS_SSL_MINOR_VERSION_2
-	case NNG_TLS_1_1:
-		v2 = MBEDTLS_SSL_MINOR_VERSION_2;
-		break;
-#endif
 #ifdef MBEDTLS_SSL_MINOR_VERSION_3
 	case NNG_TLS_1_2:
 		v2 = MBEDTLS_SSL_MINOR_VERSION_3;
diff --git a/src/supplemental/tls/tls_test.c b/src/supplemental/tls/tls_test.c
index 9317890d..5eb981ac 100644
--- a/src/supplemental/tls/tls_test.c
+++ b/src/supplemental/tls/tls_test.c
@@ -20,29 +20,20 @@ test_tls_config_version(void)
 	NUTS_PASS(nng_tls_config_alloc(&cfg, NNG_TLS_MODE_SERVER));
 
 	// Verify that min ver < max ver
-	NUTS_FAIL(nng_tls_config_version(cfg, NNG_TLS_1_3, NNG_TLS_1_0),
+	NUTS_FAIL(nng_tls_config_version(cfg, NNG_TLS_1_3, NNG_TLS_1_2),
 	    NNG_ENOTSUP);
 
-	// Verify that we cannot configure SSL 3.0 or older.
-	NUTS_FAIL(nng_tls_config_version(cfg, NNG_TLS_1_0 - 1, NNG_TLS_1_0),
+	// Verify that we cannot configure TLS 1.1 or older.
+	NUTS_FAIL(
+	    nng_tls_config_version(cfg, NNG_TLS_1_2 - 1, NNG_TLS_1_2 - 1),
 	    NNG_ENOTSUP);
 
 	// Verify that we cannot configure TLS > 1.3.
-	NUTS_FAIL(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_3 + 1),
+	NUTS_FAIL(nng_tls_config_version(cfg, NNG_TLS_1_2, NNG_TLS_1_3 + 1),
 	    NNG_ENOTSUP);
 
 	// Verify that we *can* configure some various ranges starting with
-	// TLS v1.2.  Note that some libraries no longer support TLS 1.0
-	// and TLS 1.1, so we don't test for them.
-#if 0
-	NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_0));
-	NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_1));
-	NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_2));
-	NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_3));
-	NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_1, NNG_TLS_1_1));
-	NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_1, NNG_TLS_1_2));
-	NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_1, NNG_TLS_1_3));
-#endif
+	// TLS v1.2.
 	NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_2, NNG_TLS_1_2));
 	NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_2, NNG_TLS_1_3));
 
diff --git a/src/supplemental/tls/wolfssl/wolfssl.c b/src/supplemental/tls/wolfssl/wolfssl.c
index 626a75d9..c2d6196a 100644
--- a/src/supplemental/tls/wolfssl/wolfssl.c
+++ b/src/supplemental/tls/wolfssl/wolfssl.c
@@ -602,12 +602,6 @@ wolf_config_version(nng_tls_engine_config *cfg, nng_tls_version min_ver,
 		return (NNG_ENOTSUP);
 	}
 	switch (min_ver) {
-	case NNG_TLS_1_0:
-		rv = wolfSSL_CTX_SetMinVersion(cfg->ctx, WOLFSSL_TLSV1);
-		break;
-	case NNG_TLS_1_1:
-		rv = wolfSSL_CTX_SetMinVersion(cfg->ctx, WOLFSSL_TLSV1_1);
-		break;
 	case NNG_TLS_1_2:
 		rv = wolfSSL_CTX_SetMinVersion(cfg->ctx, WOLFSSL_TLSV1_2);
 		break;
author	Garrett D'Amore <garrett@damore.org>	2024-11-16 13:27:45 -0800
committer	Garrett D'Amore <garrett@damore.org>	2024-11-16 13:53:28 -0800
commit	1ca297dd9cd5daaab9be45d210f0f4df814cea03 (patch)
tree	a02dfe064e3a768b976407af62ab988202dcef9c /src/supplemental/tls
parent	9ecd18c0089195ad914f68137e7671c267e55a99 (diff)
download	nng-1ca297dd9cd5daaab9be45d210f0f4df814cea03.tar.gz nng-1ca297dd9cd5daaab9be45d210f0f4df814cea03.tar.bz2 nng-1ca297dd9cd5daaab9be45d210f0f4df814cea03.zip