
It is possible to configure TLS 1.3 restrictions

(+ reusing SetupSsl for FTP)

Source commit: 426bf5c70861f8a2964967d32ef5b5e36bbb1ac6
Martin Prikryl 5 years ago
parent
commit
0e4e2e6bc8

+ 7 - 8
source/core/FtpFileSystem.cpp

@@ -15,6 +15,7 @@
 #include "TextsFileZilla.h"
 #include "HelpCore.h"
 #include "Security.h"
+#include "NeonIntf.h"
 #include <StrUtils.hpp>
 #include <DateUtils.hpp>
 #include <openssl/x509_vfy.h>
@@ -61,6 +62,7 @@ protected:
   virtual bool GetFileModificationTimeInUtc(const wchar_t * FileName, struct tm & Time);
   virtual wchar_t * LastSysErrorMessage();
   virtual std::wstring GetClientString();
+  virtual void SetupSsl(ssl_st * Ssl);
 
 private:
   TFTPFileSystem * FFileSystem;
@@ -162,6 +164,11 @@ std::wstring TFileZillaImpl::GetClientString()
   return std::wstring(SshVersionString().c_str());
 }
 //---------------------------------------------------------------------------
+void TFileZillaImpl::SetupSsl(ssl_st * Ssl)
+{
+  ::SetupSsl(Ssl, FFileSystem->FTerminal->SessionData->MinTlsVersion, FFileSystem->FTerminal->SessionData->MaxTlsVersion);
+}
+//---------------------------------------------------------------------------
 //---------------------------------------------------------------------------
 class TMessageQueue : public std::list<std::pair<WPARAM, LPARAM> >
 {
@@ -2703,14 +2710,6 @@ int __fastcall TFTPFileSystem::GetOptionVal(int OptionID) const
       Result = (Data->SslSessionReuse ? TRUE : FALSE);
       break;
 
-    case OPTION_MPEXT_MIN_TLS_VERSION:
-      Result = Data->MinTlsVersion;
-      break;
-
-    case OPTION_MPEXT_MAX_TLS_VERSION:
-      Result = Data->MaxTlsVersion;
-      break;
-
     case OPTION_MPEXT_SNDBUF:
       Result = Data->SendBuf;
       break;
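Review bot: The new `TFileZillaImpl::SetupSsl` override walks `FFileSystem->FTerminal->SessionData` twice on one line, which is hard to read and easy to get out of step if one argument is later changed without the other; bind it once: `TSessionData * Data = FFileSystem->FTerminal->SessionData;` followed by `::SetupSsl(Ssl, Data->MinTlsVersion, Data->MaxTlsVersion);`. Since this override is now the only place where the FTP path applies the session's TLS version limits, a one-line comment would help the next reader: `// Applies the session's Min/MaxTlsVersion limits; called from CAsyncSslSocketLayer::InitSSLConnection`. The `GetOptionVal` hunk further down starts and ends outside the visible lines.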

+ 2 - 1
source/core/NeonIntf.cpp

@@ -511,7 +511,8 @@ void SetupSsl(ssl_st * Ssl, TTlsVersion MinTlsVersion, TTlsVersion MaxTlsVersion
     MASK_TLS_VERSION(ssl3, SSL_OP_NO_SSLv3) |
     MASK_TLS_VERSION(tls10, SSL_OP_NO_TLSv1) |
     MASK_TLS_VERSION(tls11, SSL_OP_NO_TLSv1_1) |
-    MASK_TLS_VERSION(tls12, SSL_OP_NO_TLSv1_2);
+    MASK_TLS_VERSION(tls12, SSL_OP_NO_TLSv1_2) |
+    MASK_TLS_VERSION(tls13, SSL_OP_NO_TLSv1_3);
   // adds flags (not sets)
   SSL_set_options(Ssl, Options);
 }
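Review bot: The added `MASK_TLS_VERSION(tls13, SSL_OP_NO_TLSv1_3)` term shows the weakness of expressing a min/max range as a hand-maintained list of `SSL_OP_NO_*` bits: any protocol version missing from the list stays enabled regardless of `MaxTlsVersion`, so a configured cap is silently not enforced until someone extends the list, which is what this commit has to do. OpenSSL 1.1.0 and later provide `SSL_set_min_proto_version`/`SSL_set_max_proto_version`, which express the range directly and cannot leave such gaps; consider switching to them once the minimum supported OpenSSL allows it, noting that `SSL_OP_NO_TLSv1_3` itself is only defined from OpenSSL 1.1.1. `SetupSsl` starts before this hunk, so the base options (for example whether `SSL_OP_ALL` is still OR-ed in) are not visible here.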

+ 0 - 1
source/core/S3FileSystem.cpp

@@ -188,7 +188,6 @@ void TS3FileSystem::LibS3SessionCallback(ne_session_s * Session, void * Callback
 //------------------------------------------------------------------------------
 void TS3FileSystem::InitSslSession(ssl_st * Ssl, ne_session * /*Session*/)
 {
-  // See also CAsyncSslSocketLayer::InitSSLConnection
   SetupSsl(Ssl, FTerminal->SessionData->MinTlsVersion, FTerminal->SessionData->MaxTlsVersion);
 }
 //---------------------------------------------------------------------------

+ 1 - 1
source/core/SessionData.cpp

@@ -265,7 +265,7 @@ void __fastcall TSessionData::DefaultSettings()
   FtpTransferActiveImmediately = asAuto;
   Ftps = ftpsNone;
   MinTlsVersion = tls10;
-  MaxTlsVersion = tls12;
+  MaxTlsVersion = tls13;
   FtpListAll = asAuto;
   FtpHost = asAuto;
   FtpDeleteFromCwd = asAuto;
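Review bot: Raising the default `MaxTlsVersion` to `tls13` in `DefaultSettings` only affects sessions that take the default; whether a session stored while `tls12` was the default keeps an explicit TLS 1.2 cap after upgrade depends on the load/save code, which is not in this diff, so it is worth confirming that such sessions are not left pinned below the new default. `MinTlsVersion` remains `tls10`, so the default floor is unchanged by this commit; a short comment next to the two assignments, e.g. `// default range tls10..tls13; tls13 is only effective with an OpenSSL that supports it`, would document the intent.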

+ 1 - 1
source/core/SessionData.h

@@ -36,7 +36,7 @@ enum TAddressFamily { afAuto, afIPv4, afIPv6 };
 enum TFtps { ftpsNone, ftpsImplicit, ftpsExplicitSsl, ftpsExplicitTls };
 // has to match SSL_VERSION_XXX constants in AsyncSslSocketLayer.h
 // ssl2 has no effect now
-enum TTlsVersion { ssl2 = 2, ssl3 = 3, tls10 = 10, tls11 = 11, tls12 = 12 };
+enum TTlsVersion { ssl2 = 2, ssl3 = 3, tls10 = 10, tls11 = 11, tls12 = 12, tls13 = 13 };
 // has to match libs3 S3UriStyle
 enum TS3UrlStyle { s3usVirtualHost, s3usPath };
 enum TSessionSource { ssNone, ssStored, ssStoredModified };
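Review bot: The comment above the `TTlsVersion` enum still says the values "have to match SSL_VERSION_XXX constants in AsyncSslSocketLayer.h", but after this commit `InitSSLConnection` no longer receives the version numbers at all (it takes a `CFileZillaTools *` and delegates to `SetupSsl`), so that coupling may be obsolete. If nothing else reads the `SSL_VERSION_*` defines, the comment and the defines — including the `SSL_VERSION_TLS13` added in the AsyncSslSocketLayer.h hunk — could be dropped rather than maintaining two parallel lists; if something does still read them, the comment should name that consumer.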

+ 2 - 0
source/core/SessionInfo.cpp

@@ -1069,6 +1069,8 @@ UnicodeString __fastcall TSessionLog::GetTlsVersionName(TTlsVersion TlsVersion)
       return "TLSv1.1";
     case tls12:
       return "TLSv1.2";
+    case tls13:
+      return "TLSv1.3";
   }
 }
 //---------------------------------------------------------------------------
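Review bot: The `switch` in `TSessionLog::GetTlsVersionName` has no `default:` and the closing brace is reached directly after the new `tls13` case, so a `TTlsVersion` value not listed in the switch falls off the end of a function returning `UnicodeString`, which is undefined behaviour; this is pre-existing, but the commit extends the switch and is a natural place to close it with `default: return UnicodeString();` or an equivalent failure path. The earlier cases of the switch are outside the hunk, so I cannot see whether `ssl2`/`ssl3` are handled.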

+ 0 - 1
source/core/WebDAVFileSystem.cpp

@@ -1957,7 +1957,6 @@ void TWebDAVFileSystem::NeonNotifier(void * UserData, ne_session_status Status,
 //------------------------------------------------------------------------------
 void TWebDAVFileSystem::InitSslSession(ssl_st * Ssl, ne_session * /*Session*/)
 {
-  // See also CAsyncSslSocketLayer::InitSSLConnection
   SetupSsl(Ssl, FTerminal->SessionData->MinTlsVersion, FTerminal->SessionData->MaxTlsVersion);
 }
 //---------------------------------------------------------------------------

+ 3 - 11
source/filezilla/AsyncSslSocketLayer.cpp

@@ -8,6 +8,7 @@
 //---------------------------------------------------------------------------
 #include "stdafx.h"
 #include "AsyncSslSocketLayer.h"
+#include "FilezillaTools.h"
 
 #include <openssl/x509v3.h>
 #include <openssl/err.h>
@@ -637,7 +638,7 @@ BOOL CAsyncSslSocketLayer::Connect(LPCTSTR lpszHostAddress, UINT nHostPort)
 
 int CAsyncSslSocketLayer::InitSSLConnection(bool clientMode,
   CAsyncSslSocketLayer* main, bool sessionreuse,
-  int minTlsVersion, int maxTlsVersion,
+  CFileZillaTools * tools,
   void* pSslContext /*=0*/)
 {
   if (m_bUseSSL)
@@ -731,16 +732,7 @@ int CAsyncSslSocketLayer::InitSSLConnection(bool clientMode,
     return SSL_FAILURE_INITSSL;
   }
 
-  // See also TWebDAVFileSystem::InitSslSession
-  #define MASK_TLS_VERSION(VERSION, FLAG) ((minTlsVersion > VERSION) || (maxTlsVersion < VERSION) ? FLAG : 0)
-  long options =
-    SSL_OP_ALL |
-    MASK_TLS_VERSION(SSL_VERSION_SSL3, SSL_OP_NO_SSLv3) |
-    MASK_TLS_VERSION(SSL_VERSION_TLS10, SSL_OP_NO_TLSv1) |
-    MASK_TLS_VERSION(SSL_VERSION_TLS11, SSL_OP_NO_TLSv1_1) |
-    MASK_TLS_VERSION(SSL_VERSION_TLS12, SSL_OP_NO_TLSv1_2);
-  // adds flags (not sets)
-  SSL_set_options(m_ssl, options);
+  tools->SetupSsl(m_ssl);
 
   //Init SSL connection
   void *ssl_sessionid = NULL;
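Review bot: `tools->SetupSsl(m_ssl);` dereferences the new `tools` parameter without a check, and the callers in FtpControlSocket.cpp and TransferSocket.cpp simply forward `m_pTools` / `m_pOwner->m_pTools`, whose initialisation is not visible in this diff; a guard such as `if (tools == NULL) return SSL_FAILURE_INITSSL;` placed before the call would turn a null into the existing initialisation failure instead of a crash, if that code path is reachable. The removed block also OR-ed `SSL_OP_ALL` into the options; whether `SetupSsl` in NeonIntf.cpp applies the same base flags is not visible (its start lies outside that hunk), so please confirm the FTP path does not silently gain or lose workaround options. `InitSSLConnection` continues past the end of this hunk.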

+ 3 - 1
source/filezilla/AsyncSslSocketLayer.h

@@ -116,6 +116,7 @@ struct t_SslCertData
 };
 //---------------------------------------------------------------------------
 class CCriticalSectionWrapper;
+class CFileZillaTools;
 //---------------------------------------------------------------------------
 class CAsyncSslSocketLayer : public CAsyncSocketExLayer
 {
@@ -133,7 +134,7 @@ public:
   bool IsUsingSSL();
   int InitSSLConnection(bool clientMode,
     CAsyncSslSocketLayer * main,
-    bool sessionreuse, int minTlsVersion, int maxTlsVersion,
+    bool sessionreuse, CFileZillaTools * tools,
     void* pContext = 0);
 
   // Send raw text, useful to send a confirmation after the ssl connection
@@ -246,5 +247,6 @@ private:
 #define SSL_VERSION_TLS10 10
 #define SSL_VERSION_TLS11 11
 #define SSL_VERSION_TLS12 12
+#define SSL_VERSION_TLS13 13
 //---------------------------------------------------------------------------
 #endif // AsyncSslSocketLayerH

+ 0 - 2
source/filezilla/FileZillaOpt.h

@@ -44,8 +44,6 @@
 #define OPTION_MPEXT_PRESERVEUPLOADFILETIME 1001
 #define OPTION_MPEXT_SSLSESSIONREUSE 1002
 #define OPTION_MPEXT_SNDBUF 1003
-#define OPTION_MPEXT_MIN_TLS_VERSION 1004
-#define OPTION_MPEXT_MAX_TLS_VERSION 1005
 #define OPTION_MPEXT_TRANSFER_ACTIVE_IMMEDIATELY 1006
 #define OPTION_MPEXT_REMOVE_BOM 1007
 #define OPTION_MPEXT_LOG_SENSITIVE 1008

+ 2 - 0
source/filezilla/FilezillaTools.h

@@ -3,6 +3,7 @@
 #define FileZillaToolsH
 //---------------------------------------------------------------------------
 #include <ctime>
+#include <openssl/ssl.h>
 //---------------------------------------------------------------------------
 class CFileZillaTools
 {
@@ -11,6 +12,7 @@ public:
   virtual bool GetFileModificationTimeInUtc(const wchar_t * FileName, struct tm & Time) = 0;
   virtual wchar_t * LastSysErrorMessage() = 0;
   virtual std::wstring GetClientString() = 0;
+  virtual void SetupSsl(ssl_st * Ssl) = 0;
 };
 //---------------------------------------------------------------------------
 #endif // FileZillaToolsH
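Review bot: The new `#include <openssl/ssl.h>` pulls the whole OpenSSL API into every translation unit that includes this interface header, while the header itself only names `ssl_st` as a pointer type in the pure virtual `SetupSsl`; a forward declaration `struct ssl_st;` is sufficient here and matches how AsyncSslSocketLayer.h forward-declares `class CFileZillaTools;` in the same commit. A brief comment on the new member would also help implementers: `// Apply the session's TLS version limits to a freshly created SSL object`.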

+ 2 - 4
source/filezilla/FtpControlSocket.cpp

@@ -505,8 +505,7 @@ void CFtpControlSocket::Connect(t_server &server)
     }
     int res = m_pSslLayer->InitSSLConnection(true, NULL,
       GetOptionVal(OPTION_MPEXT_SSLSESSIONREUSE),
-      GetOptionVal(OPTION_MPEXT_MIN_TLS_VERSION),
-      GetOptionVal(OPTION_MPEXT_MAX_TLS_VERSION));
+      m_pTools);
     if (res == SSL_FAILURE_INITSSL)
       ShowStatus(IDS_ERRORMSG_CANTINITSSL, FZ_LOG_ERROR);
     if (res)
@@ -636,8 +635,7 @@ void CFtpControlSocket::LogOnToServer(BOOL bSkipReply /*=FALSE*/)
       }
       int res = m_pSslLayer->InitSSLConnection(true, NULL,
         GetOptionVal(OPTION_MPEXT_SSLSESSIONREUSE),
-        GetOptionVal(OPTION_MPEXT_MIN_TLS_VERSION),
-        GetOptionVal(OPTION_MPEXT_MAX_TLS_VERSION));
+        m_pTools);
       if (res == SSL_FAILURE_INITSSL)
         ShowStatus(IDS_ERRORMSG_CANTINITSSL, FZ_LOG_ERROR);
       if (res)

+ 1 - 2
source/filezilla/TransferSocket.cpp

@@ -414,8 +414,7 @@ void CTransferSocket::Start()
     AddLayer(m_pSslLayer);
     int res = m_pSslLayer->InitSSLConnection(true, m_pOwner->m_pSslLayer,
       GetOptionVal(OPTION_MPEXT_SSLSESSIONREUSE),
-      GetOptionVal(OPTION_MPEXT_MIN_TLS_VERSION),
-      GetOptionVal(OPTION_MPEXT_MAX_TLS_VERSION));
+      m_pOwner->m_pTools);
     if (res == SSL_FAILURE_INITSSL)
     {
       m_pOwner->ShowStatus(IDS_ERRORMSG_CANTINITSSL, FZ_LOG_ERROR);

+ 4 - 0
source/forms/SiteAdvanced.cpp

@@ -1489,6 +1489,8 @@ TTlsVersion __fastcall TSiteAdvancedDialog::IndexToTlsVersion(int Index)
       return tls11;
     case 3:
       return tls12;
+    case 4:
+      return tls13;
   }
 }
 //---------------------------------------------------------------------------
@@ -1507,6 +1509,8 @@ int __fastcall TSiteAdvancedDialog::TlsVersionToIndex(TTlsVersion TlsVersion)
       return 2;
     case tls12:
       return 3;
+    case tls13:
+      return 4;
   }
 }
 //---------------------------------------------------------------------------

+ 4 - 2
source/forms/SiteAdvanced.dfm

@@ -1830,7 +1830,8 @@ object SiteAdvancedDialog: TSiteAdvancedDialog
               'SSL 3.0'
               'TLS 1.0'
               'TLS 1.1'
-              'TLS 1.2')
+              'TLS 1.2'
+              'TLS 1.3')
           end
           object MaxTlsVersionCombo: TComboBox
             Left = 304
@@ -1845,7 +1846,8 @@ object SiteAdvancedDialog: TSiteAdvancedDialog
               'SSL 3.0'
               'TLS 1.0'
               'TLS 1.1'
-              'TLS 1.2')
+              'TLS 1.2'
+              'TLS 1.3')
           end
           object SslSessionReuseCheck: TCheckBox
             Left = 12