Set OPENSSL_NO_EXTERNAL_PSK_TLS13 to indicate lack of TLS 1.3 PSK #2399
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1fe522f to
fed0258
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2399 +/- ##
==========================================
- Coverage 78.79% 78.78% -0.01%
==========================================
Files 620 620
Lines 108076 108076
Branches 15347 15357 +10
==========================================
- Hits 85157 85150 -7
- Misses 22261 22267 +6
- Partials 658 659 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
justsmth
approved these changes
May 7, 2025
darylmartin100
approved these changes
May 7, 2025
skmcgrail
added a commit
that referenced
this pull request
May 23, 2025
## What's Changed * Fix prefix build when path has spaces by @justsmth in #2400 * Prepare v1.51.2 by @justsmth in #2401 * Set OPENSSL_NO_EXTERNAL_PSK_TLS13 to indicate lack of TLS 1.3 PSK by @WillChilds-Klein in #2399 * BIO datagram functions by @justsmth in #2321 * Reject NewSessionTicket messages with empty tickets in TLS 1.3 by @justsmth in #2367 * Ensure that AVX512 is not used on macOS by @justsmth in #2363 * Fix socket test issues by @torben-hansen in #2404 * Remove python CI patch for main by @WillChilds-Klein in #2407 * Remove xmlsec patch by @smittals2 in #2405 * Fix clang tidy ci by @justsmth in #2375 * Mark fallible container operations as `nodiscard` by @justsmth in #2366 * Remove extra va_end in err_add_error_vdata by @justsmth in #2364 * Check for QUIC in SSL_process_quic_post_handshake by @justsmth in #2365 * Add missing symbols for Unbound by @nhatnghiho in #2352 * Update mlkem-native by @hanno-becker in #2406 * CI for iOS by @justsmth in #2389 * Squelch clang-tidy by @justsmth in #2414 * Clang-tidy is still noisy by @justsmth in #2417 * Add back two rules for clang-tidy by @smittals2 in #2418 * Implement BIO_dump by @kingstjo in #2331 * Make ASN1_get_object a direct call by @samuel40791765 in #2332 * Add Python 3.9 CI patch by @WillChilds-Klein in #2415 * Rework memory BIOs and implement BIO_seek by @nhatnghiho in #2380 * ML-DSA: ASN.1 Module - add parsing of BOTH private key format by @jakemas in #2416 * Detection of unused results by @justsmth in #2411 * Fix gtest_util.sh failure detection by @justsmth in #2423 * Remove unused docs/configs by @torben-hansen in #2427 * ML-DSA: Add ML-DSA keyGen to break-kat.go by @jakemas in #2422 * Fix CI for mingw by @justsmth in #2428 * Bump AWSLC_API_VERSION for X509_STORE_CTX_set_verify_crit_oids by @samuel40791765 in #2426 * Revert "Rework memory BIOs and implement BIO_seek (#2380)" by @samuel40791765 in #2432 * Resolve SSL_PRIVATE_METHOD and certificate slots functionality by @skmcgrail in #2429 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes:
Due to security concerns, neither AWS-LC nor BoringSSL support external (i.e. non-session-resumption, established out of band) PSKs in TLS 1.3. This PR proposes a "configuration" flag to indicate this limitation to consumers, much as we did with
OPENSSL_NO_TLS_PHAin 0aebf17.Call-outs:
Other cryptography libraries do not set this macro; it's unique to us.
Testing:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.