git: 129aec722502 - main - libfetch: allow disabling TLS v1.3 when the connection

From: Eugene Grosbein <eugen_at_FreeBSD.org>
Date: Thu, 22 Jan 2026 14:39:55 UTC
The branch main has been updated by eugen:

URL: https://cgit.FreeBSD.org/src/commit/?id=129aec72250266e60c07ff4643623188f7c27a9d

commit 129aec72250266e60c07ff4643623188f7c27a9d
Author:     Eugene Grosbein <eugen@FreeBSD.org>
AuthorDate: 2026-01-22 14:37:54 +0000
Commit:     Eugene Grosbein <eugen@FreeBSD.org>
CommitDate: 2026-01-22 14:37:54 +0000

    libfetch: allow disabling TLS v1.3 when negotiating the connection
    
    MFC after:      3 days
---
 lib/libfetch/common.c |  2 ++
 lib/libfetch/fetch.3  | 12 ++++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
index a9935ef176da..9b36a9e61a75 100644
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -1048,6 +1048,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
 		ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
 	if (getenv("SSL_NO_TLS1_2") != NULL)
 		ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
+	if (getenv("SSL_NO_TLS1_3") != NULL)
+		ssl_ctx_options |= SSL_OP_NO_TLSv1_3;
 	if (verbose)
 		fetch_info("SSL options: %lx", ssl_ctx_options);
 	SSL_CTX_set_options(ctx, ssl_ctx_options);
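Review bot: Once SSL_NO_TLS1_3 is honoured, a user who sets all four SSL_NO_TLS1* variables has disabled every version libfetch allows (the surrounding text says TLSv1 and newer are allowed by default), and nothing in the hunk notices that before SSL_CTX_set_options, so the handshake presumably fails later with no hint as to why. A check before the verbose print that all of SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2 and SSL_OP_NO_TLSv1_3 are set in ssl_ctx_options, followed by a diagnostic such as `fetch_info("all TLS versions disabled by SSL_NO_TLS1* variables")`, would make that misconfiguration visible instead of silent. Because this variable lowers the maximum negotiated version rather than raising the minimum, a one-line comment above the new check, `/* Unlike the older SSL_NO_TLS1* knobs, this one caps the protocol version and weakens what gets negotiated. */`, would help the next reader understand why it differs in effect. SSL_OP_NO_TLSv1_3 only exists in OpenSSL 1.1.1 and later, so if this file is ever built against an older library an `#ifdef SSL_OP_NO_TLSv1_3` guard around the two added lines would cost nothing. The enclosing function fetch_ssl_setup_transport_layer starts and ends outside the hunk.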
diff --git a/lib/libfetch/fetch.3 b/lib/libfetch/fetch.3
index 5f7489799cf6..20a22a263b5b 100644
--- a/lib/libfetch/fetch.3
+++ b/lib/libfetch/fetch.3
@@ -24,7 +24,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd October 7, 2023
+.Dd January 22, 2026
 .Dt FETCH 3
 .Os
 .Sh NAME
@@ -450,9 +450,11 @@ allows TLSv1 and newer when negotiating the connecting with the remote
 peer.
 You can change this behavior by setting the
 .Ev SSL_NO_TLS1 ,
-.Ev SSL_NO_TLS1_1 and
-.Ev SSL_NO_TLS1_2
-environment variables to disable TLS 1.0, 1.1 and 1.2 respectively.
+.Ev SSL_NO_TLS1_1 ,
+.Ev SSL_NO_TLS1_2 and
+.Ev SSL_NO_TLS1_3
+environment variables to disable TLS 1.0, 1.1, 1.2 and 1.3
+respectively.
 .Sh AUTHENTICATION
 Apart from setting the appropriate environment variables and
 specifying the user name and password in the URL or the
@@ -676,6 +678,8 @@ Do not allow TLS version 1.0 when negotiating the connection.
 Do not allow TLS version 1.1 when negotiating the connection.
 .It Ev SSL_NO_TLS1_2
 Do not allow TLS version 1.2 when negotiating the connection.
+.It Ev SSL_NO_TLS1_3
+Do not allow TLS version 1.3 when negotiating the connection.
 .It Ev SSL_NO_VERIFY_HOSTNAME
 If set, do not verify that the hostname matches the subject of the
 certificate presented by the server.