Support exclusive use of tlsv1.3, closes #1011

josevalim · josevalim · commit bbcb46f4b7ad · 2022-06-17T10:59:42.000+02:00
diff --git a/lib/plug/ssl.ex b/lib/plug/ssl.ex
@@ -242,9 +242,17 @@ defmodule Plug.SSL do
   end
 
   defp set_secure_defaults(options) do
-    options
-    |> Keyword.put_new(:secure_renegotiate, true)
-    |> Keyword.put_new(:reuse_sessions, true)
+    versions = options[:versions] || :ssl.versions()[:supported]
+
+    if Enum.any?([:tlsv1, :"tlsv1.1", :"tlsv1.2"], &(&1 in versions)) do
+      options
+      |> Keyword.put_new(:secure_renegotiate, true)
+      |> Keyword.put_new(:reuse_sessions, true)
+    else
+      options
+      |> Keyword.delete(:secure_renegotiate)
+      |> Keyword.delete(:reuse_sessions)
+    end
   end
 
   defp configure_managed_tls(options) do
diff --git a/mix.exs b/mix.exs
@@ -3,7 +3,7 @@ defmodule Plug.MixProject do
 
   @version "1.14.0-dev"
   @description "Compose web applications with functions"
-  @xref_exclude [Plug.Cowboy, :telemetry]
+  @xref_exclude [Plug.Cowboy, :telemetry, :ssl]
 
   def project do
     [
diff --git a/test/plug/ssl_test.exs b/test/plug/ssl_test.exs
@@ -5,14 +5,21 @@ defmodule Plug.SSLTest do
   describe "configure" do
     import Plug.SSL, only: [configure: 1]
 
-    test "sets secure_renegotiate and reuse_sessions to true by default" do
-      assert {:ok, opts} = configure(key: "abcdef", cert: "ghijkl")
+    test "sets secure_renegotiate and reuse_sessions to true depending on the version" do
+      assert {:ok, opts} = configure(key: "abcdef", cert: "ghijkl", versions: [:tlsv1])
       assert opts[:reuse_sessions] == true
       assert opts[:secure_renegotiate] == true
       assert opts[:honor_cipher_order] == nil
       assert opts[:client_renegotiation] == nil
       assert opts[:cipher_suite] == nil
 
+      assert {:ok, opts} = configure(key: "abcdef", cert: "ghijkl", versions: [:"tlsv1.3"])
+      assert opts[:reuse_sessions] == nil
+      assert opts[:secure_renegotiate] == nil
+      assert opts[:honor_cipher_order] == nil
+      assert opts[:client_renegotiation] == nil
+      assert opts[:cipher_suite] == nil
+
       assert {:ok, opts} = configure(key: "abcdef", cert: "ghijkl", reuse_sessions: false)
       assert opts[:reuse_sessions] == false
     end

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ defmodule Plug.MixProject do`
`3`	`3`
`4`	`4`	`@version "1.14.0-dev"`
`5`	`5`	`@description "Compose web applications with functions"`
`6`		`- @xref_exclude [Plug.Cowboy, :telemetry]`
	`6`	`+ @xref_exclude [Plug.Cowboy, :telemetry, :ssl]`
`7`	`7`
`8`	`8`	`def project do`
`9`	`9`	`[`