From nobody Thu Jan 22 14:39:55 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dxkHH3btrz6Pv8k for ; Thu, 22 Jan 2026 14:39:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dxkHH2jrtz3G9f for ; Thu, 22 Jan 2026 14:39:55 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1769092795; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ykBcNVUYPoNPvom8xs4SRP/XrGcux0ZWIbUQzKBKckU=; b=S0DSOPnbmbtjWjIHVOgJAQzqTE8hwvNBLkQRg/TWBBSppgKVd7qzGNTehVfP3adxymHb/I xROUEUdLy9rerAtUrUWmCBu2iMJ8F5Z/cePiop0ObVvQ5Pb3eJafii8tS7A66o40cJrZGa Wnl7ud4c/cwjbsOP25RBLJtOdtJFwcj9yxsV7ZgZpYEKzIH4EmYLa1OvYRjdgG6EvOZDav iePNs3XEE+3MpU6ci8vaewD32W7c6LF/4Y6vg1piWq1K1X3EzLqOcsHZhME9eOb+To8/QQ Z+on1NTNlsaYU9nEVTf/6yPAj1GwvprBeizTRVwxyORSoRw5Aym3/rHduiedDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1769092795; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ykBcNVUYPoNPvom8xs4SRP/XrGcux0ZWIbUQzKBKckU=; b=qR2gGZq2oZhc/XUH0YlCzbE3N8v9yPF9E+u0ZutPnZR+DbdpPJLt8/ePoXsY6sbQc0p8Y9 affWmTBNiZuURpN7V3XjaUBDJU9sJl1baRA7BxQyno3J8pZGPO/Q5S7yPO+UgJ/EXtHcvA y9Q7fr8oiCX7h9xXt/618keLTicc0f8KrgCMKslAk1gSJBDQkRhOkD4IHHOyIO771JrB9A w/DIhPB3RY/tTjUDNzJqZ+fcwC6L/SYiiCbrbAhPxVS5IjOk37UlhGTW+jlryPNnerKD6A +zPBSuw2THyWDf+4FKpzGdrZwW7w0KHk0j6a5AZUH63vQFKhsyMyA3HHMBL5ag== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1769092795; a=rsa-sha256; cv=none; b=gDzKJB4wJb8dIYyCU9kr4mFyp6UyYdkPaj9f6rOegG/c3KvPIgQJSfOTgJTMZIxyfE9P48 pIBHUq0FwWdJzH4luMZEh9y1A3jVI63GScj244bW3sB+4PkBxNz6ugWRSGRw5l5x+yjau7 wdB5gjKbC+SxoYU1ljHEXrPsWcU5ZKfU1YRABtvAyrJaYMf3hPEsLkh4vRPjIQi5Zx5nY2 xxVxrluqiKv1Nmyewydc0LqaK6f7egkSeEGZ7pAI153xl7+Tz5Bp6kBwGO7zCYx2UHf2+z NwIchnmR9V4R1BpKdcWdYVVQZNCUvobVkiX7zPv3+kydyv6PH/DyudTFJzKC3g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4dxkHH1Trqzcwd for ; Thu, 22 Jan 2026 14:39:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 2249b by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Thu, 22 Jan 2026 14:39:55 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Eugene Grosbein Subject: git: 129aec722502 - main - libfetch: allow disabling TLS v1.3 when the connection List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: eugen X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 129aec72250266e60c07ff4643623188f7c27a9d Auto-Submitted: auto-generated Date: Thu, 22 Jan 2026 14:39:55 +0000 Message-Id: <697236bb.2249b.2e32478a@gitrepo.freebsd.org> The branch main has been updated by eugen: URL: https://cgit.FreeBSD.org/src/commit/?id=129aec72250266e60c07ff4643623188f7c27a9d commit 129aec72250266e60c07ff4643623188f7c27a9d Author: Eugene Grosbein AuthorDate: 2026-01-22 14:37:54 +0000 Commit: Eugene Grosbein CommitDate: 2026-01-22 14:37:54 +0000 libfetch: allow disabling TLS v1.3 when the connection MFC after: 3 days --- lib/libfetch/common.c | 2 ++ lib/libfetch/fetch.3 | 12 ++++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index a9935ef176da..9b36a9e61a75 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -1048,6 +1048,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) ssl_ctx_options |= SSL_OP_NO_TLSv1_1; if (getenv("SSL_NO_TLS1_2") != NULL) ssl_ctx_options |= SSL_OP_NO_TLSv1_2; + if (getenv("SSL_NO_TLS1_3") != NULL) + ssl_ctx_options |= SSL_OP_NO_TLSv1_3; if (verbose) fetch_info("SSL options: %lx", ssl_ctx_options); SSL_CTX_set_options(ctx, ssl_ctx_options); diff --git a/lib/libfetch/fetch.3 b/lib/libfetch/fetch.3 index 5f7489799cf6..20a22a263b5b 100644 --- a/lib/libfetch/fetch.3 +++ b/lib/libfetch/fetch.3 @@ -24,7 +24,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd October 7, 2023 +.Dd January 22, 2026 .Dt FETCH 3 .Os .Sh NAME @@ -450,9 +450,11 @@ allows TLSv1 and newer when negotiating the connecting with the remote peer. You can change this behavior by setting the .Ev SSL_NO_TLS1 , -.Ev SSL_NO_TLS1_1 and -.Ev SSL_NO_TLS1_2 -environment variables to disable TLS 1.0, 1.1 and 1.2 respectively. +.Ev SSL_NO_TLS1_1 , +.Ev SSL_NO_TLS1_2 and +.Ev SSL_NO_TLS1_3 +environment variables to disable TLS 1.0, 1.1, 1.2 and 1.3 +respectively. .Sh AUTHENTICATION Apart from setting the appropriate environment variables and specifying the user name and password in the URL or the @@ -676,6 +678,8 @@ Do not allow TLS version 1.0 when negotiating the connection. Do not allow TLS version 1.1 when negotiating the connection. .It Ev SSL_NO_TLS1_2 Do not allow TLS version 1.2 when negotiating the connection. +.It Ev SSL_NO_TLS1_3 +Do not allow TLS version 1.3 when negotiating the connection. .It Ev SSL_NO_VERIFY_HOSTNAME If set, do not verify that the hostname matches the subject of the certificate presented by the server.