From nobody Sun Jan 25 04:16:19 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dzJJM4hb8z6QBZd for ; Sun, 25 Jan 2026 04:16:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dzJJM3xNTz45Wl for ; Sun, 25 Jan 2026 04:16:19 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1769314579; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=vZJLON5CT62aeLY2X8n3tyAaef2HEhtgNd8RiIF06ms=; b=lp+8bofQmoohvfTozkvGyVHGEojqmcewH4pvgS+ZN/bhfx0wwhUHpMUjQrAz3htSlX38tg M24w9vKXuFiCVMikI6fYsl64+vlCL1S8ACquuMth1BRcpV9s2HxLtxiAd1mQMPMO+hdq/T pV4ZIPgmNWUaSu/VTUIhoe0fnoQHMsSh+s3pkmTe9Eogf7Etita0NCPhHTtzOo7xX8cL4/ R7/MNvT/JI6QrUtKIdXlrnos6x3sn89fbPPr/Bue6esiZAl56Tay+zSGL91mQhkMZOC56J 8RJ3R5rWqLO56WOGDA4usK3zW+9HcmjFQg9JHkq6e9OZBl17yb6rb6hry8xeNg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1769314579; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=vZJLON5CT62aeLY2X8n3tyAaef2HEhtgNd8RiIF06ms=; b=Sv9ZD6TbUH7PLVWdQf03SY5/m9Z0mr8EZaoqZe+gb2Y486SwHgYio+qgV2SMu/jZiXbxno NwTeULbKe9vYV03I3taRbqTElUSSxV4BRjKUMDL5n6hgQgNqbqm/NOxlGaY6lukhVTxKrH 9sxCwHX5VIGSuRyUpdQq8Yn+dv7jQCcUQYaGUFkPN5quqV2h/DYV8fJtj6ICNaVdMza6r6 T9hUbwuw/YUshLOgIixoqtFJ4UpczSuY+jr5EQRBaHBEqI/hoy8nhRc4iK8x/5DnMsRprJ xJ6E4pJsrCQ4vc6P7zVS0Lp9gRNWvc/grroS4UVS2Z+xPbNehsQ9730jrcrkag== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1769314579; a=rsa-sha256; cv=none; b=CuUiO5EOsMbfjfcUbTPShFoabuWGQ1gwyMF4o6wXy1/wBjLTU2RBf4sqboJQrS8FhV4g4q 4gXaYAoyHNVGojSZutYJ4L8Mx3bfPN5gdVkVtnHxANkz8Q7LSpsx6VnMdmxSqTIaIECqhT MdvFjMtvLgeCokHl6wV98Xamsjht8NDhyhNegrgDamkh4OU0o2yJ/Lclp1wmJRCU6I9qIj ikvSvYRDjwl8qZGG/vuEhosVDPS6M7pEBRGdZy4+hX4qdvVhK6edbIA7qtu0wO4Vd7tniz vSEHLmJ90hLUt9ZXM23sclXInqbWsJJgYoL9witOSLsiLgJQFE0bFv8UdR7FHg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4dzJJM3JYlz3nw for ; Sun, 25 Jan 2026 04:16:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 36e8a by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Sun, 25 Jan 2026 04:16:19 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Eugene Grosbein Subject: git: edf3b67fbb0e - stable/15 - MFC: libfetch: allow disabling TLS v1.3 when negotiating the connection List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: eugen X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: edf3b67fbb0e527ab7be9d30a02e246e5050f0df Auto-Submitted: auto-generated Date: Sun, 25 Jan 2026 04:16:19 +0000 Message-Id: <69759913.36e8a.a9a6d5@gitrepo.freebsd.org> The branch stable/15 has been updated by eugen: URL: https://cgit.FreeBSD.org/src/commit/?id=edf3b67fbb0e527ab7be9d30a02e246e5050f0df commit edf3b67fbb0e527ab7be9d30a02e246e5050f0df Author: Eugene Grosbein AuthorDate: 2026-01-22 14:37:54 +0000 Commit: Eugene Grosbein CommitDate: 2026-01-25 04:15:35 +0000 MFC: libfetch: allow disabling TLS v1.3 when negotiating the connection (cherry picked from commit 129aec72250266e60c07ff4643623188f7c27a9d) --- lib/libfetch/common.c | 2 ++ lib/libfetch/fetch.3 | 12 ++++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index 9df0e9abeba8..f59ef9a8bbb0 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -1048,6 +1048,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) ssl_ctx_options |= SSL_OP_NO_TLSv1_1; if (getenv("SSL_NO_TLS1_2") != NULL) ssl_ctx_options |= SSL_OP_NO_TLSv1_2; + if (getenv("SSL_NO_TLS1_3") != NULL) + ssl_ctx_options |= SSL_OP_NO_TLSv1_3; if (verbose) fetch_info("SSL options: %lx", ssl_ctx_options); SSL_CTX_set_options(ctx, ssl_ctx_options); diff --git a/lib/libfetch/fetch.3 b/lib/libfetch/fetch.3 index 5f7489799cf6..20a22a263b5b 100644 --- a/lib/libfetch/fetch.3 +++ b/lib/libfetch/fetch.3 @@ -24,7 +24,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd October 7, 2023 +.Dd January 22, 2026 .Dt FETCH 3 .Os .Sh NAME @@ -450,9 +450,11 @@ allows TLSv1 and newer when negotiating the connecting with the remote peer. You can change this behavior by setting the .Ev SSL_NO_TLS1 , -.Ev SSL_NO_TLS1_1 and -.Ev SSL_NO_TLS1_2 -environment variables to disable TLS 1.0, 1.1 and 1.2 respectively. +.Ev SSL_NO_TLS1_1 , +.Ev SSL_NO_TLS1_2 and +.Ev SSL_NO_TLS1_3 +environment variables to disable TLS 1.0, 1.1, 1.2 and 1.3 +respectively. .Sh AUTHENTICATION Apart from setting the appropriate environment variables and specifying the user name and password in the URL or the @@ -676,6 +678,8 @@ Do not allow TLS version 1.0 when negotiating the connection. Do not allow TLS version 1.1 when negotiating the connection. .It Ev SSL_NO_TLS1_2 Do not allow TLS version 1.2 when negotiating the connection. +.It Ev SSL_NO_TLS1_3 +Do not allow TLS version 1.3 when negotiating the connection. .It Ev SSL_NO_VERIFY_HOSTNAME If set, do not verify that the hostname matches the subject of the certificate presented by the server.