From 74497752dc062d1c2dc9594654a3770e23d989ec Mon Sep 17 00:00:00 2001
From: Koichiro IWAO
Date: Thu, 16 Aug 2018 11:31:35 +0900
Subject: [PATCH] Add TLSv1.3 support

Actually, TLSv1.3 will be enabled without this change if xrdp is compiled with OpenSSL or alternatives which support TLSv1.3. This commit makes to enable or disable TLSv1.3 explicitly. Also, this commit adds a log "TLSv1.3 enabled by config, but not supported by system OpenSSL". if xrdp installation doesn't support TLSv1.3. It should be user-friendly.
---
 common/ssl_calls.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index cb13825e..d1003b8a 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -1004,8 +1004,23 @@ ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
 #endif
 #if defined(SSL_OP_NO_TLSv1_2)
     protocols |= SSL_OP_NO_TLSv1_2;
+#endif
+#if defined(SSL_OP_NO_TLSv1_3)
+    protocols |= SSL_OP_NO_TLSv1_3;
 #endif
     bad_protocols = protocols;
+    if (g_pos(str, ",TLSv1.3,") >= 0)
+    {
+#if defined(SSL_OP_NO_TLSv1_3)
+        log_message(LOG_LEVEL_DEBUG, "TLSv1.3 enabled");
+        protocols &= ~SSL_OP_NO_TLSv1_3;
+#else
+        log_message(LOG_LEVEL_WARNING,
+                    "TLSv1.3 enabled by config, "
+                    "but not supported by system OpenSSL");
+        rv |= (1 << 6);
+#endif
+    }
     if (g_pos(str, ",TLSv1.2,") >= 0)
     {
 #if defined(SSL_OP_NO_TLSv1_2)
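Review bot: The `rv |= (1 << 6);` in the new `#else` branch is a bare magic bit whose meaning a reader cannot recover from this hunk; it should be named or at least commented, e.g. `rv |= (1 << 6); /* TLSv1.3 requested in config but unavailable in this OpenSSL build */`, and the function's header comment (outside this hunk) should list which bit of `rv` each protocol maps to so that callers checking the return value stay in sync. In that branch `protocols` is left untouched and only a LOG_LEVEL_WARNING is emitted, so an operator who asked for TLSv1.3 quietly gets whatever other protocols remain enabled; consider whether the caller should treat this bit as a configuration error rather than a warning, since the intent was to restrict negotiation. If the file elsewhere sets cipher preferences through SSL_CTX_set_cipher_list, note that OpenSSL applies that list only to TLSv1.2 and below and selects TLSv1.3 suites via SSL_CTX_set_ciphersuites, which this change does not touch — worth a follow-up or a comment if it is intentional. ssl_get_protocols_from_string starts and ends outside the hunk.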