From b300be9e17962fbec47c3cdcb83db20d554addb5 Mon Sep 17 00:00:00 2001
From: Adriana Gonzalez
Date: Mon, 8 Feb 2021 10:47:06 +0000
Subject: [PATCH 1/2] fix for TLS 1.3
---
 lib/plug/ssl.ex | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/lib/plug/ssl.ex b/lib/plug/ssl.ex
index f3a4e491b..9aaedf234 100644
--- a/lib/plug/ssl.ex
+++ b/lib/plug/ssl.ex
@@ -242,9 +242,18 @@ defmodule Plug.SSL do
 end

 defp set_secure_defaults(options) do
- options
- |> Keyword.put_new(:secure_renegotiate, true)
- |> Keyword.put_new(:reuse_sessions, true)
+ if List.keyfind(options, :versions, 0) == {:versions, [:"tlsv1.3"]} do
+ # secure_renegotiate and reuse_sessions options are not supported
+ # by the OTP SSL module when earlier versions of TLS are not being used.
+ # (i.e. TLS1.2 or earlier versions must be specified as it's not supported in TLS1.3)
+ options
+ |> Keyword.delete(:secure_renegotiate)
+ |> Keyword.delete(:reuse_sessions)
+ else
+ options
+ |> Keyword.put_new(:secure_renegotiate, true)
+ |> Keyword.put_new(:reuse_sessions, true)
+ end
 end

 defp configure_managed_tls(options) do
From 786b5be6c87999398e6fe30cb22399b87bbe5e0d Mon Sep 17 00:00:00 2001
From: Adriana Gonzalez
Date: Mon, 8 Feb 2021 16:09:45 +0000
Subject: [PATCH 2/2] change tlsv1.3 keyfind in options
---
 lib/plug/ssl.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/plug/ssl.ex b/lib/plug/ssl.ex
index 9aaedf234..079d738ec 100644
--- a/lib/plug/ssl.ex
+++ b/lib/plug/ssl.ex
@@ -242,7 +242,7 @@ defmodule Plug.SSL do
 end

 defp set_secure_defaults(options) do
- if List.keyfind(options, :versions, 0) == {:versions, [:"tlsv1.3"]} do
+ if options[:versions] == [:"tlsv1.3"] do
 # secure_renegotiate and reuse_sessions options are not supported
 # by the OTP SSL module when earlier versions of TLS are not being used.
 # (i.e. TLS1.2 or earlier versions must be specified as it's not supported in TLS1.3)
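Review bot: The TLS 1.3-only branch of `set_secure_defaults/1` removes `:secure_renegotiate` and `:reuse_sessions` with `Keyword.delete/2` even when the caller set them explicitly, and the comment above it does not say that this is intentional or why it is safe. TLS 1.3 has no renegotiation, so dropping `secure_renegotiate` gives up no protection, but a reader has to know that already to trust the branch. I would reword the comment to something like `# TLS 1.3 has no renegotiation, and :ssl does not support :secure_renegotiate or :reuse_sessions when only TLS 1.3 is enabled, so drop them (even if the caller passed them) instead of defaulting them to true.` The function is fully inside this hunk.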
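Review bot: `options[:versions] == [:"tlsv1.3"]` matches only the exact one-element list, so a TLS 1.3-only configuration written any other way (a repeated entry, for example) falls into the else branch and still receives the two defaults the comment calls unsupported. Comparing a normalised list, `if Enum.uniq(List.wrap(options[:versions])) == [:"tlsv1.3"] do`, would cover that; whether `:ssl` accepts such a list at all is not visible here. Neither patch in the series touches a test file, so a case that passes `versions: [:"tlsv1.3"]` and asserts both keys are absent from the result would pin the behaviour. The body of `set_secure_defaults/1` continues past the end of this hunk.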