-rw-r--r--lib/libfetch/common.c2
-rw-r--r--lib/libfetch/fetch.312
2 files changed, 10 insertions, 4 deletions
diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
index e392c9e1e285..766aa2200f26 100644
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -1062,6 +1062,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
if (getenv("SSL_NO_TLS1_2") != NULL)
ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
+ if (getenv("SSL_NO_TLS1_3") != NULL)
+ ssl_ctx_options |= SSL_OP_NO_TLSv1_3;
if (verbose)
fetch_info("SSL options: %lx", ssl_ctx_options);
SSL_CTX_set_options(ctx, ssl_ctx_options);
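Review bot: The new `getenv("SSL_NO_TLS1_3")` test, like the three above it, keys on the variable merely being present, so `SSL_NO_TLS1_3=0` or an empty value still caps the connection at TLS 1.2, and nothing in the hunk checks that at least one protocol version stays enabled when all four variables are set. Since this is a downgrade knob inherited from the environment, I would add a comment such as `/* presence alone disables TLS 1.3, whatever the value; leave unset unless a peer requires it */` and have the `verbose` branch name the disabled versions rather than print only the hex mask. `SSL_OP_NO_TLSv1_3` is only defined by OpenSSL 1.1.1 and later, so if this file is still expected to build against older libraries (not visible from here) the two added lines want an `#ifdef SSL_OP_NO_TLSv1_3` guard. The body of fetch_ssl_setup_transport_layer starts and ends outside the hunk.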
diff --git a/lib/libfetch/fetch.3 b/lib/libfetch/fetch.3
index 663209f8fc79..ddf092a4ed9e 100644
--- a/lib/libfetch/fetch.3
+++ b/lib/libfetch/fetch.3
@@ -24,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd October 7, 2023
+.Dd January 22, 2026
.Dt FETCH 3
.Os
.Sh NAME
@@ -451,9 +451,11 @@ allows TLSv1 and newer when negotiating the connecting with the remote
peer.
You can change this behavior by setting the
.Ev SSL_NO_TLS1 ,
-.Ev SSL_NO_TLS1_1 and
-.Ev SSL_NO_TLS1_2
-environment variables to disable TLS 1.0, 1.1 and 1.2 respectively.
+.Ev SSL_NO_TLS1_1 ,
+.Ev SSL_NO_TLS1_2 and
+.Ev SSL_NO_TLS1_3
+environment variables to disable TLS 1.0, 1.1, 1.2 and 1.3
+respectively.
.Sh AUTHENTICATION
Apart from setting the appropriate environment variables and
specifying the user name and password in the URL or the
@@ -677,6 +679,8 @@ Do not allow TLS version 1.0 when negotiating the connection.
Do not allow TLS version 1.1 when negotiating the connection.
.It Ev SSL_NO_TLS1_2
Do not allow TLS version 1.2 when negotiating the connection.
+.It Ev SSL_NO_TLS1_3
+Do not allow TLS version 1.3 when negotiating the connection.
.It Ev SSL_NO_VERIFY_HOSTNAME
If set, do not verify that the hostname matches the subject of the
certificate presented by the server.