From 4a495c61ce22c893aed5ee57f6ce0b43c3be59ad Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Wed, 19 Sep 2018 23:53:45 +0200
Subject: [PATCH] TLS1.3 compatibility

Fixes #94
---
 src/tls.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/tls.c b/src/tls.c
index c693d3b..f383ed9 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -228,7 +228,16 @@ static void ssl_info_cb(const SSL *cnx, int where, int ret)
     if ((where & SSL_CB_HANDSHAKE_START) != 0) {
         if ((cnx == tls_cnx && tls_cnx_handshook != 0) ||
             (cnx == tls_data_cnx && tls_data_cnx_handshook != 0)) {
-            die(400, LOG_ERR, "TLS renegociation");
+            const SSL_CIPHER *cipher;
+            const char *cipher_version;
+            if ((cipher = SSL_get_current_cipher(cnx)) == NULL ||
+                (cipher_version = SSL_CIPHER_get_version(cipher)) == NULL) {
+                die(400, LOG_ERR, "No cipher");
+            }
+            if (strcmp(cipher_version, "TLSv1.3") != 0) {
+                die(400, LOG_ERR, "TLS renegociation");
+                return;
+            }
         }
         return;
     }
@@ -264,10 +273,10 @@ int tls_init_library(void)
     OpenSSL_add_all_algorithms();
 # else
     OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
-		     OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+                     OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
     OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
-			OPENSSL_INIT_ADD_ALL_DIGESTS |
-			OPENSSL_INIT_LOAD_CONFIG, NULL);
+                        OPENSSL_INIT_ADD_ALL_DIGESTS |
+                        OPENSSL_INIT_LOAD_CONFIG, NULL);
 # endif
     while (RAND_status() == 0) {
         rnd = zrand();