diff --git a/README.md b/README.md
index 2afe1b8..06dd0da 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,10 @@ When a client requests the URL `gemini://example.com/foo/bar`, Agate will respon
 ## Configuration
+### TLS versions
+
+Agate by default supports TLSv1.2 and TLSv1.3. You can disable support for TLSv1.2 by using the flag `--only-tls13` (or its short version `-3`). This is *NOT RECOMMENDED* as it may break compatibility with some clients. The Gemini specification requires compatibility with TLSv1.2 "for now" because not all platforms have good support for TLSv1.3 (cf. ยง4.1 of the specification).
+
 ### Directory listing
 You can enable a basic directory listing for a directory by putting a file called `.directory-listing-ok` in that directory. This does not have an effect on subdirectories.
diff --git a/src/main.rs b/src/main.rs
index 3a70fa7..89e5985 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -74,6 +74,7 @@ struct Args {
 silent: bool,
 serve_secret: bool,
 log_ips: bool,
+ only_tls13: bool,
 }
 fn args() -> Result {
@@ -117,6 +118,7 @@ fn args() -> Result {
 );
 opts.optflag("s", "silent", "Disable logging output");
 opts.optflag("h", "help", "Print this help menu");
+ opts.optflag("3", "only-tls13", "Only use TLSv1.3 (default also allows TLSv1.2)");
 opts.optflag(
 "",
 "serve-secret",
@@ -153,6 +155,7 @@ fn args() -> Result {
 silent: matches.opt_present("s"),
 serve_secret: matches.opt_present("serve-secret"),
 log_ips: matches.opt_present("log-ip"),
+ only_tls13: matches.opt_present("only-tls13"),
 })
 }
@@ -175,6 +178,9 @@ fn acceptor() -> Result {
 let mut keys = pkcs8_private_keys(&mut BufReader::new(key_file)).or(Err("bad key"))?;
 let mut config = ServerConfig::new(NoClientAuth::new());
+ if ARGS.only_tls13 {
+ config.versions = vec![rustls::ProtocolVersion::TLSv1_3];
+ }
 config.set_single_cert(certs, keys.remove(0))?;
 Ok(TlsAcceptor::from(Arc::new(config)))
 }
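Review bot: The help string registered for the new `--only-tls13` flag gives no hint that the option is discouraged, while the README hunk in this same commit marks it *NOT RECOMMENDED* because the Gemini specification still requires TLSv1.2 support; an operator reading `--help` alone will never see that caveat. I would carry it into the help text, e.g. `opts.optflag("3", "only-tls13", "Only use TLSv1.3 (default also allows TLSv1.2). Not recommended: clients without TLSv1.3 will fail to connect");`. The `args` function this line belongs to begins and ends outside the hunk.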
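Review bot: The new branch in `acceptor` only narrows `config.versions` when `--only-tls13` is set; in the default case the negotiated protocol set is whatever `ServerConfig::new` happens to enable, so the README's promise of "TLSv1.2 and TLSv1.3" rests on a rustls library default that can change across crate upgrades rather than on this code. Pinning the list in both branches makes the policy explicit and auditable: `config.versions = if ARGS.only_tls13 { vec![rustls::ProtocolVersion::TLSv1_3] } else { vec![rustls::ProtocolVersion::TLSv1_2, rustls::ProtocolVersion::TLSv1_3] };` — this assumes the rustls version in use exposes `ProtocolVersion::TLSv1_2` alongside `TLSv1_3`, which I would confirm against Cargo.toml. A one-line startup log naming the enabled versions would also make a mis-set flag visible in the logs rather than only as failed client handshakes. `acceptor` starts before this hunk, so its signature and the certificate loading above are not visible here.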