vtls: fix ssl version "or later" behavior change for many backends

- Treat CURL_SSLVERSION_MAX_NONE the same as CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use the minimum version also as the maximum. This is a follow-up to 6015cef which changed the behavior of setting the SSL version so that the requested version would only be the minimum and not the maximum. It appears it was (mostly) implemented in OpenSSL but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to mean use just TLS v1.0 and now it means use TLS v1.0 *or later*. - Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL. Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was erroneously treated as always TLS 1.3, and would cause an error if OpenSSL was built without TLS 1.3 support. Co-authored-by: Daniel Gustafsson Fixes https://github.com/curl/curl/issues/2969 Closes https://github.com/curl/curl/pull/3012
2025-01-10 21:48:10 -05:00 · 2018-09-18 16:35:36 -04:00 · 2018-09-18 16:35:36 -04:00 · 2e5651a5ce
commit 2e5651a5ce
parent ba782baac3
8 changed files with 1 additions and 18 deletions
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@ -1304,8 +1304,6 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)

  switch(ssl_version_max) {
    case CURL_SSLVERSION_MAX_NONE:
-      ssl_version_max = ssl_version << 16;
-      break;
    case CURL_SSLVERSION_MAX_DEFAULT:
      ssl_version_max = max_supported_version_by_os;
      break;
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@ -766,8 +766,6 @@ set_ssl_version_min_max(unsigned int *protoflags, struct connectdata *conn)
  long i = ssl_version;
  switch(ssl_version_max) {
    case CURL_SSLVERSION_MAX_NONE:
-      ssl_version_max = ssl_version;
-      break;
    case CURL_SSLVERSION_MAX_DEFAULT:
      ssl_version_max = CURL_SSLVERSION_TLSv1_2;
      break;
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@ -390,8 +390,6 @@ set_ssl_version_min_max(int *list, size_t list_size, struct connectdata *conn)

  switch(ssl_version_max) {
    case CURL_SSLVERSION_MAX_NONE:
-      ssl_version_max = ssl_version << 16;
-      break;
    case CURL_SSLVERSION_MAX_DEFAULT:
      ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
      break;
@ -435,7 +433,7 @@ set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn)
    return CURLE_SSL_CONNECT_ERROR;
  }
  if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) {
-    ssl_version_max = ssl_version << 16;
+    ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;
  }
  switch(ssl_version | ssl_version_max) {
    case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@ -205,14 +205,11 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
    case CURL_SSLVERSION_DEFAULT:
    case CURL_SSLVERSION_TLSv1:
      ssl_version = CURL_SSLVERSION_TLSv1_0;
-      ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
      break;
  }

  switch(ssl_version_max) {
    case CURL_SSLVERSION_MAX_NONE:
-      ssl_version_max = ssl_version << 16;
-      break;
    case CURL_SSLVERSION_MAX_DEFAULT:
      ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
      break;
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@ -1715,8 +1715,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
      failf(data, "unsupported min version passed via CURLOPT_SSLVERSION");
      return result;
    }
-    if(max == CURL_SSLVERSION_MAX_NONE)
-      sslver->max = sslver->min;
  }

  switch(max) {
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@ -2172,7 +2172,6 @@ set_ssl_version_min_max(long *ctx_options, struct connectdata *conn,
 #endif
      break;
    case CURL_SSLVERSION_MAX_TLSv1_3:
-    case CURL_SSLVERSION_MAX_DEFAULT:
 #ifdef TLS1_3_VERSION
      break;
 #else
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@ -185,14 +185,11 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
    case CURL_SSLVERSION_DEFAULT:
    case CURL_SSLVERSION_TLSv1:
      ssl_version = CURL_SSLVERSION_TLSv1_0;
-      ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
      break;
  }

  switch(ssl_version_max) {
    case CURL_SSLVERSION_MAX_NONE:
-      ssl_version_max = ssl_version << 16;
-      break;
    case CURL_SSLVERSION_MAX_DEFAULT:
      ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
      break;
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@ -180,8 +180,6 @@ set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct connectdata *conn)

  switch(ssl_version_max) {
    case CURL_SSLVERSION_MAX_NONE:
-      ssl_version_max = ssl_version << 16;
-      break;
    case CURL_SSLVERSION_MAX_DEFAULT:
      ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
      break;