mirror of
https://github.com/moparisthebest/curl
synced 2024-11-16 06:25:03 -05:00
openssl: make the requested TLS version the *minimum* wanted
The code treated the set version as the *exact* version to require in the TLS handshake, which is not what other TLS backends do and probably not what most people expect either. Reported-by: Andreas Olsson Assisted-by: Gaurav Malhotra Fixes #2691 Closes #2694
This commit is contained in:
parent
b83e3e603f
commit
6015cefb1b
@ -3,4 +3,4 @@ Help: Use TLSv1.1
|
||||
Protocols: TLS
|
||||
Added: 7.34.0
|
||||
---
|
||||
Forces curl to use TLS version 1.1 when connecting to a remote TLS server.
|
||||
Forces curl to use TLS version 1.1 or later when connecting to a remote TLS server.
|
||||
|
@ -3,4 +3,4 @@ Help: Use TLSv1.2
|
||||
Protocols: TLS
|
||||
Added: 7.34.0
|
||||
---
|
||||
Forces curl to use TLS version 1.2 when connecting to a remote TLS server.
|
||||
Forces curl to use TLS version 1.2 or later when connecting to a remote TLS server.
|
||||
|
@ -3,7 +3,7 @@ Help: Use TLSv1.3
|
||||
Protocols: TLS
|
||||
Added: 7.52.0
|
||||
---
|
||||
Forces curl to use TLS version 1.3 when connecting to a remote TLS server.
|
||||
Forces curl to use TLS version 1.3 or later when connecting to a remote TLS server.
|
||||
|
||||
Note that TLS 1.3 is only supported by a subset of TLS backends. At the time
|
||||
of this writing, they are BoringSSL, NSS, and Secure Transport (on iOS 11 or
|
||||
|
@ -5,7 +5,7 @@
|
||||
.\" * | (__| |_| | _ <| |___
|
||||
.\" * \___|\___/|_| \_\_____|
|
||||
.\" *
|
||||
.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
.\" * Copyright (C) 1998 - 2015, 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
.\" *
|
||||
.\" * This software is licensed as described in the file COPYING, which
|
||||
.\" * you should have received as part of this distribution. The terms
|
||||
@ -28,38 +28,44 @@ CURLOPT_SSLVERSION \- set preferred TLS/SSL version
|
||||
|
||||
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLVERSION, long version);
|
||||
.SH DESCRIPTION
|
||||
Pass a long as parameter to control which version of SSL/TLS to attempt to
|
||||
Pass a long as parameter to control which version range of SSL/TLS versions to
|
||||
use.
|
||||
|
||||
The SSL and TLS versions have typically developed from the most insecure
|
||||
version to be more and more secure in this order through history: SSL v2,
|
||||
SSLv3, TLS v1.0, TSL v1.1, TSL v1.2 and the most recent TLS v1.3.
|
||||
|
||||
Use one of the available defines for this purpose. The available options are:
|
||||
.RS
|
||||
.IP CURL_SSLVERSION_DEFAULT
|
||||
The default action. This will attempt to figure out the remote SSL protocol
|
||||
version.
|
||||
The default acceptable version range. The mimimum acceptable version is by
|
||||
default TLS 1.0 since 7.39.0 (unless the TLS library has a stricter rule).
|
||||
.IP CURL_SSLVERSION_TLSv1
|
||||
TLSv1.x
|
||||
TLS v1.0 or later
|
||||
.IP CURL_SSLVERSION_SSLv2
|
||||
SSLv2
|
||||
SSL v2 (but not SSLv3)
|
||||
.IP CURL_SSLVERSION_SSLv3
|
||||
SSLv3
|
||||
SSL v3 (but not SSLv2)
|
||||
.IP CURL_SSLVERSION_TLSv1_0
|
||||
TLSv1.0 (Added in 7.34.0)
|
||||
TLS v1.0 or later (Added in 7.34.0)
|
||||
.IP CURL_SSLVERSION_TLSv1_1
|
||||
TLSv1.1 (Added in 7.34.0)
|
||||
TLS v1.1 or later (Added in 7.34.0)
|
||||
.IP CURL_SSLVERSION_TLSv1_2
|
||||
TLSv1.2 (Added in 7.34.0)
|
||||
TLS v1.2 or later (Added in 7.34.0)
|
||||
.IP CURL_SSLVERSION_TLSv1_3
|
||||
TLSv1.3 (Added in 7.52.0)
|
||||
TLS v1.3 or later (Added in 7.52.0)
|
||||
.RE
|
||||
|
||||
The maximum TLS version can be set by using \fIone\fP of the
|
||||
CURL_SSLVERSION_MAX_ macros below. It is also possible to OR \fIone\fP of the
|
||||
CURL_SSLVERSION_ macros with \fIone\fP of the CURL_SSLVERSION_MAX_ macros.
|
||||
The MAX macros are not supported for SSL backends axTLS or wolfSSL.
|
||||
.RS
|
||||
.IP CURL_SSLVERSION_MAX_DEFAULT
|
||||
The flag defines the maximum supported TLS version as TLSv1.2, or the default
|
||||
value from the SSL library.
|
||||
(Added in 7.54.0)
|
||||
The flag defines the maximum supported TLS version by libcurl, or the default
|
||||
value from the SSL library is used. libcurl will use a sensible default
|
||||
maximum, which was TLS 1.2 up to before 7.61.0 and is TLS 1.3 since then -
|
||||
assuming the TLS library support it. (Added in 7.54.0)
|
||||
.IP CURL_SSLVERSION_MAX_TLSv1_0
|
||||
The flag defines maximum supported TLS version as TLS v1.0.
|
||||
(Added in 7.54.0)
|
||||
|
@ -2078,10 +2078,6 @@ set_ssl_version_min_max(long *ctx_options, struct connectdata *conn,
|
||||
long ssl_version = SSL_CONN_CONFIG(version);
|
||||
long ssl_version_max = SSL_CONN_CONFIG(version_max);
|
||||
|
||||
if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) {
|
||||
ssl_version_max = ssl_version << 16;
|
||||
}
|
||||
|
||||
switch(ssl_version) {
|
||||
case CURL_SSLVERSION_TLSv1_3:
|
||||
#ifdef TLS1_3_VERSION
|
||||
@ -2113,8 +2109,7 @@ set_ssl_version_min_max(long *ctx_options, struct connectdata *conn,
|
||||
#endif
|
||||
/* FALLTHROUGH */
|
||||
case CURL_SSLVERSION_TLSv1_0:
|
||||
*ctx_options |= SSL_OP_NO_SSLv2;
|
||||
*ctx_options |= SSL_OP_NO_SSLv3;
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
break;
|
||||
}
|
||||
|
||||
@ -2337,13 +2332,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
ctx_options |= SSL_OP_NO_SSLv2;
|
||||
ctx_options |= SSL_OP_NO_SSLv3;
|
||||
/* FALLTHROUGH */
|
||||
case CURL_SSLVERSION_TLSv1_0:
|
||||
case CURL_SSLVERSION_TLSv1_1:
|
||||
case CURL_SSLVERSION_TLSv1_2:
|
||||
case CURL_SSLVERSION_TLSv1_3:
|
||||
/* asking for any TLS version as the minimum, means no SSL versions
|
||||
allowed */
|
||||
ctx_options |= SSL_OP_NO_SSLv2;
|
||||
ctx_options |= SSL_OP_NO_SSLv3;
|
||||
result = set_ssl_version_min_max(&ctx_options, conn, sockindex);
|
||||
if(result != CURLE_OK)
|
||||
return result;
|
||||
|
Loading…
Reference in New Issue
Block a user