From 781864bedbc57e2e2532bde7cf64db9af7b80d05 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Tue, 4 May 2021 13:34:14 +0200
Subject: [PATCH] gnutls: make setting only the MAX TLS allowed version work

Previously, settting only the max allowed TLS version, leaving the minimum one at default, didn't actually set it and left it to default (TLS 1.3) too!

As a bonus, this change also removes the dead code handling of SSLv3 since that version can't be set anymore (since eff614fb0242cb).

Reported-by: Daniel Carpenter
Fixes #6998
Closes #7000
---
 lib/vtls/gtls.c | 32 +++++++++++++------------------
 1 file changed, 13 insertions(+), 19 deletions(-)

diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 1a4bd004d..d61b4da9c 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -314,9 +314,12 @@ set_ssl_version_min_max(const char **prioritylist, struct Curl_easy *data)
   long ssl_version = SSL_CONN_CONFIG(version);
   long ssl_version_max = SSL_CONN_CONFIG(version_max);
-  if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) {
+  if((ssl_version == CURL_SSLVERSION_DEFAULT) ||
+     (ssl_version == CURL_SSLVERSION_TLSv1))
+    ssl_version = CURL_SSLVERSION_TLSv1_0;
+  if(ssl_version_max == CURL_SSLVERSION_MAX_NONE)
     ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;
-  }
+
   switch(ssl_version | ssl_version_max) {
   case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
@@ -546,29 +549,20 @@ gtls_connect_step1(struct Curl_easy *data,
    * removed if a run-time error indicates that SRP is not supported by this
    * GnuTLS version */
   switch(SSL_CONN_CONFIG(version)) {
-  case CURL_SSLVERSION_SSLv3:
-    prioritylist = GNUTLS_CIPHERS ":-VERS-TLS-ALL:+VERS-SSL3.0";
-    break;
   case CURL_SSLVERSION_DEFAULT:
   case CURL_SSLVERSION_TLSv1:
-    prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0"
-#ifdef HAS_TLS13
-      ":+VERS-TLS1.3"
-#endif
-      ;
-    break;
   case CURL_SSLVERSION_TLSv1_0:
   case CURL_SSLVERSION_TLSv1_1:
   case CURL_SSLVERSION_TLSv1_2:
-  case CURL_SSLVERSION_TLSv1_3:
-    {
-      CURLcode result = set_ssl_version_min_max(&prioritylist, data);
-      if(result != CURLE_OK)
-        return result;
-      break;
-    }
+  case CURL_SSLVERSION_TLSv1_3: {
+    CURLcode result = set_ssl_version_min_max(&prioritylist, data);
+    if(result)
+      return result;
+    break;
+  }
   case CURL_SSLVERSION_SSLv2:
-    failf(data, "GnuTLS does not support SSLv2");
+  case CURL_SSLVERSION_SSLv3:
+    failf(data, "GnuTLS does not support SSLv2 or SSLv3");
     return CURLE_SSL_CONNECT_ERROR;
   default:
     failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
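Review bot: Folding CURL_SSLVERSION_DEFAULT and CURL_SSLVERSION_TLSv1 into the set_ssl_version_min_max call changes what a default connection negotiates, and nothing in the new lines records that: the removed branch left the protocol floor to GnuTLS' own priority policy (its string only dropped SSL3.0 and added TLS1.3), whereas the helper builds an explicit version range, and the companion hunk now maps DEFAULT to CURL_SSLVERSION_TLSv1_0 as that range's minimum. If the resulting priority list carries `+VERS-TLS1.0`, a default curl connection explicitly re-enables TLS 1.0/1.1 on GnuTLS builds whose NORMAL priority leaves them disabled — the helper's DEFAULT/MAX_DEFAULT case is outside this hunk, so this is worth confirming and pinning with a test rather than assuming. I would add above `case CURL_SSLVERSION_DEFAULT:` the comment `/* DEFAULT and TLSv1 are expanded by set_ssl_version_min_max into an explicit min/max range (TLS 1.0 floor); GnuTLS' NORMAL defaults no longer pick the minimum */`. The enclosing switch and gtls_connect_step1 both start and end outside the hunk.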