gnutls: make setting only the MAX TLS allowed version work
Previously, setting only the max allowed TLS version, leaving the
minimum one at default, didn't actually set it and left it to default
(TLS 1.3) too!
As a bonus, this change also removes the dead code handling of SSLv3
since that version can't be set anymore (since eff614fb02
).
Reported-by: Daniel Carpenter
Fixes #6998
Closes #7000
parent
8bdde6b14c
commit
781864bedb
@ -314,9 +314,12 @@ set_ssl_version_min_max(const char **prioritylist, struct Curl_easy *data)
|
|||||||
long ssl_version = SSL_CONN_CONFIG(version);
|
long ssl_version = SSL_CONN_CONFIG(version);
|
||||||
long ssl_version_max = SSL_CONN_CONFIG(version_max);
|
long ssl_version_max = SSL_CONN_CONFIG(version_max);
|
||||||
|
|
||||||
if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) {
|
if((ssl_version == CURL_SSLVERSION_DEFAULT) ||
|
||||||
|
(ssl_version == CURL_SSLVERSION_TLSv1))
|
||||||
|
ssl_version = CURL_SSLVERSION_TLSv1_0;
|
||||||
|
if(ssl_version_max == CURL_SSLVERSION_MAX_NONE)
|
||||||
ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;
|
ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;
|
||||||
}
|
|
||||||
switch(ssl_version | ssl_version_max) {
|
switch(ssl_version | ssl_version_max) {
|
||||||
case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
|
case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
|
||||||
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
|
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
|
||||||
@ -546,29 +549,20 @@ gtls_connect_step1(struct Curl_easy *data,
|
|||||||
* removed if a run-time error indicates that SRP is not supported by this
|
* removed if a run-time error indicates that SRP is not supported by this
|
||||||
* GnuTLS version */
|
* GnuTLS version */
|
||||||
switch(SSL_CONN_CONFIG(version)) {
|
switch(SSL_CONN_CONFIG(version)) {
|
||||||
case CURL_SSLVERSION_SSLv3:
|
|
||||||
prioritylist = GNUTLS_CIPHERS ":-VERS-TLS-ALL:+VERS-SSL3.0";
|
|
||||||
break;
|
|
||||||
case CURL_SSLVERSION_DEFAULT:
|
case CURL_SSLVERSION_DEFAULT:
|
||||||
case CURL_SSLVERSION_TLSv1:
|
case CURL_SSLVERSION_TLSv1:
|
||||||
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0"
|
|
||||||
#ifdef HAS_TLS13
|
|
||||||
":+VERS-TLS1.3"
|
|
||||||
#endif
|
|
||||||
;
|
|
||||||
break;
|
|
||||||
case CURL_SSLVERSION_TLSv1_0:
|
case CURL_SSLVERSION_TLSv1_0:
|
||||||
case CURL_SSLVERSION_TLSv1_1:
|
case CURL_SSLVERSION_TLSv1_1:
|
||||||
case CURL_SSLVERSION_TLSv1_2:
|
case CURL_SSLVERSION_TLSv1_2:
|
||||||
case CURL_SSLVERSION_TLSv1_3:
|
case CURL_SSLVERSION_TLSv1_3: {
|
||||||
{
|
|
||||||
CURLcode result = set_ssl_version_min_max(&prioritylist, data);
|
CURLcode result = set_ssl_version_min_max(&prioritylist, data);
|
||||||
if(result != CURLE_OK)
|
if(result)
|
||||||
return result;
|
return result;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
case CURL_SSLVERSION_SSLv2:
|
case CURL_SSLVERSION_SSLv2:
|
||||||
failf(data, "GnuTLS does not support SSLv2");
|
case CURL_SSLVERSION_SSLv3:
|
||||||
|
failf(data, "GnuTLS does not support SSLv2 or SSLv3");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
default:
|
default:
|
||||||
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
||||||
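Review bot: The new `ssl_version = CURL_SSLVERSION_TLSv1_0;` in the first hunk (set_ssl_version_min_max) silently turns CURL_SSLVERSION_DEFAULT and CURL_SSLVERSION_TLSv1 into an explicit TLS 1.0 floor, whereas the old DEFAULT path in gtls_connect_step1 only removed SSL3.0 and otherwise deferred to the GnuTLS priority defaults; that is a behaviour change worth a why-comment so nobody later "fixes" it back, e.g. `/* DEFAULT and TLSv1 mean "TLS 1.0 or newer": pin the floor here instead of relying on the GnuTLS default priority */`. The second hunk also drops the `#ifdef HAS_TLS13` guard around `+VERS-TLS1.3` for the DEFAULT case, so the CURL_SSLVERSION_MAX_DEFAULT branch of set_ssl_version_min_max must presumably now carry that conditional itself; that branch is outside the hunk, so please confirm TLS 1.3 is still only requested when HAS_TLS13 is defined. Both set_ssl_version_min_max and gtls_connect_step1 continue outside the hunks shown.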
|