SSL: protocol version can be specified more precisely

CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version (CURL_SSLVERSION_TLSv1 means TLS 1.x). axTLS: axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one of these should be used, so we don't allow the new enum values. darwinssl: Added support for the new enum values. SChannel: Added support for the new enum values. CyaSSL: Added support for the new enum values. Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it did the same before this commit), because CyaSSL cannot be configured to use TLS 1.0-1.2. GSKit: GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow those values. Bugfix: There was a typo that caused wrong SSL versions to be passed to GSKit. NSS: TLS minor version cannot be set, so we don't allow the new enum values. QsoSSL: TLS minor version cannot be set, so we don't allow the new enum values. OpenSSL: Added support for the new enum values. Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0, now it enables 1.0-1.2. Command-line tool: Added command line options for the new values.
2024-12-22 08:08:50 -05:00 · 2013-09-19 15:17:13 +02:00 · 2013-09-19 15:17:13 +02:00 · ad34a2d5c8
commit ad34a2d5c8
parent 31e106c01c
14 changed files with 161 additions and 22 deletions
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@ -2417,11 +2417,17 @@ The default action. This will attempt to figure out the remote SSL protocol
 version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
 by default with 7.18.1).
 .IP CURL_SSLVERSION_TLSv1
-Force TLSv1
+Force TLSv1.x
 .IP CURL_SSLVERSION_SSLv2
 Force SSLv2
 .IP CURL_SSLVERSION_SSLv3
 Force SSLv3
 .IP CURL_SSLVERSION_TLSv1_0
 Force TLSv1.0
 .IP CURL_SSLVERSION_TLSv1_1
 Force TLSv1.1
 .IP CURL_SSLVERSION_TLSv1_2
 Force TLSv1.2
 .RE
 .IP CURLOPT_SSL_VERIFYPEER
 Pass a long as parameter. By default, curl assumes a value of 1.
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@ -695,6 +695,9 @@ CURL_SSLVERSION_DEFAULT         7.9.2
 CURL_SSLVERSION_SSLv2           7.9.2
 CURL_SSLVERSION_SSLv3           7.9.2
 CURL_SSLVERSION_TLSv1           7.9.2
 CURL_SSLVERSION_TLSv1_0         7.33.0
 CURL_SSLVERSION_TLSv1_1         7.33.0
 CURL_SSLVERSION_TLSv1_2         7.33.0
 CURL_TIMECOND_IFMODSINCE        7.9.7
 CURL_TIMECOND_IFUNMODSINCE      7.9.7
 CURL_TIMECOND_LASTMOD           7.9.7
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@ -1659,9 +1659,12 @@ enum CURL_NETRC_OPTION {
 enum {
  CURL_SSLVERSION_DEFAULT,
-  CURL_SSLVERSION_TLSv1,
+  CURL_SSLVERSION_TLSv1, /* TLS 1.x */
  CURL_SSLVERSION_SSLv2,
  CURL_SSLVERSION_SSLv3,
  CURL_SSLVERSION_TLSv1_0,
  CURL_SSLVERSION_TLSv1_1,
  CURL_SSLVERSION_TLSv1_2,
  CURL_SSLVERSION_LAST /* never use, keep last */
 };
--- a/lib/axtls.c
+++ b/lib/axtls.c
@ -164,7 +164,8 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
  case CURL_SSLVERSION_TLSv1:
    break;
  default:
-    failf(data, "axTLS only supports TLSv1");
+    failf(data, "axTLS only supports TLS 1.0 and 1.1, "
          "and it cannot be specified which one to use");
    return CURLE_SSL_CONNECT_ERROR;
  }
--- a/lib/curl_darwinssl.c
+++ b/lib/curl_darwinssl.c
@ -1056,6 +1056,18 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
        break;
      case CURL_SSLVERSION_TLSv1_0:
        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1);
        break;
      case CURL_SSLVERSION_TLSv1_1:
        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11);
        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11);
        break;
      case CURL_SSLVERSION_TLSv1_2:
        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
        break;
      case CURL_SSLVERSION_SSLv3:
        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3);
@ -1100,6 +1112,21 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                           kTLSProtocol12,
                                           true);
        break;
      case CURL_SSLVERSION_TLSv1_0:
        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                           kTLSProtocol1,
                                           true);
        break;
      case CURL_SSLVERSION_TLSv1_1:
        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                           kTLSProtocol11,
                                           true);
        break;
      case CURL_SSLVERSION_TLSv1_2:
        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                           kTLSProtocol12,
                                           true);
        break;
      case CURL_SSLVERSION_SSLv3:
        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                           kSSLProtocol3,
@ -1130,10 +1157,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                         true);
      break;
    case CURL_SSLVERSION_TLSv1:
    case CURL_SSLVERSION_TLSv1_0:
      (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                         kTLSProtocol1,
                                         true);
      break;
    case CURL_SSLVERSION_TLSv1_1:
      failf(data, "Your version of the OS does not support TLSv1.1");
      return CURLE_SSL_CONNECT_ERROR;
    case CURL_SSLVERSION_TLSv1_2:
      failf(data, "Your version of the OS does not support TLSv1.2");
      return CURLE_SSL_CONNECT_ERROR;
    case CURL_SSLVERSION_SSLv2:
      err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                         kSSLProtocol2,
--- a/lib/curl_schannel.c
+++ b/lib/curl_schannel.c
@ -180,6 +180,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
                                              SP_PROT_TLS1_1_CLIENT |
                                              SP_PROT_TLS1_2_CLIENT;
        break;
      case CURL_SSLVERSION_TLSv1_0:
        schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT;
        break;
      case CURL_SSLVERSION_TLSv1_1:
        schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_1_CLIENT;
        break;
      case CURL_SSLVERSION_TLSv1_2:
        schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT;
        break;
      case CURL_SSLVERSION_SSLv3:
        schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
        break;
--- a/lib/cyassl.c
+++ b/lib/cyassl.c
@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -98,8 +98,19 @@ cyassl_connect_step1(struct connectdata *conn,
    req_method = SSLv23_client_method();
    break;
  case CURL_SSLVERSION_TLSv1:
    infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
          "TLS 1.0 is used exclusively\n");
    req_method = TLSv1_client_method();
    break;
  case CURL_SSLVERSION_TLSv1_0:
    req_method = TLSv1_client_method();
    break;
  case CURL_SSLVERSION_TLSv1_1:
    req_method = TLSv1_1_client_method();
    break;
  case CURL_SSLVERSION_TLSv1_2:
    req_method = TLSv1_2_client_method();
    break;
  case CURL_SSLVERSION_SSLv3:
    req_method = SSLv3_client_method();
    break;
--- a/lib/gskit.c
+++ b/lib/gskit.c
@ -503,8 +503,17 @@ static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex)
    sni = (char *) NULL;
    break;
  case CURL_SSLVERSION_TLSv1:
  case CURL_SSLVERSION_TLSv1_0:
    tlsv1enable = true;
    break;
  case CURL_SSLVERSION_TLSv1_1:
    failf(data, "GSKit doesn't support TLS 1.1!");
    cc = CURLE_SSL_CONNECT_ERROR;
    break;
  case CURL_SSLVERSION_TLSv1_2:
    failf(data, "GSKit doesn't support TLS 1.2!");
    cc = CURLE_SSL_CONNECT_ERROR;
    break;
  default:              /* CURL_SSLVERSION_DEFAULT. */
    sslv3enable = true;
    tlsv1enable = true;
@ -555,7 +564,7 @@ static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex)
                  GSK_PROTOCOL_SSLV3_OFF);
  if(cc == CURLE_OK)
    cc = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV1,
-                  sslv3enable?  GSK_PROTOCOL_TLSV1_ON:
+                  tlsv1enable?  GSK_PROTOCOL_TLSV1_ON:
                  GSK_PROTOCOL_TLSV1_OFF);
  if(cc == CURLE_OK)
    cc = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE,
--- a/lib/nss.c
+++ b/lib/nss.c
@ -1267,6 +1267,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
  case CURL_SSLVERSION_SSLv3:
    ssl3 = PR_TRUE;
    break;
  case CURL_SSLVERSION_TLSv1_0:
  case CURL_SSLVERSION_TLSv1_1:
  case CURL_SSLVERSION_TLSv1_2:
    failf(data, "TLS minor version cannot be set\n");
    curlerr = CURLE_SSL_CONNECT_ERROR;
    goto error;
  }
  if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
--- a/lib/qssl.c
+++ b/lib/qssl.c
@ -204,6 +204,12 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
  case CURL_SSLVERSION_SSLv3:
    h->protocol = SSL_VERSION_3;
    break;
  case CURL_SSLVERSION_TLSv1_0:
  case CURL_SSLVERSION_TLSv1_1:
  case CURL_SSLVERSION_TLSv1_2:
    failf(data, "TLS minor version cannot be set");
    return CURLE_SSL_CONNECT_ERROR;
  }
  h->peerCert = NULL;
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@ -1431,19 +1431,12 @@ ossl_connect_step1(struct connectdata *conn,
  switch(data->set.ssl.version) {
  default:
  case CURL_SSLVERSION_DEFAULT:
 #ifdef USE_TLS_SRP
    if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
      infof(data, "Set version TLSv1 for SRP authorisation\n");
      req_method = TLSv1_client_method() ;
    }
    else
 #endif
    /* we try to figure out version */
    req_method = SSLv23_client_method();
    use_sni(TRUE);
    break;
  case CURL_SSLVERSION_TLSv1:
-    req_method = TLSv1_client_method();
+  case CURL_SSLVERSION_TLSv1_0:
  case CURL_SSLVERSION_TLSv1_1:
  case CURL_SSLVERSION_TLSv1_2:
    /* it will be handled later with the context options */
    req_method = SSLv23_client_method();
    use_sni(TRUE);
    break;
  case CURL_SSLVERSION_SSLv2:
@ -1556,9 +1549,39 @@ ossl_connect_step1(struct connectdata *conn,
    ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 #endif
-  /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
+  switch(data->set.ssl.version) {
-  if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
+  case CURL_SSLVERSION_DEFAULT:
    ctx_options |= SSL_OP_NO_SSLv2;
 #ifdef USE_TLS_SRP
    if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
      infof(data, "Set version TLSv1.x for SRP authorisation\n");
      ctx_options |= SSL_OP_NO_SSLv3;
    }
 #endif
    break;
  case CURL_SSLVERSION_TLSv1:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    break;
  case CURL_SSLVERSION_TLSv1_0:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    ctx_options |= SSL_OP_NO_TLSv1_1;
    ctx_options |= SSL_OP_NO_TLSv1_2;
    break;
  case CURL_SSLVERSION_TLSv1_1:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    ctx_options |= SSL_OP_NO_TLSv1;
    ctx_options |= SSL_OP_NO_TLSv1_2;
    break;
  case CURL_SSLVERSION_TLSv1_2:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    ctx_options |= SSL_OP_NO_TLSv1;
    ctx_options |= SSL_OP_NO_TLSv1_1;
    break;
  }
  SSL_CTX_set_options(connssl->ctx, ctx_options);
--- a/packages/OS400/curl.inc.in
+++ b/packages/OS400/curl.inc.in
@ -228,6 +228,12 @@
     d                 c                   2
     d CURL_SSLVERSION_SSLv3...
     d                 c                   3
     d CURL_SSLVERSION_TLSv1_0...
     d                 c                   4
     d CURL_SSLVERSION_TLSv1_1...
     d                 c                   5
     d CURL_SSLVERSION_TLSv1_2...
     d                 c                   6
      *
     d CURL_TLSAUTH_NONE...
     d                 c                   0
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@ -184,6 +184,9 @@ static const struct LongShort aliases[]= {
  {"01",  "http1.1",                 FALSE},
  {"02",  "http2.0",                 FALSE},
  {"1",  "tlsv1",                    FALSE},
  {"10",  "tlsv1.0",                 FALSE},
  {"11",  "tlsv1.1",                 FALSE},
  {"12",  "tlsv1.2",                 FALSE},
  {"2",  "sslv2",                    FALSE},
  {"3",  "sslv3",                    FALSE},
  {"4",  "ipv4",                     FALSE},
@ -1023,9 +1026,25 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
        break;
      }
      break;
-    case '1':
+    case '1': /* --tlsv1* options */
-      /* TLS version 1 */
+      switch(subletter) {
-      config->ssl_version = CURL_SSLVERSION_TLSv1;
+      case '\0':
        /* TLS version 1.x */
        config->ssl_version = CURL_SSLVERSION_TLSv1;
        break;
      case '0':
        /* TLS version 1.0 */
        config->ssl_version = CURL_SSLVERSION_TLSv1_0;
        break;
      case '1':
        /* TLS version 1.1 */
        config->ssl_version = CURL_SSLVERSION_TLSv1_1;
        break;
      case '2':
        /* TLS version 1.2 */
        config->ssl_version = CURL_SSLVERSION_TLSv1_2;
        break;
      }
      break;
    case '2':
      /* SSL version 2 */
--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
@ -78,6 +78,9 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
  NV(CURL_SSLVERSION_TLSv1),
  NV(CURL_SSLVERSION_SSLv2),
  NV(CURL_SSLVERSION_SSLv3),
  NV(CURL_SSLVERSION_TLSv1_0),
  NV(CURL_SSLVERSION_TLSv1_1),
  NV(CURL_SSLVERSION_TLSv1_2),
  NVEND,
 };