nss: use TLSv1.3 as default if supported
SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported range in NSS 3.45. It looks like the intention is to raise the minimum version rather than lowering the maximum, so adjust accordingly. Note that the caller (nss_setup_connect) initializes the version range to (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again. Closes #4187 Reviewed-by: Daniel Stenberg Reviewed-by: Kamil Dudka
parent
362d59edab
commit
cc5fae5dac
@ -1734,20 +1734,16 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
|
|||||||
CURLcode result;
|
CURLcode result;
|
||||||
const long min = SSL_CONN_CONFIG(version);
|
const long min = SSL_CONN_CONFIG(version);
|
||||||
const long max = SSL_CONN_CONFIG(version_max);
|
const long max = SSL_CONN_CONFIG(version_max);
|
||||||
|
SSLVersionRange vrange;
|
||||||
/* map CURL_SSLVERSION_DEFAULT to NSS default */
|
|
||||||
if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) {
|
|
||||||
/* map CURL_SSLVERSION_DEFAULT to NSS default */
|
|
||||||
if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
|
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
|
||||||
/* ... but make sure we use at least TLSv1.0 according to libcurl API */
|
|
||||||
if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
|
|
||||||
sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
||||||
}
|
|
||||||
|
|
||||||
switch(min) {
|
switch(min) {
|
||||||
case CURL_SSLVERSION_TLSv1:
|
case CURL_SSLVERSION_TLSv1:
|
||||||
case CURL_SSLVERSION_DEFAULT:
|
case CURL_SSLVERSION_DEFAULT:
|
||||||
|
/* Bump our minimum TLS version if NSS has stricter requirements. */
|
||||||
|
if(SSL_VersionRangeGetDefault(ssl_variant_stream, &vrange) != SECSuccess)
|
||||||
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
|
if(sslver->min < vrange.min)
|
||||||
|
sslver->min = vrange.min;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
result = nss_sslver_from_curl(&sslver->min, min);
|
result = nss_sslver_from_curl(&sslver->min, min);
|
||||||
|
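Review bot: On the `CURL_SSLVERSION_TLSv1` / `CURL_SSLVERSION_DEFAULT` path, `if(sslver->min < vrange.min)` now reads `*sslver` before anything in this function has written it, so the minimum TLS version depends on the caller having initialized the range; the removed code filled it from `SSL_VersionRangeGetDefault` on the default path. The commit message says nss_setup_connect does this, but nothing in the code records the precondition, so I would add a comment above the `switch`, e.g. `/* sslver must be initialized by the caller; only its minimum is raised to the NSS default here */`. Separately, the minimum is raised without looking at the maximum: if an explicit `version_max` below `vrange.min` is applied later in the function (outside this hunk), the range would be inverted, and it is worth confirming that this fails the connection rather than being silently adjusted. nss_init_sslver starts before and continues after the hunk.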