mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 23:58:49 -05:00
cyassl: default to highest possible TLS version
(cyassl_connect_step1) - Use TLS 1.0-1.2 by default when available. CyaSSL/wolfSSL >= v3.3.0 supports setting a minimum protocol downgrade version. cyassl/cyassl@322f79f
This commit is contained in:
parent
d29f8b460c
commit
e35f2e61ec
@ -90,20 +90,18 @@ cyassl_connect_step1(struct connectdata *conn,
|
||||
if(conssl->state == ssl_connection_complete)
|
||||
return CURLE_OK;
|
||||
|
||||
/* CyaSSL doesn't support SSLv2 */
|
||||
if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
|
||||
failf(data, "CyaSSL does not support SSLv2");
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
}
|
||||
|
||||
/* check to see if we've been told to use an explicit SSL/TLS version */
|
||||
switch(data->set.ssl.version) {
|
||||
default:
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
|
||||
#if LIBCYASSL_VERSION_HEX >= 0x03003000 /* 3.3.0 */
|
||||
/* the minimum version is set later after the SSL object is created */
|
||||
req_method = SSLv23_client_method();
|
||||
#else
|
||||
infof(data, "CyaSSL <3.3.0 cannot be configured to use TLS 1.0-1.2, "
|
||||
"TLS 1.0 is used exclusively\n");
|
||||
req_method = TLSv1_client_method();
|
||||
#endif
|
||||
break;
|
||||
case CURL_SSLVERSION_TLSv1_0:
|
||||
req_method = TLSv1_client_method();
|
||||
@ -117,6 +115,12 @@ cyassl_connect_step1(struct connectdata *conn,
|
||||
case CURL_SSLVERSION_SSLv3:
|
||||
req_method = SSLv3_client_method();
|
||||
break;
|
||||
case CURL_SSLVERSION_SSLv2:
|
||||
failf(data, "CyaSSL does not support SSLv2");
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
default:
|
||||
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
}
|
||||
|
||||
if(!req_method) {
|
||||
@ -210,6 +214,21 @@ cyassl_connect_step1(struct connectdata *conn,
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
}
|
||||
|
||||
switch(data->set.ssl.version) {
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
#if LIBCYASSL_VERSION_HEX >= 0x03003000 /* >= 3.3.0 */
|
||||
/* short circuit evaluation to find minimum supported TLS version */
|
||||
if((CyaSSL_SetMinVersion(conssl->handle, CYASSL_TLSV1) != SSL_SUCCESS) &&
|
||||
(CyaSSL_SetMinVersion(conssl->handle, CYASSL_TLSV1_1) != SSL_SUCCESS) &&
|
||||
(CyaSSL_SetMinVersion(conssl->handle, CYASSL_TLSV1_2) != SSL_SUCCESS)) {
|
||||
failf(data, "SSL: couldn't set the minimum protocol version");
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
}
|
||||
#endif
|
||||
break;
|
||||
}
|
||||
|
||||
/* Check if there's a cached ID we can/should use here! */
|
||||
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
|
||||
/* we got a session id, use it! */
|
||||
|
Loading…
Reference in New Issue
Block a user