mirror of
https://github.com/moparisthebest/curl
synced 2025-01-09 21:18:00 -05:00
vtls: refuse setting any SSL version
... previously they were supported if a TLS library would (unexpectedly) still support them, but from this change they will be refused already in curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for many years now. Closes #6773
This commit is contained in:
parent
cf65d4237e
commit
eff614fb02
@ -5,7 +5,7 @@
|
|||||||
.\" * | (__| |_| | _ <| |___
|
.\" * | (__| |_| | _ <| |___
|
||||||
.\" * \___|\___/|_| \_\_____|
|
.\" * \___|\___/|_| \_\_____|
|
||||||
.\" *
|
.\" *
|
||||||
.\" * Copyright (C) 1998 - 2019, 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
.\" * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
.\" *
|
.\" *
|
||||||
.\" * This software is licensed as described in the file COPYING, which
|
.\" * This software is licensed as described in the file COPYING, which
|
||||||
.\" * you should have received as part of this distribution. The terms
|
.\" * you should have received as part of this distribution. The terms
|
||||||
@ -43,9 +43,9 @@ default TLS v1.0 since 7.39.0 (unless the TLS library has a stricter rule).
|
|||||||
.IP CURL_SSLVERSION_TLSv1
|
.IP CURL_SSLVERSION_TLSv1
|
||||||
TLS v1.0 or later
|
TLS v1.0 or later
|
||||||
.IP CURL_SSLVERSION_SSLv2
|
.IP CURL_SSLVERSION_SSLv2
|
||||||
SSL v2 (but not SSLv3)
|
SSL v2 - refused
|
||||||
.IP CURL_SSLVERSION_SSLv3
|
.IP CURL_SSLVERSION_SSLv3
|
||||||
SSL v3 (but not SSLv2)
|
SSL v3 - refused
|
||||||
.IP CURL_SSLVERSION_TLSv1_0
|
.IP CURL_SSLVERSION_TLSv1_0
|
||||||
TLS v1.0 or later (Added in 7.34.0)
|
TLS v1.0 or later (Added in 7.34.0)
|
||||||
.IP CURL_SSLVERSION_TLSv1_1
|
.IP CURL_SSLVERSION_TLSv1_1
|
||||||
@ -102,6 +102,8 @@ if(curl) {
|
|||||||
}
|
}
|
||||||
.fi
|
.fi
|
||||||
.SH AVAILABILITY
|
.SH AVAILABILITY
|
||||||
|
SSLv2 and SSLv3 are refused completely since curl 7.77.0
|
||||||
|
|
||||||
SSLv2 is disabled by default since 7.18.1. Other SSL versions availability may
|
SSLv2 is disabled by default since 7.18.1. Other SSL versions availability may
|
||||||
vary depending on which backend libcurl has been built to use.
|
vary depending on which backend libcurl has been built to use.
|
||||||
|
|
||||||
|
@ -426,6 +426,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
|||||||
version_max = C_SSLVERSION_MAX_VALUE(arg);
|
version_max = C_SSLVERSION_MAX_VALUE(arg);
|
||||||
|
|
||||||
if(version < CURL_SSLVERSION_DEFAULT ||
|
if(version < CURL_SSLVERSION_DEFAULT ||
|
||||||
|
version == CURL_SSLVERSION_SSLv2 ||
|
||||||
|
version == CURL_SSLVERSION_SSLv3 ||
|
||||||
version >= CURL_SSLVERSION_LAST ||
|
version >= CURL_SSLVERSION_LAST ||
|
||||||
version_max < CURL_SSLVERSION_MAX_NONE ||
|
version_max < CURL_SSLVERSION_MAX_NONE ||
|
||||||
version_max >= CURL_SSLVERSION_MAX_LAST)
|
version_max >= CURL_SSLVERSION_MAX_LAST)
|
||||||
|
@ -263,10 +263,10 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
char errorbuf[128];
|
char errorbuf[128];
|
||||||
errorbuf[0] = 0;
|
errorbuf[0] = 0;
|
||||||
|
|
||||||
/* mbedTLS only supports SSLv3 and TLSv1 */
|
if((SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) ||
|
||||||
if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) {
|
(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv3)) {
|
||||||
failf(data, "mbedTLS does not support SSLv2");
|
failf(data, "Not supported SSL version");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_NOT_BUILT_IN;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef THREADING_SUPPORT
|
#ifdef THREADING_SUPPORT
|
||||||
@ -414,13 +414,6 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
MBEDTLS_SSL_MINOR_VERSION_1);
|
MBEDTLS_SSL_MINOR_VERSION_1);
|
||||||
infof(data, "mbedTLS: Set min SSL version to TLS 1.0\n");
|
infof(data, "mbedTLS: Set min SSL version to TLS 1.0\n");
|
||||||
break;
|
break;
|
||||||
case CURL_SSLVERSION_SSLv3:
|
|
||||||
mbedtls_ssl_conf_min_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3,
|
|
||||||
MBEDTLS_SSL_MINOR_VERSION_0);
|
|
||||||
mbedtls_ssl_conf_max_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3,
|
|
||||||
MBEDTLS_SSL_MINOR_VERSION_0);
|
|
||||||
infof(data, "mbedTLS: Set SSL version to SSLv3\n");
|
|
||||||
break;
|
|
||||||
case CURL_SSLVERSION_TLSv1_0:
|
case CURL_SSLVERSION_TLSv1_0:
|
||||||
case CURL_SSLVERSION_TLSv1_1:
|
case CURL_SSLVERSION_TLSv1_1:
|
||||||
case CURL_SSLVERSION_TLSv1_2:
|
case CURL_SSLVERSION_TLSv1_2:
|
||||||
|
@ -1699,8 +1699,7 @@ static CURLcode nss_sslver_from_curl(PRUint16 *nssver, long version)
|
|||||||
return CURLE_OK;
|
return CURLE_OK;
|
||||||
|
|
||||||
case CURL_SSLVERSION_SSLv3:
|
case CURL_SSLVERSION_SSLv3:
|
||||||
*nssver = SSL_LIBRARY_VERSION_3_0;
|
return CURLE_NOT_BUILT_IN;
|
||||||
return CURLE_OK;
|
|
||||||
|
|
||||||
case CURL_SSLVERSION_TLSv1_0:
|
case CURL_SSLVERSION_TLSv1_0:
|
||||||
*nssver = SSL_LIBRARY_VERSION_TLS_1_0;
|
*nssver = SSL_LIBRARY_VERSION_TLS_1_0;
|
||||||
|
@ -122,12 +122,6 @@
|
|||||||
#define HAVE_ERR_REMOVE_THREAD_STATE 1
|
#define HAVE_ERR_REMOVE_THREAD_STATE 1
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if !defined(HAVE_SSLV2_CLIENT_METHOD) || \
|
|
||||||
OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0+ has no SSLv2 */
|
|
||||||
#undef OPENSSL_NO_SSL2 /* undef first to avoid compiler warnings */
|
|
||||||
#define OPENSSL_NO_SSL2
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \
|
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \
|
||||||
!(defined(LIBRESSL_VERSION_NUMBER) && \
|
!(defined(LIBRESSL_VERSION_NUMBER) && \
|
||||||
LIBRESSL_VERSION_NUMBER < 0x20700000L)
|
LIBRESSL_VERSION_NUMBER < 0x20700000L)
|
||||||
@ -2581,31 +2575,11 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
|||||||
use_sni(TRUE);
|
use_sni(TRUE);
|
||||||
break;
|
break;
|
||||||
case CURL_SSLVERSION_SSLv2:
|
case CURL_SSLVERSION_SSLv2:
|
||||||
#ifdef OPENSSL_NO_SSL2
|
failf(data, "No SSLv2 support");
|
||||||
failf(data, OSSL_PACKAGE " was built without SSLv2 support");
|
|
||||||
return CURLE_NOT_BUILT_IN;
|
return CURLE_NOT_BUILT_IN;
|
||||||
#else
|
|
||||||
#ifdef USE_OPENSSL_SRP
|
|
||||||
if(ssl_authtype == CURL_TLSAUTH_SRP)
|
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
|
||||||
#endif
|
|
||||||
req_method = SSLv2_client_method();
|
|
||||||
use_sni(FALSE);
|
|
||||||
break;
|
|
||||||
#endif
|
|
||||||
case CURL_SSLVERSION_SSLv3:
|
case CURL_SSLVERSION_SSLv3:
|
||||||
#ifdef OPENSSL_NO_SSL3_METHOD
|
failf(data, "No SSLv3 support");
|
||||||
failf(data, OSSL_PACKAGE " was built without SSLv3 support");
|
|
||||||
return CURLE_NOT_BUILT_IN;
|
return CURLE_NOT_BUILT_IN;
|
||||||
#else
|
|
||||||
#ifdef USE_OPENSSL_SRP
|
|
||||||
if(ssl_authtype == CURL_TLSAUTH_SRP)
|
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
|
||||||
#endif
|
|
||||||
req_method = SSLv3_client_method();
|
|
||||||
use_sni(FALSE);
|
|
||||||
break;
|
|
||||||
#endif
|
|
||||||
default:
|
default:
|
||||||
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
@ -2693,41 +2667,9 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
switch(ssl_version) {
|
switch(ssl_version) {
|
||||||
/* "--sslv2" option means SSLv2 only, disable all others */
|
|
||||||
case CURL_SSLVERSION_SSLv2:
|
case CURL_SSLVERSION_SSLv2:
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 */
|
|
||||||
SSL_CTX_set_min_proto_version(backend->ctx, SSL2_VERSION);
|
|
||||||
SSL_CTX_set_max_proto_version(backend->ctx, SSL2_VERSION);
|
|
||||||
#else
|
|
||||||
ctx_options |= SSL_OP_NO_SSLv3;
|
|
||||||
ctx_options |= SSL_OP_NO_TLSv1;
|
|
||||||
# if OPENSSL_VERSION_NUMBER >= 0x1000100FL
|
|
||||||
ctx_options |= SSL_OP_NO_TLSv1_1;
|
|
||||||
ctx_options |= SSL_OP_NO_TLSv1_2;
|
|
||||||
# ifdef TLS1_3_VERSION
|
|
||||||
ctx_options |= SSL_OP_NO_TLSv1_3;
|
|
||||||
# endif
|
|
||||||
# endif
|
|
||||||
#endif
|
|
||||||
break;
|
|
||||||
|
|
||||||
/* "--sslv3" option means SSLv3 only, disable all others */
|
|
||||||
case CURL_SSLVERSION_SSLv3:
|
case CURL_SSLVERSION_SSLv3:
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 */
|
return CURLE_NOT_BUILT_IN;
|
||||||
SSL_CTX_set_min_proto_version(backend->ctx, SSL3_VERSION);
|
|
||||||
SSL_CTX_set_max_proto_version(backend->ctx, SSL3_VERSION);
|
|
||||||
#else
|
|
||||||
ctx_options |= SSL_OP_NO_SSLv2;
|
|
||||||
ctx_options |= SSL_OP_NO_TLSv1;
|
|
||||||
# if OPENSSL_VERSION_NUMBER >= 0x1000100FL
|
|
||||||
ctx_options |= SSL_OP_NO_TLSv1_1;
|
|
||||||
ctx_options |= SSL_OP_NO_TLSv1_2;
|
|
||||||
# ifdef TLS1_3_VERSION
|
|
||||||
ctx_options |= SSL_OP_NO_TLSv1_3;
|
|
||||||
# endif
|
|
||||||
# endif
|
|
||||||
#endif
|
|
||||||
break;
|
|
||||||
|
|
||||||
/* "--tlsv<x.y>" options mean TLS >= version <x.y> */
|
/* "--tlsv<x.y>" options mean TLS >= version <x.y> */
|
||||||
case CURL_SSLVERSION_DEFAULT:
|
case CURL_SSLVERSION_DEFAULT:
|
||||||
|
@ -572,11 +572,9 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
case CURL_SSLVERSION_SSLv3:
|
case CURL_SSLVERSION_SSLv3:
|
||||||
schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
|
|
||||||
break;
|
|
||||||
case CURL_SSLVERSION_SSLv2:
|
case CURL_SSLVERSION_SSLv2:
|
||||||
schannel_cred.grbitEnabledProtocols = SP_PROT_SSL2_CLIENT;
|
failf(data, "SSL versions not supported");
|
||||||
break;
|
return CURLE_NOT_BUILT_IN;
|
||||||
default:
|
default:
|
||||||
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
|
@ -1486,21 +1486,9 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
case CURL_SSLVERSION_SSLv3:
|
case CURL_SSLVERSION_SSLv3:
|
||||||
err = SSLSetProtocolVersionMin(backend->ssl_ctx, kSSLProtocol3);
|
|
||||||
if(err != noErr) {
|
|
||||||
failf(data, "Your version of the OS does not support SSLv3");
|
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
|
||||||
}
|
|
||||||
(void)SSLSetProtocolVersionMax(backend->ssl_ctx, kSSLProtocol3);
|
|
||||||
break;
|
|
||||||
case CURL_SSLVERSION_SSLv2:
|
case CURL_SSLVERSION_SSLv2:
|
||||||
err = SSLSetProtocolVersionMin(backend->ssl_ctx, kSSLProtocol2);
|
failf(data, "SSL versions not supported");
|
||||||
if(err != noErr) {
|
return CURLE_NOT_BUILT_IN;
|
||||||
failf(data, "Your version of the OS does not support SSLv2");
|
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
|
||||||
}
|
|
||||||
(void)SSLSetProtocolVersionMax(backend->ssl_ctx, kSSLProtocol2);
|
|
||||||
break;
|
|
||||||
default:
|
default:
|
||||||
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
@ -1535,23 +1523,9 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
case CURL_SSLVERSION_SSLv3:
|
case CURL_SSLVERSION_SSLv3:
|
||||||
err = SSLSetProtocolVersionEnabled(backend->ssl_ctx,
|
|
||||||
kSSLProtocol3,
|
|
||||||
true);
|
|
||||||
if(err != noErr) {
|
|
||||||
failf(data, "Your version of the OS does not support SSLv3");
|
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case CURL_SSLVERSION_SSLv2:
|
case CURL_SSLVERSION_SSLv2:
|
||||||
err = SSLSetProtocolVersionEnabled(backend->ssl_ctx,
|
failf(data, "SSL versions not supported");
|
||||||
kSSLProtocol2,
|
return CURLE_NOT_BUILT_IN;
|
||||||
true);
|
|
||||||
if(err != noErr) {
|
|
||||||
failf(data, "Your version of the OS does not support SSLv2");
|
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
default:
|
default:
|
||||||
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
@ -1583,23 +1557,9 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
|
|||||||
failf(data, "Your version of the OS does not support TLSv1.3");
|
failf(data, "Your version of the OS does not support TLSv1.3");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
case CURL_SSLVERSION_SSLv2:
|
case CURL_SSLVERSION_SSLv2:
|
||||||
err = SSLSetProtocolVersionEnabled(backend->ssl_ctx,
|
|
||||||
kSSLProtocol2,
|
|
||||||
true);
|
|
||||||
if(err != noErr) {
|
|
||||||
failf(data, "Your version of the OS does not support SSLv2");
|
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case CURL_SSLVERSION_SSLv3:
|
case CURL_SSLVERSION_SSLv3:
|
||||||
err = SSLSetProtocolVersionEnabled(backend->ssl_ctx,
|
failf(data, "SSL versions not supported");
|
||||||
kSSLProtocol3,
|
return CURLE_NOT_BUILT_IN;
|
||||||
true);
|
|
||||||
if(err != noErr) {
|
|
||||||
failf(data, "Your version of the OS does not support SSLv3");
|
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
default:
|
default:
|
||||||
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
|
@ -47,16 +47,6 @@
|
|||||||
#endif
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* WOLFSSL_ALLOW_SSLV3 is wolfSSL's build time symbol for enabling SSLv3 in
|
|
||||||
options.h, but is only seen in >= 3.6.6 since that's when they started
|
|
||||||
disabling SSLv3 by default. */
|
|
||||||
#ifndef WOLFSSL_ALLOW_SSLV3
|
|
||||||
#if (LIBWOLFSSL_VERSION_HEX < 0x03006006) || \
|
|
||||||
defined(HAVE_WOLFSSLV3_CLIENT_METHOD)
|
|
||||||
#define WOLFSSL_ALLOW_SSLV3
|
|
||||||
#endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#include <limits.h>
|
#include <limits.h>
|
||||||
|
|
||||||
#include "urldata.h"
|
#include "urldata.h"
|
||||||
@ -285,18 +275,10 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
|||||||
failf(data, "wolfSSL: TLS 1.3 is not yet supported");
|
failf(data, "wolfSSL: TLS 1.3 is not yet supported");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
#endif
|
#endif
|
||||||
case CURL_SSLVERSION_SSLv3:
|
|
||||||
#ifdef WOLFSSL_ALLOW_SSLV3
|
|
||||||
req_method = SSLv3_client_method();
|
|
||||||
use_sni(FALSE);
|
|
||||||
#else
|
|
||||||
failf(data, "wolfSSL does not support SSLv3");
|
|
||||||
return CURLE_NOT_BUILT_IN;
|
|
||||||
#endif
|
|
||||||
break;
|
|
||||||
case CURL_SSLVERSION_SSLv2:
|
case CURL_SSLVERSION_SSLv2:
|
||||||
failf(data, "wolfSSL does not support SSLv2");
|
case CURL_SSLVERSION_SSLv3:
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
failf(data, "SSL versions not supported");
|
||||||
|
return CURLE_NOT_BUILT_IN;
|
||||||
default:
|
default:
|
||||||
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
|
Loading…
Reference in New Issue
Block a user