aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJay Satiro <raysatiro@yahoo.com>2015-03-25 02:40:00 -0400
committerDaniel Stenberg <daniel@haxx.se>2015-03-25 08:10:24 +0100
commite35f2e61ecf18153c9a0b152c1f1a8b3d9475cf3 (patch)
treedc0a4fdc7bac25eb9f0ca87af7385a8d8fa94e15
parentd29f8b460c9d4b5609c2330d97ecf9ffec210453 (diff)
cyassl: default to highest possible TLS version
(cyassl_connect_step1) - Use TLS 1.0-1.2 by default when available. CyaSSL/wolfSSL >= v3.3.0 supports setting a minimum protocol downgrade version. cyassl/cyassl@322f79f
-rw-r--r--lib/vtls/cyassl.c35
1 files changed, 27 insertions, 8 deletions
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
index 72e1792df..5ba279e5b 100644
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -90,20 +90,18 @@ cyassl_connect_step1(struct connectdata *conn,
if(conssl->state == ssl_connection_complete)
return CURLE_OK;
- /* CyaSSL doesn't support SSLv2 */
- if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
- failf(data, "CyaSSL does not support SSLv2");
- return CURLE_SSL_CONNECT_ERROR;
- }
-
/* check to see if we've been told to use an explicit SSL/TLS version */
switch(data->set.ssl.version) {
- default:
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
- infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
+#if LIBCYASSL_VERSION_HEX >= 0x03003000 /* 3.3.0 */
+ /* the minimum version is set later after the SSL object is created */
+ req_method = SSLv23_client_method();
+#else
+ infof(data, "CyaSSL <3.3.0 cannot be configured to use TLS 1.0-1.2, "
"TLS 1.0 is used exclusively\n");
req_method = TLSv1_client_method();
+#endif
break;
case CURL_SSLVERSION_TLSv1_0:
req_method = TLSv1_client_method();
@@ -117,6 +115,12 @@ cyassl_connect_step1(struct connectdata *conn,
case CURL_SSLVERSION_SSLv3:
req_method = SSLv3_client_method();
break;
+ case CURL_SSLVERSION_SSLv2:
+ failf(data, "CyaSSL does not support SSLv2");
+ return CURLE_SSL_CONNECT_ERROR;
+ default:
+ failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
+ return CURLE_SSL_CONNECT_ERROR;
}
if(!req_method) {
@@ -210,6 +214,21 @@ cyassl_connect_step1(struct connectdata *conn,
return CURLE_OUT_OF_MEMORY;
}
+ switch(data->set.ssl.version) {
+ case CURL_SSLVERSION_DEFAULT:
+ case CURL_SSLVERSION_TLSv1:
+#if LIBCYASSL_VERSION_HEX >= 0x03003000 /* >= 3.3.0 */
+ /* short circuit evaluation to find minimum supported TLS version */
+ if((CyaSSL_SetMinVersion(conssl->handle, CYASSL_TLSV1) != SSL_SUCCESS) &&
+ (CyaSSL_SetMinVersion(conssl->handle, CYASSL_TLSV1_1) != SSL_SUCCESS) &&
+ (CyaSSL_SetMinVersion(conssl->handle, CYASSL_TLSV1_2) != SSL_SUCCESS)) {
+ failf(data, "SSL: couldn't set the minimum protocol version");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+#endif
+ break;
+ }
+
/* Check if there's a cached ID we can/should use here! */
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
/* we got a session id, use it! */