diff options
| author | Gunter Knauf <gk@gknw.de> | 2008-02-19 23:10:07 +0000 |
|---|---|---|
| committer | Gunter Knauf <gk@gknw.de> | 2008-02-19 23:10:07 +0000 |
| commit | f9a60620818b6a19ebe3e6f15e1b57d7012e6fb0 (patch) | |
| tree | c2bc254dd996004ffef3b7af8eb66b36d1010bf1 | |
| parent | 0cae2010440de8757a3a15792892d52d8e158bd6 (diff) | |
applied patch to disable SSLv2 by default; discussion:
http://sourceforge.net/tracker/index.php?func=detail&aid=1767276&group_id=976&atid=350976
Submitted by Kaspar Brand.
| -rw-r--r-- | docs/libcurl/curl_easy_setopt.3 | 7 | ||||
| -rw-r--r-- | lib/nss.c | 5 | ||||
| -rw-r--r-- | lib/qssl.c | 4 | ||||
| -rw-r--r-- | lib/ssluse.c | 4 |
4 files changed, 13 insertions, 7 deletions
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index dec4371e1..0da9d20bf 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -1379,10 +1379,9 @@ Pass a long as parameter to control what version of SSL/TLS to attempt to use. The available options are: .RS .IP CURL_SSLVERSION_DEFAULT -The default action. When libcurl built with OpenSSL or NSS, this will attempt -to figure out the remote SSL protocol version. Unfortunately there are a lot of -ancient and broken servers in use which cannot handle this technique and will -fail to connect. When libcurl is built with GnuTLS, this will mean SSLv3. +The default action. This will attempt to figure out the remote SSL protocol +version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled +by default with 7.18.1). .IP CURL_SSLVERSION_TLSv1 Force TLSv1 .IP CURL_SSLVERSION_SSLv2 @@ -873,7 +873,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex) switch (data->set.ssl.version) { default: case CURL_SSLVERSION_DEFAULT: - ssl2 = ssl3 = tlsv1 = PR_TRUE; + ssl3 = tlsv1 = PR_TRUE; break; case CURL_SSLVERSION_TLSv1: tlsv1 = PR_TRUE; @@ -893,6 +893,9 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex) if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess) goto error; + if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) + goto error; + if(data->set.ssl.cipher_list) { if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) { curlerr = CURLE_SSL_CIPHER; diff --git a/lib/qssl.c b/lib/qssl.c index d89f01730..0252b465e 100644 --- a/lib/qssl.c +++ b/lib/qssl.c @@ -90,7 +90,7 @@ static CURLcode Curl_qsossl_init_session(struct SessionHandle * data) memset((char *) &initappstr, 0, sizeof initappstr); initappstr.applicationID = certname; initappstr.applicationIDLen = strlen(certname); - initappstr.protocol = SSL_VERSION_CURRENT; + initappstr.protocol = TLSV1_SSLV3; initappstr.sessionType = SSL_REGISTERED_AS_CLIENT; rc = SSL_Init_Application(&initappstr); @@ -190,7 +190,7 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex) default: case CURL_SSLVERSION_DEFAULT: - h->protocol = SSL_VERSION_CURRENT; + h->protocol = TLSV1_SSLV3; break; case CURL_SSLVERSION_TLSv1: diff --git a/lib/ssluse.c b/lib/ssluse.c index e8a2e03c9..1e9b48a49 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1324,6 +1324,10 @@ ossl_connect_step1(struct connectdata *conn, */ SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL); + /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ + if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) + SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2); + #if 0 /* * Not sure it's needed to tell SSL_connect() that socket is |