author | Kamil Dudka <kdudka@redhat.com> | 2016-10-27 14:27:25 +0200 |
---|---|---|
committer | Kamil Dudka <kdudka@redhat.com> | 2016-11-07 11:51:33 +0100 |
commit | 5d45ced7a45ea38e32f1cbf73d7c63a3e4f241e7 (patch) | |
tree | 969ddbf2199d6742842aad01d0b045766fd3b556 | |
parent | 27302abb9467f21a481fcc6b8eca53d34e04373b (diff) |
nss: map CURL_SSLVERSION_DEFAULT to NSS default
... but make sure we use at least TLSv1.0 according to libcurl API
Reported-by: Cure53
Reviewed-by: Ray Satiro
-rw-r--r-- | RELEASE-NOTES | 1 | ||||
-rw-r--r-- | lib/vtls/nss.c | 14 |
2 files changed, 14 insertions, 1 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index d224476d5..9a4737820 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -8,6 +8,7 @@ Curl and libcurl 7.51.1
 This release includes the following changes:
+ o nss: map CURL_SSLVERSION_DEFAULT to NSS default
 o
 This release includes the following bugfixes:
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index dff15758f..5abb57427 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
 struct Curl_easy *data)
 {
 switch(data->set.ssl.version) {
- default:
 case CURL_SSLVERSION_DEFAULT:
+ /* map CURL_SSLVERSION_DEFAULT to NSS default */
+ if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
+ return CURLE_SSL_CONNECT_ERROR;
+ /* ... but make sure we use at least TLSv1.0 according to libcurl API */
+ if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+ return CURLE_OK;
+
 case CURL_SSLVERSION_TLSv1:
 sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+ /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */
 #ifdef SSL_LIBRARY_VERSION_TLS_1_2
 sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
 #elif defined SSL_LIBRARY_VERSION_TLS_1_1
@@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
 return CURLE_OK;
 #endif
 break;
+
+ default:
+ /* unsupported SSL/TLS version */
+ break;
 }
 failf(data, "TLS minor version cannot be set"); |
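Review bot: The early `return CURLE_SSL_CONNECT_ERROR;` taken when `SSL_VersionRangeGetDefault()` fails in the new `CURL_SSLVERSION_DEFAULT` branch leaves no message behind, unlike the `failf()` path at the end of this function, so a broken NSS default shows up as a bare connect error. I would add `failf(data, "unable to get the NSS default TLS version range");` before that return. The clamp below it only raises `sslver->min`; if the NSS default maximum were ever configured below TLS 1.0 the range would come out inverted, which is presumably rejected later when the range is applied, but `if(sslver->max < sslver->min) return CURLE_SSL_CONNECT_ERROR;` here would make that failure explicit. The comment could also say that the upper bound now follows the NSS build or policy rather than a libcurl constant, since that changes which protocol versions a default handle will negotiate. The switch continues outside the hunk.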
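Review bot: The new `default:` branch falls through to the shared `failf(data, "TLS minor version cannot be set");`, which misdescribes the case where `data->set.ssl.version` holds a value this backend does not recognise. Rejecting unknown values instead of silently treating them as the default is the right fail-closed behaviour, but the message should say so, e.g. `failf(data, "unsupported SSL/TLS version requested");` followed by `return CURLE_SSL_CONNECT_ERROR;` inside the branch. What follows the shared `failf()` is outside the hunk, so the return code used there should be confirmed before copying it.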