aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Wu <peter@lekensteyn.nl>2019-08-03 16:53:42 +0100
committerPeter Wu <peter@lekensteyn.nl>2019-08-13 21:59:30 +0100
commitcc5fae5dacd240cd013995173705efdc68f26e34 (patch)
treef2e1fe6cadac44cb46bb7da45cf6d553b352cb33
parent362d59edabe126b52fb626300d3f28054ea0f54c (diff)
nss: use TLSv1.3 as default if supported
SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported range in NSS 3.45. It looks like the intention is to raise the minimum version rather than lowering the maximum, so adjust accordingly. Note that the caller (nss_setup_connect) initializes the version range to (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again. Closes #4187 Reviewed-by: Daniel Stenberg Reviewed-by: Kamil Dudka
-rw-r--r--lib/vtls/nss.c16
1 files changed, 6 insertions, 10 deletions
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 482fd5e99..435f3e93a 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1734,20 +1734,16 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
CURLcode result;
const long min = SSL_CONN_CONFIG(version);
const long max = SSL_CONN_CONFIG(version_max);
-
- /* map CURL_SSLVERSION_DEFAULT to NSS default */
- if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) {
- /* map CURL_SSLVERSION_DEFAULT to NSS default */
- if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
- return CURLE_SSL_CONNECT_ERROR;
- /* ... but make sure we use at least TLSv1.0 according to libcurl API */
- if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
- sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
- }
+ SSLVersionRange vrange;
switch(min) {
case CURL_SSLVERSION_TLSv1:
case CURL_SSLVERSION_DEFAULT:
+ /* Bump our minimum TLS version if NSS has stricter requirements. */
+ if(SSL_VersionRangeGetDefault(ssl_variant_stream, &vrange) != SECSuccess)
+ return CURLE_SSL_CONNECT_ERROR;
+ if(sslver->min < vrange.min)
+ sslver->min = vrange.min;
break;
default:
result = nss_sslver_from_curl(&sslver->min, min);