aboutsummaryrefslogtreecommitdiff
path: root/docs/libcurl/opts
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2018-06-28 23:24:21 +0200
committerDaniel Stenberg <daniel@haxx.se>2018-06-29 22:53:02 +0200
commit6015cefb1b2cfde4b4850121c42405275e5e77d9 (patch)
tree3a42ba355562498d6d4885f00812a548833a7251 /docs/libcurl/opts
parentb83e3e603fe59d49d947337b23f7eebdfa82ca01 (diff)
openssl: make the requested TLS version the *minimum* wanted
The code treated the set version as the *exact* version to require in the TLS handshake, which is not what other TLS backends do and probably not what most people expect either. Reported-by: Andreas Olsson Assisted-by: Gaurav Malhotra Fixes #2691 Closes #2694
Diffstat (limited to 'docs/libcurl/opts')
-rw-r--r--docs/libcurl/opts/CURLOPT_SSLVERSION.342
1 files changed, 24 insertions, 18 deletions
diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
index 807057be5..f9b982ac1 100644
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
@@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2015, 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
@@ -28,49 +28,55 @@ CURLOPT_SSLVERSION \- set preferred TLS/SSL version
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLVERSION, long version);
.SH DESCRIPTION
-Pass a long as parameter to control which version of SSL/TLS to attempt to
+Pass a long as parameter to control which version range of SSL/TLS versions to
use.
+The SSL and TLS versions have typically developed from the most insecure
+version to be more and more secure in this order through history: SSL v2,
+SSLv3, TLS v1.0, TSL v1.1, TSL v1.2 and the most recent TLS v1.3.
+
Use one of the available defines for this purpose. The available options are:
.RS
.IP CURL_SSLVERSION_DEFAULT
-The default action. This will attempt to figure out the remote SSL protocol
-version.
+The default acceptable version range. The mimimum acceptable version is by
+default TLS 1.0 since 7.39.0 (unless the TLS library has a stricter rule).
.IP CURL_SSLVERSION_TLSv1
-TLSv1.x
+TLS v1.0 or later
.IP CURL_SSLVERSION_SSLv2
-SSLv2
+SSL v2 (but not SSLv3)
.IP CURL_SSLVERSION_SSLv3
-SSLv3
+SSL v3 (but not SSLv2)
.IP CURL_SSLVERSION_TLSv1_0
-TLSv1.0 (Added in 7.34.0)
+TLS v1.0 or later (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_1
-TLSv1.1 (Added in 7.34.0)
+TLS v1.1 or later (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_2
-TLSv1.2 (Added in 7.34.0)
+TLS v1.2 or later (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_3
-TLSv1.3 (Added in 7.52.0)
+TLS v1.3 or later (Added in 7.52.0)
.RE
+
The maximum TLS version can be set by using \fIone\fP of the
CURL_SSLVERSION_MAX_ macros below. It is also possible to OR \fIone\fP of the
CURL_SSLVERSION_ macros with \fIone\fP of the CURL_SSLVERSION_MAX_ macros.
The MAX macros are not supported for SSL backends axTLS or wolfSSL.
.RS
.IP CURL_SSLVERSION_MAX_DEFAULT
-The flag defines the maximum supported TLS version as TLSv1.2, or the default
-value from the SSL library.
-(Added in 7.54.0)
+The flag defines the maximum supported TLS version by libcurl, or the default
+value from the SSL library is used. libcurl will use a sensible default
+maximum, which was TLS 1.2 up to before 7.61.0 and is TLS 1.3 since then -
+assuming the TLS library support it. (Added in 7.54.0)
.IP CURL_SSLVERSION_MAX_TLSv1_0
-The flag defines maximum supported TLS version as TLSv1.0.
+The flag defines maximum supported TLS version as TLS v1.0.
(Added in 7.54.0)
.IP CURL_SSLVERSION_MAX_TLSv1_1
-The flag defines maximum supported TLS version as TLSv1.1.
+The flag defines maximum supported TLS version as TLS v1.1.
(Added in 7.54.0)
.IP CURL_SSLVERSION_MAX_TLSv1_2
-The flag defines maximum supported TLS version as TLSv1.2.
+The flag defines maximum supported TLS version as TLS v1.2.
(Added in 7.54.0)
.IP CURL_SSLVERSION_MAX_TLSv1_3
-The flag defines maximum supported TLS version as TLSv1.3.
+The flag defines maximum supported TLS version as TLS v1.3.
(Added in 7.54.0)
.RE
.SH DEFAULT