diff options
| author | Gergely Nagy <ngg@tresorit.com> | 2013-09-19 15:17:13 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2013-10-15 20:26:47 +0200 |
| commit | ad34a2d5c87c7f4b14e8dded34569395de0d8c5b (patch) | |
| tree | a04f58cee7781e3b0fcf4d5701ccc53f547f8d38 /lib/gskit.c | |
| parent | 31e106c01c594190432c386e3d1de87af6c4f242 (diff) | |
SSL: protocol version can be specified more precisely
CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1,
CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version
(CURL_SSLVERSION_TLSv1 means TLS 1.x).
axTLS:
axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one
of these should be used, so we don't allow the new enum values.
darwinssl:
Added support for the new enum values.
SChannel:
Added support for the new enum values.
CyaSSL:
Added support for the new enum values.
Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it
did the same before this commit), because CyaSSL cannot be configured to
use TLS 1.0-1.2.
GSKit:
GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow
those values.
Bugfix: There was a typo that caused wrong SSL versions to be passed to
GSKit.
NSS:
TLS minor version cannot be set, so we don't allow the new enum values.
QsoSSL:
TLS minor version cannot be set, so we don't allow the new enum values.
OpenSSL:
Added support for the new enum values.
Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0,
now it enables 1.0-1.2.
Command-line tool:
Added command line options for the new values.
Diffstat (limited to 'lib/gskit.c')
| -rw-r--r-- | lib/gskit.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/lib/gskit.c b/lib/gskit.c index 5cda85b9b..187c58d7a 100644 --- a/lib/gskit.c +++ b/lib/gskit.c @@ -503,8 +503,17 @@ static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex) sni = (char *) NULL; break; case CURL_SSLVERSION_TLSv1: + case CURL_SSLVERSION_TLSv1_0: tlsv1enable = true; break; + case CURL_SSLVERSION_TLSv1_1: + failf(data, "GSKit doesn't support TLS 1.1!"); + cc = CURLE_SSL_CONNECT_ERROR; + break; + case CURL_SSLVERSION_TLSv1_2: + failf(data, "GSKit doesn't support TLS 1.2!"); + cc = CURLE_SSL_CONNECT_ERROR; + break; default: /* CURL_SSLVERSION_DEFAULT. */ sslv3enable = true; tlsv1enable = true; @@ -555,7 +564,7 @@ static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex) GSK_PROTOCOL_SSLV3_OFF); if(cc == CURLE_OK) cc = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV1, - sslv3enable? GSK_PROTOCOL_TLSV1_ON: + tlsv1enable? GSK_PROTOCOL_TLSV1_ON: GSK_PROTOCOL_TLSV1_OFF); if(cc == CURLE_OK) cc = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE, |