diff options
author | Gergely Nagy <ngg@tresorit.com> | 2013-09-19 15:17:13 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2013-10-15 20:26:47 +0200 |
commit | ad34a2d5c87c7f4b14e8dded34569395de0d8c5b (patch) | |
tree | a04f58cee7781e3b0fcf4d5701ccc53f547f8d38 /lib/ssluse.c | |
parent | 31e106c01c594190432c386e3d1de87af6c4f242 (diff) |
SSL: protocol version can be specified more precisely
CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1,
CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version
(CURL_SSLVERSION_TLSv1 means TLS 1.x).
axTLS:
axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one
of these should be used, so we don't allow the new enum values.
darwinssl:
Added support for the new enum values.
SChannel:
Added support for the new enum values.
CyaSSL:
Added support for the new enum values.
Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it
did the same before this commit), because CyaSSL cannot be configured to
use TLS 1.0-1.2.
GSKit:
GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow
those values.
Bugfix: There was a typo that caused wrong SSL versions to be passed to
GSKit.
NSS:
TLS minor version cannot be set, so we don't allow the new enum values.
QsoSSL:
TLS minor version cannot be set, so we don't allow the new enum values.
OpenSSL:
Added support for the new enum values.
Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0,
now it enables 1.0-1.2.
Command-line tool:
Added command line options for the new values.
Diffstat (limited to 'lib/ssluse.c')
-rw-r--r-- | lib/ssluse.c | 51 |
1 files changed, 37 insertions, 14 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c index c747420f6..84fd73738 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1431,19 +1431,12 @@ ossl_connect_step1(struct connectdata *conn, switch(data->set.ssl.version) { default: case CURL_SSLVERSION_DEFAULT: -#ifdef USE_TLS_SRP - if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { - infof(data, "Set version TLSv1 for SRP authorisation\n"); - req_method = TLSv1_client_method() ; - } - else -#endif - /* we try to figure out version */ - req_method = SSLv23_client_method(); - use_sni(TRUE); - break; case CURL_SSLVERSION_TLSv1: - req_method = TLSv1_client_method(); + case CURL_SSLVERSION_TLSv1_0: + case CURL_SSLVERSION_TLSv1_1: + case CURL_SSLVERSION_TLSv1_2: + /* it will be handled later with the context options */ + req_method = SSLv23_client_method(); use_sni(TRUE); break; case CURL_SSLVERSION_SSLv2: @@ -1556,9 +1549,39 @@ ossl_connect_step1(struct connectdata *conn, ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; #endif - /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ - if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) + switch(data->set.ssl.version) { + case CURL_SSLVERSION_DEFAULT: + ctx_options |= SSL_OP_NO_SSLv2; +#ifdef USE_TLS_SRP + if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { + infof(data, "Set version TLSv1.x for SRP authorisation\n"); + ctx_options |= SSL_OP_NO_SSLv3; + } +#endif + break; + case CURL_SSLVERSION_TLSv1: + ctx_options |= SSL_OP_NO_SSLv2; + ctx_options |= SSL_OP_NO_SSLv3; + break; + case CURL_SSLVERSION_TLSv1_0: ctx_options |= SSL_OP_NO_SSLv2; + ctx_options |= SSL_OP_NO_SSLv3; + ctx_options |= SSL_OP_NO_TLSv1_1; + ctx_options |= SSL_OP_NO_TLSv1_2; + break; + case CURL_SSLVERSION_TLSv1_1: + ctx_options |= SSL_OP_NO_SSLv2; + ctx_options |= SSL_OP_NO_SSLv3; + ctx_options |= SSL_OP_NO_TLSv1; + ctx_options |= SSL_OP_NO_TLSv1_2; + break; + case CURL_SSLVERSION_TLSv1_2: + ctx_options |= SSL_OP_NO_SSLv2; + ctx_options |= SSL_OP_NO_SSLv3; + ctx_options |= SSL_OP_NO_TLSv1; + ctx_options |= SSL_OP_NO_TLSv1_1; + break; + } SSL_CTX_set_options(connssl->ctx, ctx_options); |