author | Jozef Kralik <jozef.kralik@eset.sk> | 2016-12-13 21:10:00 +0100 |
committer | Kamil Dudka <kdudka@redhat.com> | 2017-03-08 15:54:07 +0100 |
commit | 6448f98c1857de521fb2dd3f9d4e5659845b5474 (patch) | |
tree | 183b4febdb062f32be9113ae170e3b57f44a4b28 /lib/vtls/vtls.c | |
parent | b66690733642d764199eeb1b64aaaa2513c13db3 (diff) |
vtls: add options to specify range of enabled TLS versions
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as
the --tls-max option of the curl tool.
Closes https://github.com/curl/curl/pull/1166
Diffstat (limited to 'lib/vtls/vtls.c')
-rw-r--r-- | lib/vtls/vtls.c | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index f40a97712..693380fb9 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -95,6 +95,7 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
                         struct ssl_primary_config* needle)
 {
   if((data->version == needle->version) &&
+     (data->version_max == needle->version_max) &&
      (data->verifypeer == needle->verifypeer) &&
      (data->verifyhost == needle->verifyhost) &&
      Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
@@ -113,6 +114,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
   dest->verifyhost = source->verifyhost;
   dest->verifypeer = source->verifypeer;
   dest->version = source->version;
+  dest->version_max = source->version_max;
 
   CLONE_STRING(CAfile);
   CLONE_STRING(CApath);
@@ -173,11 +175,24 @@ void Curl_ssl_cleanup(void)
 
 static bool ssl_prefs_check(struct Curl_easy *data)
 {
   /* check for CURLOPT_SSLVERSION invalid parameter value */
-  if((data->set.ssl.primary.version < 0)
-     || (data->set.ssl.primary.version >= CURL_SSLVERSION_LAST)) {
+  const long sslver = data->set.ssl.primary.version;
+  if((sslver < 0) || (sslver >= CURL_SSLVERSION_LAST)) {
     failf(data, "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
     return FALSE;
   }
+
+  switch(data->set.ssl.primary.version_max) {
+  case CURL_SSLVERSION_MAX_NONE:
+  case CURL_SSLVERSION_MAX_DEFAULT:
+    break;
+
+  default:
+    if((data->set.ssl.primary.version_max >> 16) < sslver) {
+      failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
+      return FALSE;
+    }
+  }
+
   return TRUE;
 }
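Review bot: The `default:` branch of the new switch in ssl_prefs_check only checks that the maximum is not below the minimum; it never bounds version_max itself, so an out-of-range value such as `8 << 16` (above every CURL_SSLVERSION_* value, given the `>> 16` encoding the check relies on) passes this function and is left to the TLS backend, while CURLOPT_SSLVERSION gets an explicit `< 0` / `>= CURL_SSLVERSION_LAST` range check a few lines above. A negative version_max is also right-shifted before being compared, and right-shifting a negative `long` is implementation-defined in C, so its rejection today depends on the shift propagating the sign rather than on an explicit test. I would mirror the CURLOPT_SSLVERSION check inside `default:` before the ordering test, using the CURL_SSLVERSION_LAST sentinel already visible here (if curl.h also defines a matching CURL_SSLVERSION_MAX_LAST alongside the new constants the commit message mentions, comparing against that directly would read better). The whole of ssl_prefs_check is inside this hunk.
```c
  default: {
    const long sslver_max = data->set.ssl.primary.version_max;
    /* bound the value before shifting it: a negative long has
       implementation-defined shift behaviour, and anything at or above
       CURL_SSLVERSION_LAST << 16 names no known TLS version */
    if((sslver_max < 0) || ((sslver_max >> 16) >= CURL_SSLVERSION_LAST)) {
      failf(data, "Unrecognized parameter value passed via CURL_SSLVERSION_MAX");
      return FALSE;
    }
    if((sslver_max >> 16) < sslver) {
      failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
      return FALSE;
    }
  }
```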