aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
diff options
context:
space:
mode:
authorBarry Abrahamson <barry@automattic.com>2014-01-01 23:50:45 +0100
committerDaniel Stenberg <daniel@haxx.se>2014-01-02 23:41:33 +0100
commit4bb74005298bb0c517360582b90efafd540bf8f1 (patch)
tree80e7101eee33ca56a5495adca9622c45fdab037f /lib/vtls
parent303172d220669774c53cc8ffd244ce82a72b737d (diff)
OpenSSL: Fix forcing SSLv3 connections
Some feedback provided by byte_bucket on IRC pointed out that commit db11750cfa5b1 wasn’t really correct because it allows for “upgrading” to a newer protocol when it should be only allowing for SSLv3. This change fixes that. When SSLv3 connection is forced, don't allow SSL negotiations for newer versions. Feedback provided by byte_bucket in #curl. This behavior is also consistent with the other force flags like --tlsv1.1 which doesn't allow for TLSv1.2 negotiation, etc Feedback-by: byte_bucket Bug: http://curl.haxx.se/bug/view.cgi?id=1319
Diffstat (limited to 'lib/vtls')
-rw-r--r--lib/vtls/openssl.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index bc22bb888..b3ab99208 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1551,7 +1551,6 @@ ossl_connect_step1(struct connectdata *conn,
switch(data->set.ssl.version) {
case CURL_SSLVERSION_DEFAULT:
- case CURL_SSLVERSION_SSLv3:
ctx_options |= SSL_OP_NO_SSLv2;
#ifdef USE_TLS_SRP
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
@@ -1561,6 +1560,15 @@ ossl_connect_step1(struct connectdata *conn,
#endif
break;
+ case CURL_SSLVERSION_SSLv3:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_TLSv1;
+#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
+ ctx_options |= SSL_OP_NO_TLSv1_1;
+ ctx_options |= SSL_OP_NO_TLSv1_2;
+#endif
+ break;
+
case CURL_SSLVERSION_TLSv1:
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3;