aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
diff options
context:
space:
mode:
authorJay Satiro <raysatiro@yahoo.com>2016-03-05 21:35:16 -0500
committerJay Satiro <raysatiro@yahoo.com>2016-03-05 21:39:36 -0500
commit81bdd85318da503df9320fb04267da12a8ec9e5f (patch)
tree95c9840223995792b9dbd46a52f58f12649f7e61 /lib/vtls
parentb188fe407dbc8a208bb995dec29342e0b90dc435 (diff)
mbedtls: fix user-specified SSL protocol version
Prior to this change when a single protocol CURL_SSLVERSION_ was specified by the user that version was set only as the minimum version but not as the maximum version as well.
Diffstat (limited to 'lib/vtls')
-rw-r--r--lib/vtls/mbedtls.c25
1 files changed, 21 insertions, 4 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 0cfa9cce1..7e0760316 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -325,26 +325,43 @@ mbedtls_connect_step1(struct connectdata *conn,
&mbedtls_x509_crt_profile_fr);
switch(data->set.ssl.version) {
+ case CURL_SSLVERSION_DEFAULT:
+ case CURL_SSLVERSION_TLSv1:
+ mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
+ MBEDTLS_SSL_MINOR_VERSION_1);
+ infof(data, "mbedTLS: Set min SSL version to TLS 1.0\n");
+ break;
case CURL_SSLVERSION_SSLv3:
mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_0);
- infof(data, "mbedTLS: Forced min. SSL Version to be SSLv3\n");
+ mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
+ MBEDTLS_SSL_MINOR_VERSION_0);
+ infof(data, "mbedTLS: Set SSL version to SSLv3\n");
break;
case CURL_SSLVERSION_TLSv1_0:
mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_1);
- infof(data, "mbedTLS: Forced min. SSL Version to be TLS 1.0\n");
+ mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
+ MBEDTLS_SSL_MINOR_VERSION_1);
+ infof(data, "mbedTLS: Set SSL version to TLS 1.0\n");
break;
case CURL_SSLVERSION_TLSv1_1:
mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_2);
- infof(data, "mbedTLS: Forced min. SSL Version to be TLS 1.1\n");
+ mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
+ MBEDTLS_SSL_MINOR_VERSION_2);
+ infof(data, "mbedTLS: Set SSL version to TLS 1.1\n");
break;
case CURL_SSLVERSION_TLSv1_2:
mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_3);
- infof(data, "mbedTLS: Forced min. SSL Version to be TLS 1.2\n");
+ mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
+ MBEDTLS_SSL_MINOR_VERSION_3);
+ infof(data, "mbedTLS: Set SSL version to TLS 1.2\n");
break;
+ default:
+ failf(data, "mbedTLS: Unsupported SSL protocol version");
+ return CURLE_SSL_CONNECT_ERROR;
}
mbedtls_ssl_conf_authmode(&connssl->config, MBEDTLS_SSL_VERIFY_OPTIONAL);