diff options
author | Nick Zitzmann <nickzman@gmail.com> | 2013-07-02 19:34:54 -0600 |
---|---|---|
committer | Nick Zitzmann <nickzman@gmail.com> | 2013-07-02 19:34:54 -0600 |
commit | d633052905d430565db47d22dfc42011a3ca2c01 (patch) | |
tree | da2aeb60ef4139b4631bd3688924dede056cf073 /lib | |
parent | abca89aaa0fb208cfaf4ead6692014c4e553388a (diff) |
darwinssl: SSLv2 connections are aborted if unsupported by the OS
I just noticed that OS X no longer supports SSLv2. Other TLS engines return
an error if the requested protocol isn't supported by the underlying
engine, so we do that now for SSLv2 if the framework returns an error
when trying to turn on SSLv2 support. (Note: As always, SSLv2 support is
only enabled in curl when starting the app with the -2 argument; it's off
by default. SSLv2 is really old and insecure.)
Diffstat (limited to 'lib')
-rw-r--r-- | lib/curl_darwinssl.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c index 82a339b0a..2d5d564b7 100644 --- a/lib/curl_darwinssl.c +++ b/lib/curl_darwinssl.c @@ -891,7 +891,11 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3); break; case CURL_SSLVERSION_SSLv2: - (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol2); + err = SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol2); + if(err != noErr) { + failf(data, "Your version of the OS does not support SSLv2"); + return CURLE_SSL_CONNECT_ERROR; + } (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol2); } } @@ -932,9 +936,13 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, true); break; case CURL_SSLVERSION_SSLv2: - (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, + err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx, kSSLProtocol2, true); + if(err != noErr) { + failf(data, "Your version of the OS does not support SSLv2"); + return CURLE_SSL_CONNECT_ERROR; + } break; } #endif /* CURL_SUPPORT_MAC_10_8 */ @@ -957,9 +965,13 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, true); break; case CURL_SSLVERSION_SSLv2: - (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, + err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx, kSSLProtocol2, true); + if(err != noErr) { + failf(data, "Your version of the OS does not support SSLv2"); + return CURLE_SSL_CONNECT_ERROR; + } break; case CURL_SSLVERSION_SSLv3: (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, |