authorGunter Knauf <gk@gknw.de>2008-02-19 23:10:07 +0000
committerGunter Knauf <gk@gknw.de>2008-02-19 23:10:07 +0000
commitf9a60620818b6a19ebe3e6f15e1b57d7012e6fb0 (patch)
treec2bc254dd996004ffef3b7af8eb66b36d1010bf1 /lib
parent0cae2010440de8757a3a15792892d52d8e158bd6 (diff)
applied patch to disable SSLv2 by default; discussion:
http://sourceforge.net/tracker/index.php?func=detail&aid=1767276&group_id=976&atid=350976 Submitted by Kaspar Brand.
Diffstat (limited to 'lib')
-rw-r--r--lib/nss.c5
-rw-r--r--lib/qssl.c4
-rw-r--r--lib/ssluse.c4
3 files changed, 10 insertions, 3 deletions
diff --git a/lib/nss.c b/lib/nss.c
index b8f2ddd5c..6e3ee8604 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -873,7 +873,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
switch (data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
- ssl2 = ssl3 = tlsv1 = PR_TRUE;
+ ssl3 = tlsv1 = PR_TRUE;
break;
case CURL_SSLVERSION_TLSv1:
tlsv1 = PR_TRUE;
@@ -893,6 +893,9 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
goto error;
+ if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
+ goto error;
+
if(data->set.ssl.cipher_list) {
if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
curlerr = CURLE_SSL_CIPHER;
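Review bot: The new `SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2)` call in the second hunk carries no comment, and its effect depends on the initial value of ssl2, which is assigned outside this hunk and has to be PR_FALSE for the CURL_SSLVERSION_DEFAULT case to actually leave SSLv2 off now that the first hunk dropped it from the default assignment; worth confirming. I would add `/* send a v2-compatible ClientHello only when SSLv2 itself is enabled */` above the new call. The presumably matching SSL_ENABLE_SSL2 option call is not visible here, so I cannot tell from the hunk whether ssl2 still reaches it. Curl_nss_connect begins before and continues after both hunks.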
diff --git a/lib/qssl.c b/lib/qssl.c
index d89f01730..0252b465e 100644
--- a/lib/qssl.c
+++ b/lib/qssl.c
@@ -90,7 +90,7 @@ static CURLcode Curl_qsossl_init_session(struct SessionHandle * data)
memset((char *) &initappstr, 0, sizeof initappstr);
initappstr.applicationID = certname;
initappstr.applicationIDLen = strlen(certname);
- initappstr.protocol = SSL_VERSION_CURRENT;
+ initappstr.protocol = TLSV1_SSLV3;
initappstr.sessionType = SSL_REGISTERED_AS_CLIENT;
rc = SSL_Init_Application(&initappstr);
@@ -190,7 +190,7 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
default:
case CURL_SSLVERSION_DEFAULT:
- h->protocol = SSL_VERSION_CURRENT;
+ h->protocol = TLSV1_SSLV3;
break;
case CURL_SSLVERSION_TLSv1:
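Review bot: The replacement constant `TLSV1_SSLV3` is undocumented in both hunks, and the protocol selection in Curl_qsossl_init_session and in the default case of Curl_qsossl_handshake now has to be kept in sync by hand. A one-line comment at each site, `/* SSLv3 or TLSv1; SSLv2 is deliberately excluded from the default */`, would record the intent, or the value could be given a single name used from both places. The first hunk also changes the application-level session protocol rather than only the per-connection default, which affects every connection opened through that session; that looks intended but is worth stating in the commit message. Both enclosing functions start and end outside the hunks.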
diff --git a/lib/ssluse.c b/lib/ssluse.c
index e8a2e03c9..1e9b48a49 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1324,6 +1324,10 @@ ossl_connect_step1(struct connectdata *conn,
*/
SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);
+ /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
+ if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
+ SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2);
+
#if 0
/*
* Not sure it's needed to tell SSL_connect() that socket is
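Review bot: The SSLv2 policy for the OpenSSL backend is now decided in two places: the client method chosen from `data->set.ssl.version` (presumably a switch earlier in ossl_connect_step1, outside this hunk) and this separate `SSL_OP_NO_SSLv2` option keyed on the same field. Placing the option next to the CURL_SSLVERSION_DEFAULT branch of that switch, or folding it into the existing call as `SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);` under the same condition, would keep the version policy in one spot. The added comment is adequate as written. ossl_connect_step1 continues outside the hunk.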