aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorJay Satiro <raysatiro@yahoo.com>2014-10-24 13:41:56 +0200
committerDaniel Stenberg <daniel@haxx.se>2014-10-24 13:41:56 +0200
commitec783dc142129d3860e542b443caaa78a6172d56 (patch)
tree7062b5f480575be59252816c9877823fbde143c9 /lib
parent2b042574917aeff4d366dec23a7d007913cbe755 (diff)
SSL: Remove SSLv3 from SSL default due to POODLE attack
- Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss, openssl effectively making the default TLS 1.x. axTLS is not affected since it supports only TLS, and gnutls is not affected since it already defaults to TLS 1.x. - Update CURLOPT_SSLVERSION doc
Diffstat (limited to 'lib')
-rw-r--r--lib/vtls/curl_darwinssl.c29
-rw-r--r--lib/vtls/curl_schannel.c8
-rw-r--r--lib/vtls/cyassl.c6
-rw-r--r--lib/vtls/nss.c9
-rw-r--r--lib/vtls/openssl.c16
5 files changed, 14 insertions, 54 deletions
diff --git a/lib/vtls/curl_darwinssl.c b/lib/vtls/curl_darwinssl.c
index f229c6fe2..99b5af752 100644
--- a/lib/vtls/curl_darwinssl.c
+++ b/lib/vtls/curl_darwinssl.c
@@ -1057,10 +1057,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
if(SSLSetProtocolVersionMax != NULL) {
switch(data->set.ssl.version) {
- case CURL_SSLVERSION_DEFAULT: default:
- (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
- (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
- break;
+ default:
+ case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
@@ -1096,20 +1094,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
kSSLProtocolAll,
false);
switch (data->set.ssl.version) {
- case CURL_SSLVERSION_DEFAULT: default:
- (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
- kSSLProtocol3,
- true);
- (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
- kTLSProtocol1,
- true);
- (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
- kTLSProtocol11,
- true);
- (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
- kTLSProtocol12,
- true);
- break;
+ default:
+ case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol1,
@@ -1158,13 +1144,6 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
switch(data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
- (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
- kSSLProtocol3,
- true);
- (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
- kTLSProtocol1,
- true);
- break;
case CURL_SSLVERSION_TLSv1:
case CURL_SSLVERSION_TLSv1_0:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
diff --git a/lib/vtls/curl_schannel.c b/lib/vtls/curl_schannel.c
index 925df37a0..3a740bd28 100644
--- a/lib/vtls/curl_schannel.c
+++ b/lib/vtls/curl_schannel.c
@@ -164,6 +164,8 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
}
switch(data->set.ssl.version) {
+ default:
+ case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT |
SP_PROT_TLS1_1_CLIENT |
@@ -184,12 +186,6 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_SSLv2:
schannel_cred.grbitEnabledProtocols = SP_PROT_SSL2_CLIENT;
break;
- default:
- schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT |
- SP_PROT_TLS1_1_CLIENT |
- SP_PROT_TLS1_2_CLIENT |
- SP_PROT_SSL3_CLIENT;
- break;
}
/* allocate memory for the re-usable credential handle */
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
index 9b5c7c61c..15fc92926 100644
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -99,10 +99,8 @@ cyassl_connect_step1(struct connectdata *conn,
/* check to see if we've been told to use an explicit SSL/TLS version */
switch(data->set.ssl.version) {
+ default:
case CURL_SSLVERSION_DEFAULT:
- /* we try to figure out version */
- req_method = SSLv23_client_method();
- break;
case CURL_SSLVERSION_TLSv1:
infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
"TLS 1.0 is used exclusively\n");
@@ -120,8 +118,6 @@ cyassl_connect_step1(struct connectdata *conn,
case CURL_SSLVERSION_SSLv3:
req_method = SSLv3_client_method();
break;
- default:
- req_method = TLSv1_client_method();
}
if(!req_method) {
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index ebf7fb2fa..d7dd98055 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1345,15 +1345,8 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
switch (data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
- sslver->min = SSL_LIBRARY_VERSION_3_0;
- if(data->state.ssl_connect_retry) {
- infof(data, "TLS disabled due to previous handshake failure\n");
- sslver->max = SSL_LIBRARY_VERSION_3_0;
- return CURLE_OK;
- }
- /* intentional fall-through to default to highest TLS version if possible */
-
case CURL_SSLVERSION_TLSv1:
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
#ifdef SSL_LIBRARY_VERSION_TLS_1_2
sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
#elif defined SSL_LIBRARY_VERSION_TLS_1_1
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 29cc78cad..f42ebd896 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1649,16 +1649,6 @@ ossl_connect_step1(struct connectdata *conn,
#endif
switch(data->set.ssl.version) {
- case CURL_SSLVERSION_DEFAULT:
- ctx_options |= SSL_OP_NO_SSLv2;
-#ifdef USE_TLS_SRP
- if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
- infof(data, "Set version TLSv1.x for SRP authorisation\n");
- ctx_options |= SSL_OP_NO_SSLv3;
- }
-#endif
- break;
-
case CURL_SSLVERSION_SSLv3:
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_TLSv1;
@@ -1668,6 +1658,12 @@ ossl_connect_step1(struct connectdata *conn,
#endif
break;
+ case CURL_SSLVERSION_DEFAULT:
+#ifdef USE_TLS_SRP
+ if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
+ infof(data, "Set version TLSv1.x for SRP authorisation\n");
+ }
+#endif
case CURL_SSLVERSION_TLSv1:
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3;