diff options
-rw-r--r-- | docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3 | 12 | ||||
-rw-r--r-- | docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 14 | ||||
-rw-r--r-- | lib/setopt.c | 42 |
3 files changed, 39 insertions, 29 deletions
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3 index 6b9ff7dee..73c2c9766 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3 @@ -46,10 +46,15 @@ TLSv1.1 TLSv1.2 .IP CURL_SSLVERSION_TLSv1_3 TLSv1.3 +.RE +The maximum TLS version can be set by using \fIone\fP of the +CURL_SSLVERSION_MAX_ macros below. It is also possible to OR \fIone\fP of the +CURL_SSLVERSION_ macros with \fIone\fP of the CURL_SSLVERSION_MAX_ macros. +The MAX macros are not supported for SSL backends axTLS or wolfSSL. +.RS .IP CURL_SSLVERSION_MAX_DEFAULT The flag defines the maximum supported TLS version as TLSv1.2, or the default -value from the SSL library. Only the NSS library currently allows one to get -the maximum supported TLS version. +value from the SSL library. (Added in 7.54.0) .IP CURL_SSLVERSION_MAX_TLSv1_0 The flag defines maximum supported TLS version as TLSv1.0. @@ -75,8 +80,7 @@ if(curl) { curl_easy_setopt(curl, CURLOPT_URL, "https://example.com"); /* ask libcurl to use TLS version 1.0 or later */ - curl_easy_setopt(curl, CURLOPT_PROXY_SSLVERSION, CURL_SSLVERSION_TLSv1_1 | - CURL_SSLVERSION_MAX_DEFAULT); + curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); /* Perform the request */ curl_easy_perform(curl); diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3 index 5c447d8f3..807057be5 100644 --- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 +++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3 @@ -50,10 +50,15 @@ TLSv1.1 (Added in 7.34.0) TLSv1.2 (Added in 7.34.0) .IP CURL_SSLVERSION_TLSv1_3 TLSv1.3 (Added in 7.52.0) +.RE +The maximum TLS version can be set by using \fIone\fP of the +CURL_SSLVERSION_MAX_ macros below. It is also possible to OR \fIone\fP of the +CURL_SSLVERSION_ macros with \fIone\fP of the CURL_SSLVERSION_MAX_ macros. +The MAX macros are not supported for SSL backends axTLS or wolfSSL. +.RS .IP CURL_SSLVERSION_MAX_DEFAULT The flag defines the maximum supported TLS version as TLSv1.2, or the default -value from the SSL library. Only the NSS library currently allows one to get -the maximum supported TLS version. +value from the SSL library. (Added in 7.54.0) .IP CURL_SSLVERSION_MAX_TLSv1_0 The flag defines maximum supported TLS version as TLSv1.0. @@ -78,9 +83,8 @@ CURL *curl = curl_easy_init(); if(curl) { curl_easy_setopt(curl, CURLOPT_URL, "https://example.com"); - /* ask libcurl to use TLS version 1.1 or later */ - curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1 | - CURL_SSLVERSION_MAX_DEFAULT); + /* ask libcurl to use TLS version 1.0 or later */ + curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); /* Perform the request */ curl_easy_perform(curl); diff --git a/lib/setopt.c b/lib/setopt.c index 60f3ae5a6..66f30ea65 100644 --- a/lib/setopt.c +++ b/lib/setopt.c @@ -360,32 +360,34 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, */ data->set.timevalue = (time_t)va_arg(param, long); break; + case CURLOPT_SSLVERSION: - /* - * Set explicit SSL version to try to connect with, as some SSL - * implementations are lame. - */ -#ifdef USE_SSL - arg = va_arg(param, long); - if((arg < CURL_SSLVERSION_DEFAULT) || (arg > CURL_SSLVERSION_TLSv1_3)) - return CURLE_BAD_FUNCTION_ARGUMENT; - data->set.ssl.primary.version = C_SSLVERSION_VALUE(arg); - data->set.ssl.primary.version_max = C_SSLVERSION_MAX_VALUE(arg); -#else - result = CURLE_UNKNOWN_OPTION; -#endif - break; case CURLOPT_PROXY_SSLVERSION: /* - * Set explicit SSL version to try to connect with for proxy, as some SSL + * Set explicit SSL version to try to connect with, as some SSL * implementations are lame. */ #ifdef USE_SSL - arg = va_arg(param, long); - if((arg < CURL_SSLVERSION_DEFAULT) || (arg > CURL_SSLVERSION_TLSv1_3)) - return CURLE_BAD_FUNCTION_ARGUMENT; - data->set.proxy_ssl.primary.version = C_SSLVERSION_VALUE(arg); - data->set.proxy_ssl.primary.version_max = C_SSLVERSION_MAX_VALUE(arg); + { + long version, version_max; + struct ssl_primary_config *primary = (option == CURLOPT_SSLVERSION ? + &data->set.ssl.primary : + &data->set.proxy_ssl.primary); + + arg = va_arg(param, long); + + version = C_SSLVERSION_VALUE(arg); + version_max = C_SSLVERSION_MAX_VALUE(arg); + + if(version < CURL_SSLVERSION_DEFAULT || + version >= CURL_SSLVERSION_LAST || + version_max < CURL_SSLVERSION_MAX_NONE || + version_max >= CURL_SSLVERSION_MAX_LAST) + return CURLE_BAD_FUNCTION_ARGUMENT; + + primary->version = version; + primary->version_max = version_max; + } #else result = CURLE_UNKNOWN_OPTION; #endif |