-rw-r--r-- | docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 4 | ||||
-rw-r--r-- | lib/vtls/curl_darwinssl.c | 29 | ||||
-rw-r--r-- | lib/vtls/curl_schannel.c | 8 | ||||
-rw-r--r-- | lib/vtls/cyassl.c | 6 | ||||
-rw-r--r-- | lib/vtls/nss.c | 9 | ||||
-rw-r--r-- | lib/vtls/openssl.c | 16 |
6 files changed, 17 insertions, 55 deletions
diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
index 9b558f495..a10dabd90 100644
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
@@ -35,7 +35,7 @@ Use one of the available defines for this purpose. The available options are:
.RS
.IP CURL_SSLVERSION_DEFAULT
The default action. This will attempt to figure out the remote SSL protocol
-version, i.e. either SSLv3 or TLSv1
+version.
.IP CURL_SSLVERSION_TLSv1
TLSv1.x
.IP CURL_SSLVERSION_SSLv2
@@ -69,6 +69,8 @@ if(curl) {
.SH AVAILABILITY
SSLv2 is disabled by default since 7.18.1. Other SSL versions availability may vary depending on which backend libcurl has been built to use.
+
+SSLv3 is disabled by default since 7.39.0.
.SH RETURN VALUE
Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
.SH "SEE ALSO"
diff --git a/lib/vtls/curl_darwinssl.c b/lib/vtls/curl_darwinssl.c
index f229c6fe2..99b5af752 100644
--- a/lib/vtls/curl_darwinssl.c
+++ b/lib/vtls/curl_darwinssl.c
@@ -1057,10 +1057,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
if(SSLSetProtocolVersionMax != NULL) {
switch(data->set.ssl.version) {
- case CURL_SSLVERSION_DEFAULT: default:
- (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
- (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
- break;
+ default:
+ case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
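Review bot: The new `+ default:` / `+ case CURL_SSLVERSION_DEFAULT:` labels fall straight into `case CURL_SSLVERSION_TLSv1:` with nothing marking the fall-through as intended, so a reader has to compare against the removed `case CURL_SSLVERSION_DEFAULT: default:` arm to see that the default is now TLS 1.x rather than an accidentally empty case. A one-line comment before the TLSv1 label, `/* FALLTHROUGH: DEFAULT means TLS 1.x now that SSLv3 is off by default */`, records the policy where it is enforced and keeps compilers that warn on implicit fall-through quiet. The same unmarked fall-through is introduced in the two later darwinssl hunks, the first schannel hunk, the first cyassl hunk, the second openssl hunk, and the nss hunk, where the previous `/* intentional fall-through ... */` comment was removed together with the SSLv3 block. darwinssl_connect_step1 begins and ends outside this hunk.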
@@ -1096,20 +1094,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
kSSLProtocolAll,
false);
switch (data->set.ssl.version) {
- case CURL_SSLVERSION_DEFAULT: default:
- (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
- kSSLProtocol3,
- true);
- (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
- kTLSProtocol1,
- true);
- (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
- kTLSProtocol11,
- true);
- (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
- kTLSProtocol12,
- true);
- break;
+ default:
+ case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol1,
@@ -1158,13 +1144,6 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
switch(data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
- (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
- kSSLProtocol3,
- true);
- (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
- kTLSProtocol1,
- true);
- break;
case CURL_SSLVERSION_TLSv1:
case CURL_SSLVERSION_TLSv1_0:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
diff --git a/lib/vtls/curl_schannel.c b/lib/vtls/curl_schannel.c
index 925df37a0..3a740bd28 100644
--- a/lib/vtls/curl_schannel.c
+++ b/lib/vtls/curl_schannel.c
@@ -164,6 +164,8 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
}

switch(data->set.ssl.version) {
+ default:
+ case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT |
SP_PROT_TLS1_1_CLIENT |
@@ -184,12 +186,6 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_SSLv2:
schannel_cred.grbitEnabledProtocols = SP_PROT_SSL2_CLIENT;
break;
- default:
- schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT |
- SP_PROT_TLS1_1_CLIENT |
- SP_PROT_TLS1_2_CLIENT |
- SP_PROT_SSL3_CLIENT;
- break;
}

/* allocate memory for the re-usable credential handle */
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
index 9b5c7c61c..15fc92926 100644
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -99,10 +99,8 @@ cyassl_connect_step1(struct connectdata *conn,

/* check to see if we've been told to use an explicit SSL/TLS version */
switch(data->set.ssl.version) {
+ default:
case CURL_SSLVERSION_DEFAULT:
- /* we try to figure out version */
- req_method = SSLv23_client_method();
- break;
case CURL_SSLVERSION_TLSv1:
infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
"TLS 1.0 is used exclusively\n");
@@ -120,8 +118,6 @@ cyassl_connect_step1(struct connectdata *conn,
case CURL_SSLVERSION_SSLv3:
req_method = SSLv3_client_method();
break;
- default:
- req_method = TLSv1_client_method();
}

if(!req_method) {
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index ebf7fb2fa..d7dd98055 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1345,15 +1345,8 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
switch (data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
- sslver->min = SSL_LIBRARY_VERSION_3_0;
- if(data->state.ssl_connect_retry) {
- infof(data, "TLS disabled due to previous handshake failure\n");
- sslver->max = SSL_LIBRARY_VERSION_3_0;
- return CURLE_OK;
- }
- /* intentional fall-through to default to highest TLS version if possible */
-
case CURL_SSLVERSION_TLSv1:
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
#ifdef SSL_LIBRARY_VERSION_TLS_1_2
sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
#elif defined SSL_LIBRARY_VERSION_TLS_1_1
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 29cc78cad..f42ebd896 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
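Review bot: With `+ default:` stacked on `case CURL_SSLVERSION_DEFAULT:` and the old DEFAULT body removed, every connection that never asked for a specific version now falls into the `CURL_SSLVERSION_TLSv1` arm and emits `infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, " ...)`, a message written for an explicit TLSv1 request that reads oddly in the default configuration. If the intent is simply to pick TLS 1.0 for the default, giving the DEFAULT arm its own body — `req_method = TLSv1_client_method(); break;`, the method the removed `default:` arm in the second hunk used — keeps the log quiet; otherwise the message should be reworded so it is accurate for the default case too. The TLSv1 arm presumably selects the same method below the hunk, but that line is outside the diff. cyassl_connect_step1 continues outside the hunk.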
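Review bot: The removed block was the reader of `data->state.ssl_connect_retry` in this function, and the new code sets `sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;` unconditionally, so if the flag is still raised on handshake failure elsewhere (not visible in this diff) a retried connection now runs with the same version range as the first attempt and the flag is dead state for this backend. Dropping the retry-to-SSLv3 path is the right call, since a handshake failure could otherwise move the client down to SSLv3; the point is only that the setter and any remaining readers should be audited or removed so a later change does not reintroduce a fallback. A short comment at the new line, `/* no SSLv3 fallback on retry: TLS 1.0 is the floor */`, would record that decision next to the code. nss_init_sslver continues outside the hunk.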
@@ -1649,16 +1649,6 @@ ossl_connect_step1(struct connectdata *conn,
#endif

switch(data->set.ssl.version) {
- case CURL_SSLVERSION_DEFAULT:
- ctx_options |= SSL_OP_NO_SSLv2;
-#ifdef USE_TLS_SRP
- if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
- infof(data, "Set version TLSv1.x for SRP authorisation\n");
- ctx_options |= SSL_OP_NO_SSLv3;
- }
-#endif
- break;
-
case CURL_SSLVERSION_SSLv3:
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_TLSv1;
@@ -1668,6 +1658,12 @@ ossl_connect_step1(struct connectdata *conn,
#endif
break;

+ case CURL_SSLVERSION_DEFAULT:
+#ifdef USE_TLS_SRP
+ if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
+ infof(data, "Set version TLSv1.x for SRP authorisation\n");
+ }
+#endif
case CURL_SSLVERSION_TLSv1:
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3; |
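Review bot: In the new `+ case CURL_SSLVERSION_DEFAULT:` arm the `#ifdef USE_TLS_SRP` block now only logs `"Set version TLSv1.x for SRP authorisation\n"` and falls through; the `ctx_options |= SSL_OP_NO_SSLv3;` that the message used to announce is now applied in the shared TLSv1 body for every default connection, so the message describes an SRP-specific adjustment that no longer exists. Either drop the block, since SRP gets TLS 1.x through the default path anyway, or reword the message along the lines of `"SRP authentication: default TLS 1.x versions in effect\n"` so a verbose log does not suggest SRP changed the protocol selection. The fall-through into `case CURL_SSLVERSION_TLSv1:` should also carry a `/* FALLTHROUGH */` marker. ossl_connect_step1 continues outside the hunk.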