Diffstat (limited to 'lib')
-rw-r--r-- | lib/axtls.c | 3 | ||||
-rw-r--r-- | lib/curl_darwinssl.c | 34 | ||||
-rw-r--r-- | lib/curl_schannel.c | 9 | ||||
-rw-r--r-- | lib/cyassl.c | 13 | ||||
-rw-r--r-- | lib/gskit.c | 11 | ||||
-rw-r--r-- | lib/nss.c | 6 | ||||
-rw-r--r-- | lib/qssl.c | 6 | ||||
-rw-r--r-- | lib/ssluse.c | 51 |
8 files changed, 116 insertions, 17 deletions
diff --git a/lib/axtls.c b/lib/axtls.c
index 44e6b9303..8c92588f7 100644
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -164,7 +164,8 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
 case CURL_SSLVERSION_TLSv1:
 break;
 default:
- failf(data, "axTLS only supports TLSv1");
+ failf(data, "axTLS only supports TLS 1.0 and 1.1, "
+ "and it cannot be specified which one to use");
 return CURLE_SSL_CONNECT_ERROR;
 }
diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c
index fb404e9df..45a668bdd 100644
--- a/lib/curl_darwinssl.c
+++ b/lib/curl_darwinssl.c
@@ -1056,6 +1056,18 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
 (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
 break;
+ case CURL_SSLVERSION_TLSv1_0:
+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1);
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11);
+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11);
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
+ break;
 case CURL_SSLVERSION_SSLv3:
 (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
 (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3);
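Review bot: The three new CURL_SSLVERSION_TLSv1_x cases in the first darwinssl hunk discard the OSStatus of SSLSetProtocolVersionMin/Max with `(void)`, so if Secure Transport rejects either call the handshake silently goes ahead with whatever range the context already had instead of the single version the caller pinned — the opposite of the fail-closed `failf(...)`/`return CURLE_SSL_CONNECT_ERROR` that the third darwinssl hunk gives when a version is unavailable. The SSLv2 case visible at the end of that third hunk already keeps the status in `err = SSLSetProtocolVersionEnabled(...)`, presumably checking it afterwards, so the exact-version cases could do the same: `err = SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11); if(err == noErr) err = SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11);` followed by the function's existing error handling. The SSLSetProtocolVersionEnabled additions in the second darwinssl hunk have the same `(void)` pattern. darwinssl_connect_step1 starts before and continues after this hunk.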
@@ -1100,6 +1112,21 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 kTLSProtocol12,
 true);
 break;
+ case CURL_SSLVERSION_TLSv1_0:
+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+ kTLSProtocol1,
+ true);
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+ kTLSProtocol11,
+ true);
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+ kTLSProtocol12,
+ true);
+ break;
 case CURL_SSLVERSION_SSLv3:
 (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
 kSSLProtocol3,
@@ -1130,10 +1157,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 true);
 break;
 case CURL_SSLVERSION_TLSv1:
+ case CURL_SSLVERSION_TLSv1_0:
 (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
 kTLSProtocol1,
 true);
 break;
+ case CURL_SSLVERSION_TLSv1_1:
+ failf(data, "Your version of the OS does not support TLSv1.1");
+ return CURLE_SSL_CONNECT_ERROR;
+ case CURL_SSLVERSION_TLSv1_2:
+ failf(data, "Your version of the OS does not support TLSv1.2");
+ return CURLE_SSL_CONNECT_ERROR;
 case CURL_SSLVERSION_SSLv2:
 err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
 kSSLProtocol2,
diff --git a/lib/curl_schannel.c b/lib/curl_schannel.c
index 68139db58..9a1652782 100644
--- a/lib/curl_schannel.c
+++ b/lib/curl_schannel.c
@@ -180,6 +180,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
 SP_PROT_TLS1_1_CLIENT |
 SP_PROT_TLS1_2_CLIENT;
 break;
+ case CURL_SSLVERSION_TLSv1_0:
+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT;
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_1_CLIENT;
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT;
+ break;
 case CURL_SSLVERSION_SSLv3:
 schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
 break;
diff --git a/lib/cyassl.c b/lib/cyassl.c
index 7c78464d8..ff11bdd1a 100644
--- a/lib/cyassl.c
+++ b/lib/cyassl.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -98,8 +98,19 @@ cyassl_connect_step1(struct connectdata *conn,
 req_method = SSLv23_client_method();
 break;
 case CURL_SSLVERSION_TLSv1:
+ infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
+ "TLS 1.0 is used exclusively\n");
 req_method = TLSv1_client_method();
 break;
+ case CURL_SSLVERSION_TLSv1_0:
+ req_method = TLSv1_client_method();
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ req_method = TLSv1_1_client_method();
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ req_method = TLSv1_2_client_method();
+ break;
 case CURL_SSLVERSION_SSLv3:
 req_method = SSLv3_client_method();
 break;
diff --git a/lib/gskit.c b/lib/gskit.c
index 5cda85b9b..187c58d7a 100644
--- a/lib/gskit.c
+++ b/lib/gskit.c
@@ -503,8 +503,17 @@ static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex)
 sni = (char *) NULL;
 break;
 case CURL_SSLVERSION_TLSv1:
+ case CURL_SSLVERSION_TLSv1_0:
 tlsv1enable = true;
 break;
+ case CURL_SSLVERSION_TLSv1_1:
+ failf(data, "GSKit doesn't support TLS 1.1!");
+ cc = CURLE_SSL_CONNECT_ERROR;
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ failf(data, "GSKit doesn't support TLS 1.2!");
+ cc = CURLE_SSL_CONNECT_ERROR;
+ break;
 default: /* CURL_SSLVERSION_DEFAULT. */
 sslv3enable = true;
 tlsv1enable = true;
@@ -555,7 +564,7 @@ static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex)
 GSK_PROTOCOL_SSLV3_OFF);
 if(cc == CURLE_OK)
 cc = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV1,
- sslv3enable? GSK_PROTOCOL_TLSV1_ON:
+ tlsv1enable? GSK_PROTOCOL_TLSV1_ON:
 GSK_PROTOCOL_TLSV1_OFF);
 if(cc == CURLE_OK)
 cc = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE,
@@ -1267,6 +1267,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 case CURL_SSLVERSION_SSLv3:
 ssl3 = PR_TRUE;
 break;
+ case CURL_SSLVERSION_TLSv1_0:
+ case CURL_SSLVERSION_TLSv1_1:
+ case CURL_SSLVERSION_TLSv1_2:
+ failf(data, "TLS minor version cannot be set\n");
+ curlerr = CURLE_SSL_CONNECT_ERROR;
+ goto error;
 }
 if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
diff --git a/lib/qssl.c b/lib/qssl.c
index b8a8daeca..42bf890fc 100644
--- a/lib/qssl.c
+++ b/lib/qssl.c
@@ -204,6 +204,12 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
 case CURL_SSLVERSION_SSLv3:
 h->protocol = SSL_VERSION_3;
 break;
+
+ case CURL_SSLVERSION_TLSv1_0:
+ case CURL_SSLVERSION_TLSv1_1:
+ case CURL_SSLVERSION_TLSv1_2:
+ failf(data, "TLS minor version cannot be set");
+ return CURLE_SSL_CONNECT_ERROR;
 }
 h->peerCert = NULL;
diff --git a/lib/ssluse.c b/lib/ssluse.c
index c747420f6..84fd73738 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1431,19 +1431,12 @@ ossl_connect_step1(struct connectdata *conn,
 switch(data->set.ssl.version) {
 default:
 case CURL_SSLVERSION_DEFAULT:
-#ifdef USE_TLS_SRP
- if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
- infof(data, "Set version TLSv1 for SRP authorisation\n");
- req_method = TLSv1_client_method() ;
- }
- else
-#endif
- /* we try to figure out version */
- req_method = SSLv23_client_method();
- use_sni(TRUE);
- break;
 case CURL_SSLVERSION_TLSv1:
- req_method = TLSv1_client_method();
+ case CURL_SSLVERSION_TLSv1_0:
+ case CURL_SSLVERSION_TLSv1_1:
+ case CURL_SSLVERSION_TLSv1_2:
+ /* it will be handled later with the context options */
+ req_method = SSLv23_client_method();
 use_sni(TRUE);
 break;
 case CURL_SSLVERSION_SSLv2:
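Review bot: The `failf()` message added in the nss hunk ends with a `\n`, unlike every other failf string in this diff — the qssl hunk below uses the identical text without it, and the darwinssl and gskit hunks omit it too. failf text is what the library hands back as the error string, so the stray newline is delivered to the application rather than only to the verbose log; change it to `failf(data, "TLS minor version cannot be set");`. Curl_nss_connect continues outside the hunk on both sides.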
@@ -1556,9 +1549,39 @@ ossl_connect_step1(struct connectdata *conn,
 ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 #endif
- /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
- if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
+ switch(data->set.ssl.version) {
+ case CURL_SSLVERSION_DEFAULT:
+ ctx_options |= SSL_OP_NO_SSLv2;
+#ifdef USE_TLS_SRP
+ if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
+ infof(data, "Set version TLSv1.x for SRP authorisation\n");
+ ctx_options |= SSL_OP_NO_SSLv3;
+ }
+#endif
+ break;
+ case CURL_SSLVERSION_TLSv1:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ break;
+ case CURL_SSLVERSION_TLSv1_0:
 ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ ctx_options |= SSL_OP_NO_TLSv1_1;
+ ctx_options |= SSL_OP_NO_TLSv1_2;
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ ctx_options |= SSL_OP_NO_TLSv1;
+ ctx_options |= SSL_OP_NO_TLSv1_2;
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ ctx_options |= SSL_OP_NO_TLSv1;
+ ctx_options |= SSL_OP_NO_TLSv1_1;
+ break;
+ }
 SSL_CTX_set_options(connssl->ctx, ctx_options); |
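Review bot: The new TLSv1_0/TLSv1_1/TLSv1_2 cases use SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 unconditionally, but those option bits only exist in OpenSSL builds that implement TLS 1.1/1.2 (1.0.1 onward), so this hunk stops compiling against older OpenSSL, and on such a library a request for TLS 1.1 or 1.2 cannot be honoured at all. The other backends in this diff report that situation with `failf()` and CURLE_SSL_CONNECT_ERROR; here the cases could test for the macro and either skip the unavailable bits (TLSv1_0, where the library cannot negotiate the newer versions anyway) or fail explicitly (TLSv1_1/TLSv1_2), using whatever cleanup path ossl_connect_step1 already has for errors after the context is created, which lies outside this hunk. The SSLv2/SSLv3 selections are not listed in the new switch and there is no `default:`, which is fine if the req_method choice in the previous hunk fully handles them, but a `default: break;` would make that intent explicit. ossl_connect_step1 begins before and continues after the hunk.
```c
  /* … unchanged: CURL_SSLVERSION_DEFAULT and CURL_SSLVERSION_TLSv1 cases … */
  case CURL_SSLVERSION_TLSv1_0:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
#ifdef SSL_OP_NO_TLSv1_1
    /* an OpenSSL without these bits cannot negotiate 1.1/1.2 anyway */
    ctx_options |= SSL_OP_NO_TLSv1_1;
    ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
    break;
  case CURL_SSLVERSION_TLSv1_1:
#ifdef SSL_OP_NO_TLSv1_1
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    ctx_options |= SSL_OP_NO_TLSv1;
    ctx_options |= SSL_OP_NO_TLSv1_2;
    break;
#else
    failf(data, "OpenSSL was built without TLS 1.1 support");
    return CURLE_SSL_CONNECT_ERROR;
#endif
  /* … CURL_SSLVERSION_TLSv1_2: same guard, with SSL_OP_NO_TLSv1_1 in the #ifdef arm … */
```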