aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/axtls.c3
-rw-r--r--lib/curl_darwinssl.c34
-rw-r--r--lib/curl_schannel.c9
-rw-r--r--lib/cyassl.c13
-rw-r--r--lib/gskit.c11
-rw-r--r--lib/nss.c6
-rw-r--r--lib/qssl.c6
-rw-r--r--lib/ssluse.c51
8 files changed, 116 insertions, 17 deletions
diff --git a/lib/axtls.c b/lib/axtls.c
index 44e6b9303..8c92588f7 100644
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -164,7 +164,8 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_TLSv1:
break;
default:
- failf(data, "axTLS only supports TLSv1");
+ failf(data, "axTLS only supports TLS 1.0 and 1.1, "
+ "and it cannot be specified which one to use");
return CURLE_SSL_CONNECT_ERROR;
}
diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c
index fb404e9df..45a668bdd 100644
--- a/lib/curl_darwinssl.c
+++ b/lib/curl_darwinssl.c
@@ -1056,6 +1056,18 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
break;
+ case CURL_SSLVERSION_TLSv1_0:
+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1);
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11);
+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11);
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
+ break;
case CURL_SSLVERSION_SSLv3:
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3);
@@ -1100,6 +1112,21 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
kTLSProtocol12,
true);
break;
+ case CURL_SSLVERSION_TLSv1_0:
+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+ kTLSProtocol1,
+ true);
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+ kTLSProtocol11,
+ true);
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+ kTLSProtocol12,
+ true);
+ break;
case CURL_SSLVERSION_SSLv3:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kSSLProtocol3,
@@ -1130,10 +1157,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
true);
break;
case CURL_SSLVERSION_TLSv1:
+ case CURL_SSLVERSION_TLSv1_0:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol1,
true);
break;
+ case CURL_SSLVERSION_TLSv1_1:
+ failf(data, "Your version of the OS does not support TLSv1.1");
+ return CURLE_SSL_CONNECT_ERROR;
+ case CURL_SSLVERSION_TLSv1_2:
+ failf(data, "Your version of the OS does not support TLSv1.2");
+ return CURLE_SSL_CONNECT_ERROR;
case CURL_SSLVERSION_SSLv2:
err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kSSLProtocol2,
diff --git a/lib/curl_schannel.c b/lib/curl_schannel.c
index 68139db58..9a1652782 100644
--- a/lib/curl_schannel.c
+++ b/lib/curl_schannel.c
@@ -180,6 +180,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
SP_PROT_TLS1_1_CLIENT |
SP_PROT_TLS1_2_CLIENT;
break;
+ case CURL_SSLVERSION_TLSv1_0:
+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT;
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_1_CLIENT;
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT;
+ break;
case CURL_SSLVERSION_SSLv3:
schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
break;
diff --git a/lib/cyassl.c b/lib/cyassl.c
index 7c78464d8..ff11bdd1a 100644
--- a/lib/cyassl.c
+++ b/lib/cyassl.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -98,8 +98,19 @@ cyassl_connect_step1(struct connectdata *conn,
req_method = SSLv23_client_method();
break;
case CURL_SSLVERSION_TLSv1:
+ infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
+ "TLS 1.0 is used exclusively\n");
req_method = TLSv1_client_method();
break;
+ case CURL_SSLVERSION_TLSv1_0:
+ req_method = TLSv1_client_method();
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ req_method = TLSv1_1_client_method();
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ req_method = TLSv1_2_client_method();
+ break;
case CURL_SSLVERSION_SSLv3:
req_method = SSLv3_client_method();
break;
diff --git a/lib/gskit.c b/lib/gskit.c
index 5cda85b9b..187c58d7a 100644
--- a/lib/gskit.c
+++ b/lib/gskit.c
@@ -503,8 +503,17 @@ static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex)
sni = (char *) NULL;
break;
case CURL_SSLVERSION_TLSv1:
+ case CURL_SSLVERSION_TLSv1_0:
tlsv1enable = true;
break;
+ case CURL_SSLVERSION_TLSv1_1:
+ failf(data, "GSKit doesn't support TLS 1.1!");
+ cc = CURLE_SSL_CONNECT_ERROR;
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ failf(data, "GSKit doesn't support TLS 1.2!");
+ cc = CURLE_SSL_CONNECT_ERROR;
+ break;
default: /* CURL_SSLVERSION_DEFAULT. */
sslv3enable = true;
tlsv1enable = true;
@@ -555,7 +564,7 @@ static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex)
GSK_PROTOCOL_SSLV3_OFF);
if(cc == CURLE_OK)
cc = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV1,
- sslv3enable? GSK_PROTOCOL_TLSV1_ON:
+ tlsv1enable? GSK_PROTOCOL_TLSV1_ON:
GSK_PROTOCOL_TLSV1_OFF);
if(cc == CURLE_OK)
cc = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE,
diff --git a/lib/nss.c b/lib/nss.c
index 2d4bf9e9c..34dfbb1a7 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1267,6 +1267,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_SSLv3:
ssl3 = PR_TRUE;
break;
+ case CURL_SSLVERSION_TLSv1_0:
+ case CURL_SSLVERSION_TLSv1_1:
+ case CURL_SSLVERSION_TLSv1_2:
+ failf(data, "TLS minor version cannot be set\n");
+ curlerr = CURLE_SSL_CONNECT_ERROR;
+ goto error;
}
if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
diff --git a/lib/qssl.c b/lib/qssl.c
index b8a8daeca..42bf890fc 100644
--- a/lib/qssl.c
+++ b/lib/qssl.c
@@ -204,6 +204,12 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
case CURL_SSLVERSION_SSLv3:
h->protocol = SSL_VERSION_3;
break;
+
+ case CURL_SSLVERSION_TLSv1_0:
+ case CURL_SSLVERSION_TLSv1_1:
+ case CURL_SSLVERSION_TLSv1_2:
+ failf(data, "TLS minor version cannot be set");
+ return CURLE_SSL_CONNECT_ERROR;
}
h->peerCert = NULL;
diff --git a/lib/ssluse.c b/lib/ssluse.c
index c747420f6..84fd73738 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1431,19 +1431,12 @@ ossl_connect_step1(struct connectdata *conn,
switch(data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
-#ifdef USE_TLS_SRP
- if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
- infof(data, "Set version TLSv1 for SRP authorisation\n");
- req_method = TLSv1_client_method() ;
- }
- else
-#endif
- /* we try to figure out version */
- req_method = SSLv23_client_method();
- use_sni(TRUE);
- break;
case CURL_SSLVERSION_TLSv1:
- req_method = TLSv1_client_method();
+ case CURL_SSLVERSION_TLSv1_0:
+ case CURL_SSLVERSION_TLSv1_1:
+ case CURL_SSLVERSION_TLSv1_2:
+ /* it will be handled later with the context options */
+ req_method = SSLv23_client_method();
use_sni(TRUE);
break;
case CURL_SSLVERSION_SSLv2:
@@ -1556,9 +1549,39 @@ ossl_connect_step1(struct connectdata *conn,
ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
- /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
- if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
+ switch(data->set.ssl.version) {
+ case CURL_SSLVERSION_DEFAULT:
+ ctx_options |= SSL_OP_NO_SSLv2;
+#ifdef USE_TLS_SRP
+ if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
+ infof(data, "Set version TLSv1.x for SRP authorisation\n");
+ ctx_options |= SSL_OP_NO_SSLv3;
+ }
+#endif
+ break;
+ case CURL_SSLVERSION_TLSv1:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ break;
+ case CURL_SSLVERSION_TLSv1_0:
ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ ctx_options |= SSL_OP_NO_TLSv1_1;
+ ctx_options |= SSL_OP_NO_TLSv1_2;
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ ctx_options |= SSL_OP_NO_TLSv1;
+ ctx_options |= SSL_OP_NO_TLSv1_2;
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ ctx_options |= SSL_OP_NO_TLSv1;
+ ctx_options |= SSL_OP_NO_TLSv1_1;
+ break;
+ }
SSL_CTX_set_options(connssl->ctx, ctx_options);