From 5d45ced7a45ea38e32f1cbf73d7c63a3e4f241e7 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Thu, 27 Oct 2016 14:27:25 +0200
Subject: nss: map CURL_SSLVERSION_DEFAULT to NSS default

... but make sure we use at least TLSv1.0 according to libcurl API

Reported-by: Cure53
Reviewed-by: Ray Satiro
---
 RELEASE-NOTES  |  1 +
 lib/vtls/nss.c | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index d224476d5..9a4737820 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -8,6 +8,7 @@ Curl and libcurl 7.51.1
 This release includes the following changes:
+ o nss: map CURL_SSLVERSION_DEFAULT to NSS default
 o
 This release includes the following bugfixes:
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index dff15758f..5abb57427 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
                                 struct Curl_easy *data)
 {
   switch(data->set.ssl.version) {
-  default:
   case CURL_SSLVERSION_DEFAULT:
+    /* map CURL_SSLVERSION_DEFAULT to NSS default */
+    if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
+      return CURLE_SSL_CONNECT_ERROR;
+    /* ... but make sure we use at least TLSv1.0 according to libcurl API */
+    if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
+      sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    return CURLE_OK;
+
   case CURL_SSLVERSION_TLSv1:
     sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */
 #ifdef SSL_LIBRARY_VERSION_TLS_1_2
     sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
 #elif defined SSL_LIBRARY_VERSION_TLS_1_1
@@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
     return CURLE_OK;
 #endif
     break;
+
+  default:
+    /* unsupported SSL/TLS version */
+    break;
   }
   failf(data, "TLS minor version cannot be set");
-- 
cgit v1.2.3
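Review bot: The new early return when SSL_VersionRangeGetDefault() fails in the CURL_SSLVERSION_DEFAULT case reports nothing to the caller's error buffer, while the function's existing failure path (the failf() at the end of the second hunk) does; I would add `failf(data, "NSS: failed to query the default TLS version range");` immediately before `return CURLE_SSL_CONNECT_ERROR;` so a misconfigured NSS build is diagnosable rather than a bare connect error. The clamp that follows only raises sslver->min and leaves sslver->max at the NSS default; I assume no NSS build that provides SSL_VersionRangeGetDefault() defaults max below TLS 1.0, but that is worth confirming, since min above max would hand NSS an invalid range. nss_init_sslver() continues past the end of this hunk.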
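Review bot: The new `default:` branch in the second hunk falls out of the switch to `failf(data, "TLS minor version cannot be set")`, which is a misleading diagnostic for a version value this backend does not recognise; replacing the `break;` with `failf(data, "NSS: unsupported SSL/TLS version requested"); return CURLE_SSL_CONNECT_ERROR;` would name the actual cause (I cannot see what is returned after the existing failf(), as that line is outside the hunk, so the return code may need to match it). Splitting `default:` off from CURL_SSLVERSION_DEFAULT is the right call: an out-of-range value now fails instead of silently being treated as the default range.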