From 81bdd85318da503df9320fb04267da12a8ec9e5f Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Sat, 5 Mar 2016 21:35:16 -0500
Subject: mbedtls: fix user-specified SSL protocol version

Prior to this change when a single protocol CURL_SSLVERSION_ was
specified by the user that version was set only as the minimum version
but not as the maximum version as well.
---
 lib/vtls/mbedtls.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 0cfa9cce1..7e0760316 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -325,26 +325,43 @@ mbedtls_connect_step1(struct connectdata *conn,
                                  &mbedtls_x509_crt_profile_fr);
 
   switch(data->set.ssl.version) {
+  case CURL_SSLVERSION_DEFAULT:
+  case CURL_SSLVERSION_TLSv1:
+    mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
+                                 MBEDTLS_SSL_MINOR_VERSION_1);
+    infof(data, "mbedTLS: Set min SSL version to TLS 1.0\n");
+    break;
   case CURL_SSLVERSION_SSLv3:
     mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
                                  MBEDTLS_SSL_MINOR_VERSION_0);
-    infof(data, "mbedTLS: Forced min. SSL Version to be SSLv3\n");
+    mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
+                                 MBEDTLS_SSL_MINOR_VERSION_0);
+    infof(data, "mbedTLS: Set SSL version to SSLv3\n");
     break;
   case CURL_SSLVERSION_TLSv1_0:
     mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
                                  MBEDTLS_SSL_MINOR_VERSION_1);
-    infof(data, "mbedTLS: Forced min. SSL Version to be TLS 1.0\n");
+    mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
+                                 MBEDTLS_SSL_MINOR_VERSION_1);
+    infof(data, "mbedTLS: Set SSL version to TLS 1.0\n");
     break;
   case CURL_SSLVERSION_TLSv1_1:
     mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
                                  MBEDTLS_SSL_MINOR_VERSION_2);
-    infof(data, "mbedTLS: Forced min. SSL Version to be TLS 1.1\n");
+    mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
+                                 MBEDTLS_SSL_MINOR_VERSION_2);
+    infof(data, "mbedTLS: Set SSL version to TLS 1.1\n");
     break;
   case CURL_SSLVERSION_TLSv1_2:
     mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
                                  MBEDTLS_SSL_MINOR_VERSION_3);
-    infof(data, "mbedTLS: Forced min. SSL Version to be TLS 1.2\n");
+    mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
+                                 MBEDTLS_SSL_MINOR_VERSION_3);
+    infof(data, "mbedTLS: Set SSL version to TLS 1.2\n");
     break;
+  default:
+    failf(data, "mbedTLS: Unsupported SSL protocol version");
+    return CURLE_SSL_CONNECT_ERROR;
   }
 
   mbedtls_ssl_conf_authmode(&connssl->config, MBEDTLS_SSL_VERIFY_OPTIONAL);
-- 
cgit v1.2.3