From 4bb74005298bb0c517360582b90efafd540bf8f1 Mon Sep 17 00:00:00 2001 From: Barry Abrahamson Date: Wed, 1 Jan 2014 23:50:45 +0100 Subject: OpenSSL: Fix forcing SSLv3 connections MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Some feedback provided by byte_bucket on IRC pointed out that commit db11750cfa5b1 wasn’t really correct because it allows for “upgrading” to a newer protocol when it should be only allowing for SSLv3. This change fixes that. When SSLv3 connection is forced, don't allow SSL negotiations for newer versions. Feedback provided by byte_bucket in #curl. This behavior is also consistent with the other force flags like --tlsv1.1 which doesn't allow for TLSv1.2 negotiation, etc Feedback-by: byte_bucket Bug: http://curl.haxx.se/bug/view.cgi?id=1319 --- lib/vtls/openssl.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'lib/vtls/openssl.c') diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index bc22bb888..b3ab99208 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -1551,7 +1551,6 @@ ossl_connect_step1(struct connectdata *conn, switch(data->set.ssl.version) { case CURL_SSLVERSION_DEFAULT: - case CURL_SSLVERSION_SSLv3: ctx_options |= SSL_OP_NO_SSLv2; #ifdef USE_TLS_SRP if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { @@ -1561,6 +1560,15 @@ ossl_connect_step1(struct connectdata *conn, #endif break; + case CURL_SSLVERSION_SSLv3: + ctx_options |= SSL_OP_NO_SSLv2; + ctx_options |= SSL_OP_NO_TLSv1; +#if OPENSSL_VERSION_NUMBER >= 0x1000100FL + ctx_options |= SSL_OP_NO_TLSv1_1; + ctx_options |= SSL_OP_NO_TLSv1_2; +#endif + break; + case CURL_SSLVERSION_TLSv1: ctx_options |= SSL_OP_NO_SSLv2; ctx_options |= SSL_OP_NO_SSLv3; -- cgit v1.2.3