From e35f2e61ecf18153c9a0b152c1f1a8b3d9475cf3 Mon Sep 17 00:00:00 2001 From: Jay Satiro Date: Wed, 25 Mar 2015 02:40:00 -0400 Subject: cyassl: default to highest possible TLS version (cyassl_connect_step1) - Use TLS 1.0-1.2 by default when available. CyaSSL/wolfSSL >= v3.3.0 supports setting a minimum protocol downgrade version. cyassl/cyassl@322f79f --- lib/vtls/cyassl.c | 35 +++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) (limited to 'lib') diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c index 72e1792df..5ba279e5b 100644 --- a/lib/vtls/cyassl.c +++ b/lib/vtls/cyassl.c @@ -90,20 +90,18 @@ cyassl_connect_step1(struct connectdata *conn, if(conssl->state == ssl_connection_complete) return CURLE_OK; - /* CyaSSL doesn't support SSLv2 */ - if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) { - failf(data, "CyaSSL does not support SSLv2"); - return CURLE_SSL_CONNECT_ERROR; - } - /* check to see if we've been told to use an explicit SSL/TLS version */ switch(data->set.ssl.version) { - default: case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: - infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, " +#if LIBCYASSL_VERSION_HEX >= 0x03003000 /* 3.3.0 */ + /* the minimum version is set later after the SSL object is created */ + req_method = SSLv23_client_method(); +#else + infof(data, "CyaSSL <3.3.0 cannot be configured to use TLS 1.0-1.2, " "TLS 1.0 is used exclusively\n"); req_method = TLSv1_client_method(); +#endif break; case CURL_SSLVERSION_TLSv1_0: req_method = TLSv1_client_method(); @@ -117,6 +115,12 @@ cyassl_connect_step1(struct connectdata *conn, case CURL_SSLVERSION_SSLv3: req_method = SSLv3_client_method(); break; + case CURL_SSLVERSION_SSLv2: + failf(data, "CyaSSL does not support SSLv2"); + return CURLE_SSL_CONNECT_ERROR; + default: + failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION"); + return CURLE_SSL_CONNECT_ERROR; } if(!req_method) { @@ -210,6 +214,21 @@ cyassl_connect_step1(struct connectdata *conn, return CURLE_OUT_OF_MEMORY; } + switch(data->set.ssl.version) { + case CURL_SSLVERSION_DEFAULT: + case CURL_SSLVERSION_TLSv1: +#if LIBCYASSL_VERSION_HEX >= 0x03003000 /* >= 3.3.0 */ + /* short circuit evaluation to find minimum supported TLS version */ + if((CyaSSL_SetMinVersion(conssl->handle, CYASSL_TLSV1) != SSL_SUCCESS) && + (CyaSSL_SetMinVersion(conssl->handle, CYASSL_TLSV1_1) != SSL_SUCCESS) && + (CyaSSL_SetMinVersion(conssl->handle, CYASSL_TLSV1_2) != SSL_SUCCESS)) { + failf(data, "SSL: couldn't set the minimum protocol version"); + return CURLE_SSL_CONNECT_ERROR; + } +#endif + break; + } + /* Check if there's a cached ID we can/should use here! */ if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) { /* we got a session id, use it! */ -- cgit v1.2.3