diff options
| author | Kamil Dudka <kdudka@redhat.com> | 2016-10-27 14:57:11 +0200 |
|---|---|---|
| committer | Kamil Dudka <kdudka@redhat.com> | 2016-11-07 11:52:07 +0100 |
| commit | 6ad3add60654182a747f5971afb40817488ef0e8 (patch) | |
| tree | 7e45ea9851feb2bc253503c35967a46098f438b5 | |
| parent | 5d45ced7a45ea38e32f1cbf73d7c63a3e4f241e7 (diff) | |
| download | curl-6ad3add60654182a747f5971afb40817488ef0e8.tar.gz | |
vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
Fully implemented with the NSS backend only for now.
Reviewed-by: Ray Satiro
| -rw-r--r-- | RELEASE-NOTES | 1 | ||||
| -rw-r--r-- | docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 | ||||
| -rw-r--r-- | docs/libcurl/symbols-in-versions | 1 | ||||
| -rw-r--r-- | include/curl/curl.h | 1 | ||||
| -rw-r--r-- | lib/vtls/darwinssl.c | 9 | ||||
| -rw-r--r-- | lib/vtls/gskit.c | 3 | ||||
| -rw-r--r-- | lib/vtls/gtls.c | 6 | ||||
| -rw-r--r-- | lib/vtls/nss.c | 8 | ||||
| -rw-r--r-- | lib/vtls/polarssl.c | 3 | ||||
| -rw-r--r-- | lib/vtls/schannel.c | 3 | ||||
| -rw-r--r-- | packages/OS400/curl.inc.in | 2 |
11 files changed, 39 insertions, 0 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 9a4737820..0917c683a 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -9,6 +9,7 @@ Curl and libcurl 7.51.1 This release includes the following changes: o nss: map CURL_SSLVERSION_DEFAULT to NSS default + o vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3 o This release includes the following bugfixes: diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3 index 2f40e4631..1854af03c 100644 --- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 +++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3 @@ -48,6 +48,8 @@ TLSv1.0 (Added in 7.34.0) TLSv1.1 (Added in 7.34.0) .IP CURL_SSLVERSION_TLSv1_2 TLSv1.2 (Added in 7.34.0) +.IP CURL_SSLVERSION_TLSv1_3 +TLSv1.3 (Added in 7.51.1) .RE .SH DEFAULT CURL_SSLVERSION_DEFAULT diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index f6365ae11..a77fde440 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -773,6 +773,7 @@ CURL_SSLVERSION_TLSv1 7.9.2 CURL_SSLVERSION_TLSv1_0 7.34.0 CURL_SSLVERSION_TLSv1_1 7.34.0 CURL_SSLVERSION_TLSv1_2 7.34.0 +CURL_SSLVERSION_TLSv1_3 7.51.1 CURL_TIMECOND_IFMODSINCE 7.9.7 CURL_TIMECOND_IFUNMODSINCE 7.9.7 CURL_TIMECOND_LASTMOD 7.9.7 diff --git a/include/curl/curl.h b/include/curl/curl.h index 9c09cb966..03fcfebc3 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -1805,6 +1805,7 @@ enum { CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, CURL_SSLVERSION_TLSv1_2, + CURL_SSLVERSION_TLSv1_3, CURL_SSLVERSION_LAST /* never use, keep last */ }; diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c index 66e74f1ba..6aa30d451 100644 --- a/lib/vtls/darwinssl.c +++ b/lib/vtls/darwinssl.c @@ -1071,6 +1071,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12); (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); break; + case CURL_SSLVERSION_TLSv1_3: + failf(data, "TLSv1.3 is not yet supported with this TLS backend"); + return CURLE_SSL_CONNECT_ERROR; case CURL_SSLVERSION_SSLv3: err = SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3); if(err != noErr) { @@ -1122,6 +1125,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, kTLSProtocol12, true); break; + case CURL_SSLVERSION_TLSv1_3: + failf(data, "TLSv1.3 is not yet supported with this TLS backend"); + return CURLE_SSL_CONNECT_ERROR; case CURL_SSLVERSION_SSLv3: err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx, kSSLProtocol3, @@ -1160,6 +1166,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, case CURL_SSLVERSION_TLSv1_2: failf(data, "Your version of the OS does not support TLSv1.2"); return CURLE_SSL_CONNECT_ERROR; + case CURL_SSLVERSION_TLSv1_3: + failf(data, "Your version of the OS does not support TLSv1.3"); + return CURLE_SSL_CONNECT_ERROR; case CURL_SSLVERSION_SSLv2: err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx, kSSLProtocol2, diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c index 3b0cfd5a0..9760c93ab 100644 --- a/lib/vtls/gskit.c +++ b/lib/vtls/gskit.c @@ -639,6 +639,9 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex) case CURL_SSLVERSION_TLSv1_2: protoflags = CURL_GSKPROTO_TLSV12_MASK; break; + case CURL_SSLVERSION_TLSv1_3: + failf(data, "TLS 1.3 not yet supported"); + return CURLE_SSL_CIPHER; } /* Process SNI. Ignore if not supported (on OS400 < V7R1). */ diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 5c87c7fe3..d47d80fc5 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -569,6 +569,9 @@ gtls_connect_step1(struct connectdata *conn, break; case CURL_SSLVERSION_TLSv1_2: protocol_priority[0] = GNUTLS_TLS1_2; + case CURL_SSLVERSION_TLSv1_3: + failf(data, "GnuTLS does not support TLSv1.3"); + return CURLE_SSL_CONNECT_ERROR; break; case CURL_SSLVERSION_SSLv2: default: @@ -607,6 +610,9 @@ gtls_connect_step1(struct connectdata *conn, prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" "+VERS-TLS1.2:" GNUTLS_SRP; break; + case CURL_SSLVERSION_TLSv1_3: + failf(data, "GnuTLS does not support TLSv1.3"); + return CURLE_SSL_CONNECT_ERROR; case CURL_SSLVERSION_SSLv2: default: failf(data, "GnuTLS does not support SSLv2"); diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 5abb57427..5e5272727 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -1541,6 +1541,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, #endif break; + case CURL_SSLVERSION_TLSv1_3: +#ifdef SSL_LIBRARY_VERSION_TLS_1_3 + sslver->min = SSL_LIBRARY_VERSION_TLS_1_3; + sslver->max = SSL_LIBRARY_VERSION_TLS_1_3; + return CURLE_OK; +#endif + break; + default: /* unsupported SSL/TLS version */ break; diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c index 18b564e02..4e41315b6 100644 --- a/lib/vtls/polarssl.c +++ b/lib/vtls/polarssl.c @@ -306,6 +306,9 @@ polarssl_connect_step1(struct connectdata *conn, SSL_MINOR_VERSION_3); infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.2\n"); break; + case CURL_SSLVERSION_TLSv1_3: + failf(data, "PolarSSL: TLS 1.3 is not yet supported"); + return CURLE_SSL_CONNECT_ERROR; } ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT); diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index f731eebdc..63cb98a3c 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -213,6 +213,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) case CURL_SSLVERSION_TLSv1_2: schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT; break; + case CURL_SSLVERSION_TLSv1_3: + failf(data, "schannel: TLS 1.3 is not yet supported"); + return CURLE_SSL_CONNECT_ERROR; case CURL_SSLVERSION_SSLv3: schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT; break; diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in index 4176905a0..4028795ef 100644 --- a/packages/OS400/curl.inc.in +++ b/packages/OS400/curl.inc.in @@ -258,6 +258,8 @@ d c 5 d CURL_SSLVERSION_TLSv1_2... d c 6 + d CURL_SSLVERSION_TLSv1_3... + d c 7 * d CURL_TLSAUTH_NONE... d c 0 |