author | Jay Satiro <raysatiro@yahoo.com> | 2018-09-18 16:35:36 -0400 |
---|---|---|
committer | Jay Satiro <raysatiro@yahoo.com> | 2018-09-20 14:12:25 -0400 |
commit | 2e5651a5ce0ee18d610cacfaa2b3ec5073a40c34 (patch) | |
tree | 65f4bd915f2efa2c975f9aa78e32020fb6a64feb | |
parent | ba782baac3009e44295589743bb8ae8220793e74 (diff) | |
download | curl-2e5651a5ce0ee18d610cacfaa2b3ec5073a40c34.tar.gz |
vtls: fix ssl version "or later" behavior change for many backends
- Treat CURL_SSLVERSION_MAX_NONE the same as
CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE meant that the
minimum version was also used as the maximum.
This is a follow-up to 6015cef which changed the behavior of setting
the SSL version so that the requested version would only be the minimum
and not the maximum. It appears it was (mostly) implemented in OpenSSL
but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to
mean use just TLS v1.0 and now it means use TLS v1.0 *or later*.
- Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL.
Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was
erroneously treated as always TLS 1.3, and would cause an error if
OpenSSL was built without TLS 1.3 support.
Co-authored-by: Daniel Gustafsson
Fixes https://github.com/curl/curl/issues/2969
Closes https://github.com/curl/curl/pull/3012
-rw-r--r-- | lib/vtls/darwinssl.c | 2 | ||||
-rw-r--r-- | lib/vtls/gskit.c | 2 | ||||
-rw-r--r-- | lib/vtls/gtls.c | 4 | ||||
-rw-r--r-- | lib/vtls/mbedtls.c | 3 | ||||
-rw-r--r-- | lib/vtls/nss.c | 2 | ||||
-rw-r--r-- | lib/vtls/openssl.c | 1 | ||||
-rw-r--r-- | lib/vtls/polarssl.c | 3 | ||||
-rw-r--r-- | lib/vtls/schannel.c | 2 |
8 files changed, 1 insertions, 18 deletions
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 3eee53a02..e8116b8a1 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1304,8 +1304,6 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
 switch(ssl_version_max) {
 case CURL_SSLVERSION_MAX_NONE:
- ssl_version_max = ssl_version << 16;
- break;
 case CURL_SSLVERSION_MAX_DEFAULT:
 ssl_version_max = max_supported_version_by_os;
 break;
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index a0b49601f..d6be159ab 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -766,8 +766,6 @@ set_ssl_version_min_max(unsigned int *protoflags, struct connectdata *conn)
 long i = ssl_version;
 switch(ssl_version_max) {
 case CURL_SSLVERSION_MAX_NONE:
- ssl_version_max = ssl_version;
- break;
 case CURL_SSLVERSION_MAX_DEFAULT:
 ssl_version_max = CURL_SSLVERSION_TLSv1_2;
 break;
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 207b0fd1b..93f5ed1db 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -390,8 +390,6 @@ set_ssl_version_min_max(int *list, size_t list_size, struct connectdata *conn)
 switch(ssl_version_max) {
 case CURL_SSLVERSION_MAX_NONE:
- ssl_version_max = ssl_version << 16;
- break;
 case CURL_SSLVERSION_MAX_DEFAULT:
 ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
 break;
@@ -435,7 +433,7 @@ set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn)
 return CURLE_SSL_CONNECT_ERROR;
 }
 if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) {
- ssl_version_max = ssl_version << 16;
+ ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;
 }
 switch(ssl_version | ssl_version_max) {
 case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index d7759dc84..c5ed8872e 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
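Review bot: The `case CURL_SSLVERSION_MAX_NONE:` label in the darwinssl hunk is now empty and silently stacks on `CURL_SSLVERSION_MAX_DEFAULT`, with nothing in the code recording that the "minimum or later" semantics are intentional; a comment on the label, `/* MAX_NONE: no maximum was requested, use the backend's default maximum */`, would keep a later reader from re-adding the `ssl_version << 16` shortcut. The same applies to the identical hunks in gskit.c, the first gtls.c hunk, mbedtls.c, polarssl.c and schannel.c. It is also worth confirming that the `switch(ssl_version)` preceding this one (outside the hunk) rejects any minimum above the backend's default maximum, because a requested minimum of TLS 1.3 now resolves to a maximum of `max_supported_version_by_os` (TLS 1.2 on the other backends) instead of to itself, and whether a maximum below the minimum is caught downstream is not visible here.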
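Review bot: With `ssl_version_max` now set to `CURL_SSLVERSION_MAX_DEFAULT` instead of `ssl_version << 16` in the second gtls.c hunk, the `switch(ssl_version | ssl_version_max)` that follows must carry a label for every `<min> | CURL_SSLVERSION_MAX_DEFAULT` combination; only the `CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0` label is visible and the rest of the switch lies outside the hunk. If the old code relied on NONE always producing a `<min> | MAX_<min>` pair, a minimum with no explicit maximum could now reach the switch's fall-off path rather than a priority string, so the remaining labels should be checked for entries such as `case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT:`. The enclosing function continues outside the hunk.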
@@ -205,14 +205,11 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
 case CURL_SSLVERSION_DEFAULT:
 case CURL_SSLVERSION_TLSv1:
 ssl_version = CURL_SSLVERSION_TLSv1_0;
- ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
 break;
 }
 switch(ssl_version_max) {
 case CURL_SSLVERSION_MAX_NONE:
- ssl_version_max = ssl_version << 16;
- break;
 case CURL_SSLVERSION_MAX_DEFAULT:
 ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
 break;
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 0c5a806f1..c945b453c 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1715,8 +1715,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
 failf(data, "unsupported min version passed via CURLOPT_SSLVERSION");
 return result;
 }
- if(max == CURL_SSLVERSION_MAX_NONE)
- sslver->max = sslver->min;
 }
 switch(max) {
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 083e63471..55226e4ba 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2172,7 +2172,6 @@ set_ssl_version_min_max(long *ctx_options, struct connectdata *conn,
 #endif
 break;
 case CURL_SSLVERSION_MAX_TLSv1_3:
- case CURL_SSLVERSION_MAX_DEFAULT:
 #ifdef TLS1_3_VERSION
 break;
 #else
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index 604cb4c86..27af0ccf3 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -185,14 +185,11 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
 case CURL_SSLVERSION_DEFAULT:
 case CURL_SSLVERSION_TLSv1:
 ssl_version = CURL_SSLVERSION_TLSv1_0;
- ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
 break;
 }
 switch(ssl_version_max) {
 case CURL_SSLVERSION_MAX_NONE:
- ssl_version_max = ssl_version << 16;
- break;
 case CURL_SSLVERSION_MAX_DEFAULT:
 ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
 break;
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index f3ed98d59..e4426924b 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
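Review bot: Dropping `ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;` from the `CURL_SSLVERSION_DEFAULT`/`CURL_SSLVERSION_TLSv1` case in the mbedtls.c hunk changes more than the commit message states: an explicit CURLOPT_SSLVERSION_MAX combined with the default minimum was previously overridden to TLS 1.2 and is now honoured. That looks like the right behaviour, but it deserves a sentence in the commit message or a comment on the case, e.g. `/* leave ssl_version_max alone: an explicit maximum must be honoured */`. The same line is removed in the polarssl.c hunk.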
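Review bot: Removing the `sslver->max = sslver->min` shortcut in the nss.c hunk means `CURL_SSLVERSION_MAX_NONE` now reaches the `switch(max)` below, whose body is outside the hunk; it has to treat NONE exactly like `CURL_SSLVERSION_MAX_DEFAULT` (leaving `sslver->max` at the value the caller initialised it with) rather than as an unknown maximum, and that is not visible here. Stacking the two labels on one `break;` with a comment such as `/* NONE and DEFAULT: keep the library's default maximum */` would make that contract explicit. nss_init_sslver starts and continues outside the hunk.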
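Review bot: After the `case CURL_SSLVERSION_MAX_DEFAULT:` label is taken off the TLS 1.3 branch in the openssl.c hunk, nothing in the hunk shows where MAX_DEFAULT is matched; if the switch has no label for it, the value falls out of the switch untouched, which gives the "highest version the library supports" behaviour the message describes, but only implicitly. An explicit `case CURL_SSLVERSION_MAX_DEFAULT:` stacked on the `CURL_SSLVERSION_MAX_NONE` label with a short comment, `/* no cap requested: let OpenSSL negotiate its highest supported version */`, would document that intent where the next reader looks for it. The enclosing switch starts before the hunk.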
@@ -180,8 +180,6 @@ set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct connectdata *conn)
 switch(ssl_version_max) {
 case CURL_SSLVERSION_MAX_NONE:
- ssl_version_max = ssl_version << 16;
- break;
 case CURL_SSLVERSION_MAX_DEFAULT:
 ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
 break; |