summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Howarth <paul@city-fan.org>2018-12-03 11:42:48 +0000
committerDaniel Stenberg <daniel@haxx.se>2018-12-05 15:24:32 +0100
commit6848ea585b34d7f1d3f73c1d6749321fc5843fbe (patch)
tree1782fa0bf13cb2c4ef24ca0517fcb244bc779aae
parentf7bdf4b2e1d81b2652b81b9b3029927589273b41 (diff)
downloadcurl-6848ea585b34d7f1d3f73c1d6749321fc5843fbe.tar.gz
nss: Fall back to latest supported SSL version
NSS may be built without support for the latest SSL/TLS versions, leading to "SSL version range is not valid" errors when the library code supports a recent version (e.g. TLS v1.3) but it has explicitly been disabled. This change adjusts the maximum SSL version requested by libcurl to be the maximum supported version at runtime, as long as that version is at least as high as the minimum version required by libcurl. Fixes #3261
-rw-r--r--lib/vtls/nss.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index ef200514f..946c69717 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1776,6 +1776,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CURLcode result;
bool second_layer = FALSE;
+ SSLVersionRange sslver_supported;
SSLVersionRange sslver = {
SSL_LIBRARY_VERSION_TLS_1_0, /* min */
@@ -1832,6 +1833,14 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
/* enable/disable the requested SSL version(s) */
if(nss_init_sslver(&sslver, data, conn) != CURLE_OK)
goto error;
+ if(SSL_VersionRangeGetSupported(ssl_variant_stream,
+ &sslver_supported) != SECSuccess)
+ goto error;
+ if(sslver_supported.max < sslver.max && sslver_supported.max >= sslver.min) {
+ infof(data, "Falling back (from %d) to max supported SSL version (%d)\n",
+ sslver.max, sslver_supported.max);
+ sslver.max = sslver_supported.max;
+ }
if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
goto error;