diff options
author | Daniel Stenberg <daniel@haxx.se> | 2018-12-02 23:33:38 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2018-12-02 23:33:38 +0100 |
commit | 61ce4822eda60fbc1c03081006a92f9da18c413d (patch) | |
tree | b6d62525168df6f2fb1b2527ce131206f8aeffa7 | |
parent | a79714b49aba7c5273ec13a3d9c73f9c03f795f2 (diff) | |
download | curl-bagder/nss-with-disabled-13.tar.gz |
nss: if built with disabled TLS 1.3, do an extra TLS version range checkbagder/nss-with-disabled-13
Reported-by: Paul Howarth
Fixes #3261
-rw-r--r-- | lib/vtls/nss.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index ef200514f..6e533ea5d 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -1776,6 +1776,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) struct ssl_connect_data *connssl = &conn->ssl[sockindex]; CURLcode result; bool second_layer = FALSE; + int rc; SSLVersionRange sslver = { SSL_LIBRARY_VERSION_TLS_1_0, /* min */ @@ -1832,7 +1833,18 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) /* enable/disable the requested SSL version(s) */ if(nss_init_sslver(&sslver, data, conn) != CURLE_OK) goto error; - if(SSL_VersionRangeSet(model, &sslver) != SECSuccess) + + rc = SSL_VersionRangeSet(model, &sslver); +#ifdef SSL_LIBRARY_VERSION_TLS_1_3 + if((sslver.max == SSL_LIBRARY_VERSION_TLS_1_3) && + (sslver.min < SSL_LIBRARY_VERSION_TLS_1_3) && + (rc == SSL_ERROR_INVALID_VERSION_RANGE)) { + infof(data, "TLS 1.3 as max failed, trying with max set to TLS 1.2\n"); + sslver.max = SSL_LIBRARY_VERSION_TLS_1_2; + rc = SSL_VersionRangeSet(model, &sslver); + } +#endif + if(rc != SECSuccess) goto error; ssl_cbc_random_iv = !SSL_SET_OPTION(enable_beast); |