summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/setopt.c2
-rw-r--r--lib/vtls/mbedtls.c15
-rw-r--r--lib/vtls/nss.c3
-rw-r--r--lib/vtls/openssl.c64
-rw-r--r--lib/vtls/schannel.c6
-rw-r--r--lib/vtls/sectransp.c52
-rw-r--r--lib/vtls/wolfssl.c22
7 files changed, 20 insertions, 144 deletions
diff --git a/lib/setopt.c b/lib/setopt.c
index 5944482a8..53b30da35 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -426,6 +426,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
version_max = C_SSLVERSION_MAX_VALUE(arg);
if(version < CURL_SSLVERSION_DEFAULT ||
+ version == CURL_SSLVERSION_SSLv2 ||
+ version == CURL_SSLVERSION_SSLv3 ||
version >= CURL_SSLVERSION_LAST ||
version_max < CURL_SSLVERSION_MAX_NONE ||
version_max >= CURL_SSLVERSION_MAX_LAST)
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 4b36f2d20..d4504a61f 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -263,10 +263,10 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
char errorbuf[128];
errorbuf[0] = 0;
- /* mbedTLS only supports SSLv3 and TLSv1 */
- if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) {
- failf(data, "mbedTLS does not support SSLv2");
- return CURLE_SSL_CONNECT_ERROR;
+ if((SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) ||
+ (SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv3)) {
+ failf(data, "Not supported SSL version");
+ return CURLE_NOT_BUILT_IN;
}
#ifdef THREADING_SUPPORT
@@ -414,13 +414,6 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
MBEDTLS_SSL_MINOR_VERSION_1);
infof(data, "mbedTLS: Set min SSL version to TLS 1.0\n");
break;
- case CURL_SSLVERSION_SSLv3:
- mbedtls_ssl_conf_min_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3,
- MBEDTLS_SSL_MINOR_VERSION_0);
- mbedtls_ssl_conf_max_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3,
- MBEDTLS_SSL_MINOR_VERSION_0);
- infof(data, "mbedTLS: Set SSL version to SSLv3\n");
- break;
case CURL_SSLVERSION_TLSv1_0:
case CURL_SSLVERSION_TLSv1_1:
case CURL_SSLVERSION_TLSv1_2:
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index a9f6959e3..9be3979c0 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1699,8 +1699,7 @@ static CURLcode nss_sslver_from_curl(PRUint16 *nssver, long version)
return CURLE_OK;
case CURL_SSLVERSION_SSLv3:
- *nssver = SSL_LIBRARY_VERSION_3_0;
- return CURLE_OK;
+ return CURLE_NOT_BUILT_IN;
case CURL_SSLVERSION_TLSv1_0:
*nssver = SSL_LIBRARY_VERSION_TLS_1_0;
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 6583300b3..88380563f 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -122,12 +122,6 @@
#define HAVE_ERR_REMOVE_THREAD_STATE 1
#endif
-#if !defined(HAVE_SSLV2_CLIENT_METHOD) || \
- OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0+ has no SSLv2 */
-#undef OPENSSL_NO_SSL2 /* undef first to avoid compiler warnings */
-#define OPENSSL_NO_SSL2
-#endif
-
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \
!(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER < 0x20700000L)
@@ -2581,31 +2575,11 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
use_sni(TRUE);
break;
case CURL_SSLVERSION_SSLv2:
-#ifdef OPENSSL_NO_SSL2
- failf(data, OSSL_PACKAGE " was built without SSLv2 support");
+ failf(data, "No SSLv2 support");
return CURLE_NOT_BUILT_IN;
-#else
-#ifdef USE_OPENSSL_SRP
- if(ssl_authtype == CURL_TLSAUTH_SRP)
- return CURLE_SSL_CONNECT_ERROR;
-#endif
- req_method = SSLv2_client_method();
- use_sni(FALSE);
- break;
-#endif
case CURL_SSLVERSION_SSLv3:
-#ifdef OPENSSL_NO_SSL3_METHOD
- failf(data, OSSL_PACKAGE " was built without SSLv3 support");
+ failf(data, "No SSLv3 support");
return CURLE_NOT_BUILT_IN;
-#else
-#ifdef USE_OPENSSL_SRP
- if(ssl_authtype == CURL_TLSAUTH_SRP)
- return CURLE_SSL_CONNECT_ERROR;
-#endif
- req_method = SSLv3_client_method();
- use_sni(FALSE);
- break;
-#endif
default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
return CURLE_SSL_CONNECT_ERROR;
@@ -2693,41 +2667,9 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
#endif
switch(ssl_version) {
- /* "--sslv2" option means SSLv2 only, disable all others */
case CURL_SSLVERSION_SSLv2:
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 */
- SSL_CTX_set_min_proto_version(backend->ctx, SSL2_VERSION);
- SSL_CTX_set_max_proto_version(backend->ctx, SSL2_VERSION);
-#else
- ctx_options |= SSL_OP_NO_SSLv3;
- ctx_options |= SSL_OP_NO_TLSv1;
-# if OPENSSL_VERSION_NUMBER >= 0x1000100FL
- ctx_options |= SSL_OP_NO_TLSv1_1;
- ctx_options |= SSL_OP_NO_TLSv1_2;
-# ifdef TLS1_3_VERSION
- ctx_options |= SSL_OP_NO_TLSv1_3;
-# endif
-# endif
-#endif
- break;
-
- /* "--sslv3" option means SSLv3 only, disable all others */
case CURL_SSLVERSION_SSLv3:
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 */
- SSL_CTX_set_min_proto_version(backend->ctx, SSL3_VERSION);
- SSL_CTX_set_max_proto_version(backend->ctx, SSL3_VERSION);
-#else
- ctx_options |= SSL_OP_NO_SSLv2;
- ctx_options |= SSL_OP_NO_TLSv1;
-# if OPENSSL_VERSION_NUMBER >= 0x1000100FL
- ctx_options |= SSL_OP_NO_TLSv1_1;
- ctx_options |= SSL_OP_NO_TLSv1_2;
-# ifdef TLS1_3_VERSION
- ctx_options |= SSL_OP_NO_TLSv1_3;
-# endif
-# endif
-#endif
- break;
+ return CURLE_NOT_BUILT_IN;
/* "--tlsv<x.y>" options mean TLS >= version <x.y> */
case CURL_SSLVERSION_DEFAULT:
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index 961a71f6d..7043da3d6 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -572,11 +572,9 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
break;
}
case CURL_SSLVERSION_SSLv3:
- schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
- break;
case CURL_SSLVERSION_SSLv2:
- schannel_cred.grbitEnabledProtocols = SP_PROT_SSL2_CLIENT;
- break;
+ failf(data, "SSL versions not supported");
+ return CURLE_NOT_BUILT_IN;
default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
return CURLE_SSL_CONNECT_ERROR;
diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
index 9d637da2e..e32fcb54f 100644
--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
@@ -1486,21 +1486,9 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
break;
}
case CURL_SSLVERSION_SSLv3:
- err = SSLSetProtocolVersionMin(backend->ssl_ctx, kSSLProtocol3);
- if(err != noErr) {
- failf(data, "Your version of the OS does not support SSLv3");
- return CURLE_SSL_CONNECT_ERROR;
- }
- (void)SSLSetProtocolVersionMax(backend->ssl_ctx, kSSLProtocol3);
- break;
case CURL_SSLVERSION_SSLv2:
- err = SSLSetProtocolVersionMin(backend->ssl_ctx, kSSLProtocol2);
- if(err != noErr) {
- failf(data, "Your version of the OS does not support SSLv2");
- return CURLE_SSL_CONNECT_ERROR;
- }
- (void)SSLSetProtocolVersionMax(backend->ssl_ctx, kSSLProtocol2);
- break;
+ failf(data, "SSL versions not supported");
+ return CURLE_NOT_BUILT_IN;
default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
return CURLE_SSL_CONNECT_ERROR;
@@ -1535,23 +1523,9 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
break;
}
case CURL_SSLVERSION_SSLv3:
- err = SSLSetProtocolVersionEnabled(backend->ssl_ctx,
- kSSLProtocol3,
- true);
- if(err != noErr) {
- failf(data, "Your version of the OS does not support SSLv3");
- return CURLE_SSL_CONNECT_ERROR;
- }
- break;
case CURL_SSLVERSION_SSLv2:
- err = SSLSetProtocolVersionEnabled(backend->ssl_ctx,
- kSSLProtocol2,
- true);
- if(err != noErr) {
- failf(data, "Your version of the OS does not support SSLv2");
- return CURLE_SSL_CONNECT_ERROR;
- }
- break;
+ failf(data, "SSL versions not supported");
+ return CURLE_NOT_BUILT_IN;
default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
return CURLE_SSL_CONNECT_ERROR;
@@ -1583,23 +1557,9 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
failf(data, "Your version of the OS does not support TLSv1.3");
return CURLE_SSL_CONNECT_ERROR;
case CURL_SSLVERSION_SSLv2:
- err = SSLSetProtocolVersionEnabled(backend->ssl_ctx,
- kSSLProtocol2,
- true);
- if(err != noErr) {
- failf(data, "Your version of the OS does not support SSLv2");
- return CURLE_SSL_CONNECT_ERROR;
- }
- break;
case CURL_SSLVERSION_SSLv3:
- err = SSLSetProtocolVersionEnabled(backend->ssl_ctx,
- kSSLProtocol3,
- true);
- if(err != noErr) {
- failf(data, "Your version of the OS does not support SSLv3");
- return CURLE_SSL_CONNECT_ERROR;
- }
- break;
+ failf(data, "SSL versions not supported");
+ return CURLE_NOT_BUILT_IN;
default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
return CURLE_SSL_CONNECT_ERROR;
diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index c6f428034..21f36504f 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -47,16 +47,6 @@
#endif
#endif
-/* WOLFSSL_ALLOW_SSLV3 is wolfSSL's build time symbol for enabling SSLv3 in
- options.h, but is only seen in >= 3.6.6 since that's when they started
- disabling SSLv3 by default. */
-#ifndef WOLFSSL_ALLOW_SSLV3
-#if (LIBWOLFSSL_VERSION_HEX < 0x03006006) || \
- defined(HAVE_WOLFSSLV3_CLIENT_METHOD)
-#define WOLFSSL_ALLOW_SSLV3
-#endif
-#endif
-
#include <limits.h>
#include "urldata.h"
@@ -285,18 +275,10 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
failf(data, "wolfSSL: TLS 1.3 is not yet supported");
return CURLE_SSL_CONNECT_ERROR;
#endif
+ case CURL_SSLVERSION_SSLv2:
case CURL_SSLVERSION_SSLv3:
-#ifdef WOLFSSL_ALLOW_SSLV3
- req_method = SSLv3_client_method();
- use_sni(FALSE);
-#else
- failf(data, "wolfSSL does not support SSLv3");
+ failf(data, "SSL versions not supported");
return CURLE_NOT_BUILT_IN;
-#endif
- break;
- case CURL_SSLVERSION_SSLv2:
- failf(data, "wolfSSL does not support SSLv2");
- return CURLE_SSL_CONNECT_ERROR;
default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
return CURLE_SSL_CONNECT_ERROR;