Commit 4bb74005 authored Jan 01, 2014 by Barry Abrahamson Committed by Daniel Stenberg Jan 02, 2014

OpenSSL: Fix forcing SSLv3 connections

Some feedback provided by byte_bucket on IRC pointed out that commit
db11750c wasn’t really correct because it allows for “upgrading” to a
newer protocol when it should be only allowing for SSLv3.

This change fixes that.

When SSLv3 connection is forced, don't allow SSL negotiations for newer
versions.  Feedback provided by byte_bucket in #curl.  This behavior is
also consistent with the other force flags like --tlsv1.1 which doesn't
allow for TLSv1.2 negotiation, etc

Feedback-by: byte_bucket
Bug: http://curl.haxx.se/bug/view.cgi?id=1319

parent 303172d2

lib/vtls/openssl.c

+9 −1

Original line number	Diff line number	Diff line
		@@ -1551,7 +1551,6 @@ ossl_connect_step1(struct connectdata *conn,

		switch(data->set.ssl.version) {
		case CURL_SSLVERSION_DEFAULT:
		case CURL_SSLVERSION_SSLv3:
		ctx_options \|= SSL_OP_NO_SSLv2;
		#ifdef USE_TLS_SRP
		if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
		@@ -1561,6 +1560,15 @@ ossl_connect_step1(struct connectdata *conn,
		#endif
		break;

		case CURL_SSLVERSION_SSLv3:
		ctx_options \|= SSL_OP_NO_SSLv2;
		ctx_options \|= SSL_OP_NO_TLSv1;
		#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
		ctx_options \|= SSL_OP_NO_TLSv1_1;
		ctx_options \|= SSL_OP_NO_TLSv1_2;
		#endif
		break;

		case CURL_SSLVERSION_TLSv1:
		ctx_options \|= SSL_OP_NO_SSLv2;
		ctx_options \|= SSL_OP_NO_SSLv3;