Commit 65e556d0 authored by Steve Holme's avatar Steve Holme

SSL: Follow up work to commits 6a136312 and 87861c9b

Changed the failure code when TLS v1.1 and v1.2 are requested but not
supported by older OpenSSL versions, following review from libcurl
peers, and reduced the number of required preprocessor if statements.
parent 6a136312
+3 −9
@@ -1568,10 +1568,8 @@ ossl_connect_step1(struct connectdata *conn,
  case CURL_SSLVERSION_TLSv1_0:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
#if defined(SSL_OP_NO_TLSv1_1)
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
    ctx_options |= SSL_OP_NO_TLSv1_1;
#endif
#if defined(SSL_OP_NO_TLSv1_2)
    ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
    break;
@@ -1581,24 +1579,20 @@ ossl_connect_step1(struct connectdata *conn,
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    ctx_options |= SSL_OP_NO_TLSv1;
#if defined(SSL_OP_NO_TLSv1_2)
    ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
    break;

  case CURL_SSLVERSION_TLSv1_2:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    ctx_options |= SSL_OP_NO_TLSv1;
#if defined(SSL_OP_NO_TLSv1_1)
    ctx_options |= SSL_OP_NO_TLSv1_1;
#endif
    break;
#endif

  default:
    failf(data, "Unsupported cipher version");
    return CURLE_SSL_CIPHER;
    failf(data, "Unsupported SSL protocol version");
    return CURLE_SSL_CONNECT_ERROR;
  }

  SSL_CTX_set_options(connssl->ctx, ctx_options);
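Review bot: The new version gate `#if OPENSSL_VERSION_NUMBER >= 0x1000100FL` in the TLSv1_0 case is a bare magic number; a reader has to know the OpenSSL version encoding to see that it means 1.0.1, the first release with TLS 1.1/1.2 support, so add `/* OpenSSL 1.0.1 and later: TLS 1.1 and 1.2 are available */` on that line. The `#endif` after the TLSv1_2 case closes an `#if` that is not visible in the second hunk (presumably the same version gate wrapping the TLSv1_1 and TLSv1_2 cases), so the two hunks depend on each other and should be read together. With the TLSv1_1/TLSv1_2 cases compiled out on older OpenSSL, a caller requesting either version now lands in `default:` and gets the same "Unsupported SSL protocol version" text as an out-of-range enum value; a comment such as `/* also reached for TLSv1_1/TLSv1_2 when OpenSSL is older than 1.0.1 */` above `default:` would make that deliberate. ossl_connect_step1 starts before and continues after the hunk.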