Commit 6a136312 authored by Steve Holme's avatar Steve Holme

SSL: Added unsupported cipher version check for OpenSSL

...with the use of CURL_SSLVERSION_TLSv1_1 and CURL_SSLVERSION_TLSv1_2
being conditional on OpenSSL v1.0.1 as the appropriate flags are not
supported under earlier versions.
parent 75b9b264
+10 −0
@@ -1559,10 +1559,12 @@ ossl_connect_step1(struct connectdata *conn,
    }
#endif
    break;

  case CURL_SSLVERSION_TLSv1:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    break;

  case CURL_SSLVERSION_TLSv1_0:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
@@ -1573,6 +1575,8 @@ ossl_connect_step1(struct connectdata *conn,
    ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
    break;

#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
  case CURL_SSLVERSION_TLSv1_1:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
@@ -1581,6 +1585,7 @@ ossl_connect_step1(struct connectdata *conn,
    ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
    break;

  case CURL_SSLVERSION_TLSv1_2:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
@@ -1589,6 +1594,11 @@ ossl_connect_step1(struct connectdata *conn,
    ctx_options |= SSL_OP_NO_TLSv1_1;
#endif
    break;
#endif

  default:
    failf(data, "Unsupported cipher version");
    return CURLE_SSL_CIPHER;
  }

  SSL_CTX_set_options(connssl->ctx, ctx_options);
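Review bot: The new `default:` branch reports "Unsupported cipher version", but the switch is on the requested SSL/TLS protocol version, not a cipher, and with `OPENSSL_VERSION_NUMBER < 0x1000100FL` a perfectly valid `CURL_SSLVERSION_TLSv1_1`/`CURL_SSLVERSION_TLSv1_2` request now also lands here, so the wording blames the caller for a limitation of the OpenSSL build. A message naming the real condition would help anyone debugging a failed connection, e.g. `failf(data, "Unsupported SSL protocol version (not available in this OpenSSL build)");`. Returning `CURLE_SSL_CIPHER` for a protocol-version problem is likewise questionable, though whether a better-fitting code is available here is not visible from the hunk. The rejection itself is the right call: before this change an unsupported version value fell through and the connection proceeded with no version restriction at all. The enclosing function `ossl_connect_step1` begins and ends outside the hunk.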