Commit ad34a2d5 authored by Gergely Nagy, committed by Daniel Stenberg

SSL: protocol version can be specified more precisely

CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1,
CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version
(CURL_SSLVERSION_TLSv1 means TLS 1.x).

axTLS:
axTLS only supports TLS 1.0 and 1.1, but it cannot be configured to use
only one of them, so we don't allow the new enum values.

darwinssl:
Added support for the new enum values.

SChannel:
Added support for the new enum values.

CyaSSL:
Added support for the new enum values.
Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it
did the same before this commit), because CyaSSL cannot be configured to
use TLS 1.0-1.2.

GSKit:
GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow
those values.
Bugfix: There was a typo that caused wrong SSL versions to be passed to
GSKit.

NSS:
TLS minor version cannot be set, so we don't allow the new enum values.

QsoSSL:
TLS minor version cannot be set, so we don't allow the new enum values.

OpenSSL:
Added support for the new enum values.
Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0,
now it enables 1.0-1.2.

Command-line tool:
Added command line options for the new values.
parent 31e106c0
+7 −1
@@ -2417,11 +2417,17 @@ The default action. This will attempt to figure out the remote SSL protocol
version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
by default with 7.18.1).
.IP CURL_SSLVERSION_TLSv1
Force TLSv1
Force TLSv1.x
.IP CURL_SSLVERSION_SSLv2
Force SSLv2
.IP CURL_SSLVERSION_SSLv3
Force SSLv3
.IP CURL_SSLVERSION_TLSv1_0
Force TLSv1.0
.IP CURL_SSLVERSION_TLSv1_1
Force TLSv1.1
.IP CURL_SSLVERSION_TLSv1_2
Force TLSv1.2
.RE
.IP CURLOPT_SSL_VERIFYPEER
Pass a long as parameter. By default, curl assumes a value of 1.
+3 −0
@@ -695,6 +695,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2
CURL_SSLVERSION_SSLv2           7.9.2
CURL_SSLVERSION_SSLv3           7.9.2
CURL_SSLVERSION_TLSv1           7.9.2
CURL_SSLVERSION_TLSv1_0         7.33.0
CURL_SSLVERSION_TLSv1_1         7.33.0
CURL_SSLVERSION_TLSv1_2         7.33.0
CURL_TIMECOND_IFMODSINCE        7.9.7
CURL_TIMECOND_IFUNMODSINCE      7.9.7
CURL_TIMECOND_LASTMOD           7.9.7
+4 −1
@@ -1659,9 +1659,12 @@ enum CURL_NETRC_OPTION {

enum {
  CURL_SSLVERSION_DEFAULT,
  CURL_SSLVERSION_TLSv1,
  CURL_SSLVERSION_TLSv1, /* TLS 1.x */
  CURL_SSLVERSION_SSLv2,
  CURL_SSLVERSION_SSLv3,
  CURL_SSLVERSION_TLSv1_0,
  CURL_SSLVERSION_TLSv1_1,
  CURL_SSLVERSION_TLSv1_2,

  CURL_SSLVERSION_LAST /* never use, keep last */
};
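Review bot: The three new enumerators CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1 and CURL_SSLVERSION_TLSv1_2 are added without a comment, while CURL_SSLVERSION_TLSv1 on the line above gains `/* TLS 1.x */`; since the difference between "any TLS 1.x" and an exact version is the whole point of the change, each new value deserves one, e.g. `CURL_SSLVERSION_TLSv1_0, /* TLS 1.0 only */`. Appending them after CURL_SSLVERSION_SSLv3 instead of next to CURL_SSLVERSION_TLSv1 keeps the existing numeric values stable for already-built applications, which is worth stating with a line such as `/* new values are appended here, before CURL_SSLVERSION_LAST */`. It would also help API users to record here what the commit message says: backends that cannot pin a single minor version reject these values with a connect error rather than silently negotiating a wider range — presumably CURLE_SSL_CONNECT_ERROR, as the axTLS hunk returns.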
+2 −1
@@ -164,7 +164,8 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
  case CURL_SSLVERSION_TLSv1:
    break;
  default:
    failf(data, "axTLS only supports TLSv1");
    failf(data, "axTLS only supports TLS 1.0 and 1.1, "
          "and it cannot be specified which one to use");
    return CURLE_SSL_CONNECT_ERROR;
  }

+34 −0
@@ -1056,6 +1056,18 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
        break;
      case CURL_SSLVERSION_TLSv1_0:
        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1);
        break;
      case CURL_SSLVERSION_TLSv1_1:
        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11);
        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11);
        break;
      case CURL_SSLVERSION_TLSv1_2:
        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
        break;
      case CURL_SSLVERSION_SSLv3:
        (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
        (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3);
@@ -1100,6 +1112,21 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                           kTLSProtocol12,
                                           true);
        break;
      case CURL_SSLVERSION_TLSv1_0:
        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                           kTLSProtocol1,
                                           true);
        break;
      case CURL_SSLVERSION_TLSv1_1:
        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                           kTLSProtocol11,
                                           true);
        break;
      case CURL_SSLVERSION_TLSv1_2:
        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                           kTLSProtocol12,
                                           true);
        break;
      case CURL_SSLVERSION_SSLv3:
        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                           kSSLProtocol3,
@@ -1130,10 +1157,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                         true);
      break;
    case CURL_SSLVERSION_TLSv1:
    case CURL_SSLVERSION_TLSv1_0:
      (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                         kTLSProtocol1,
                                         true);
      break;
    case CURL_SSLVERSION_TLSv1_1:
      failf(data, "Your version of the OS does not support TLSv1.1");
      return CURLE_SSL_CONNECT_ERROR;
    case CURL_SSLVERSION_TLSv1_2:
      failf(data, "Your version of the OS does not support TLSv1.2");
      return CURLE_SSL_CONNECT_ERROR;
    case CURL_SSLVERSION_SSLv2:
      err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                         kSSLProtocol2,
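Review bot: The new exact-version cases in the first two hunks discard the OSStatus of SSLSetProtocolVersionMin/Max and SSLSetProtocolVersionEnabled with a `(void)` cast (following the pre-existing lines above them), so a failed call leaves the context at its default range and the handshake may negotiate a version other than the one the caller forced; the SSLv2 case at the end of the third hunk shows the file does assign such results to `err`. For the calls that pin a version the result is worth checking, e.g. `err = SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); if(err != noErr) { failf(data, "SSLSetProtocolVersionMax failed"); return CURLE_SSL_CONNECT_ERROR; }`, applied likewise to the other new cases. In the third hunk CURL_SSLVERSION_TLSv1 and CURL_SSLVERSION_TLSv1_0 share one case that enables only kTLSProtocol1, which is consistent with the failf lines below it saying the OS lacks TLS 1.1/1.2, but a comment such as `/* this OS path has TLS 1.0 only, so TLSv1 (1.x) and TLSv1_0 coincide */` would make the intent explicit. darwinssl_connect_step1 begins and ends outside these hunks.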