Commit f203edc5 authored by Jay Satiro's avatar Jay Satiro Committed by Daniel Stenberg
Browse files

cyassl: Set minimum protocol version before CTX callback 

This change is to allow the user's CTX callback to change the minimum
protocol version in the CTX without us later overriding it, as we did
prior to this change.
parent e2a9ebb3

lib/vtls/cyassl.c

+23 −17
Original line number Diff line number Diff line
@@ -94,8 +94,8 @@ cyassl_connect_step1(struct connectdata *conn, 
  switch(data->set.ssl.version) {

  case CURL_SSLVERSION_DEFAULT:

  case CURL_SSLVERSION_TLSv1:

#if LIBCYASSL_VERSION_HEX >= 0x03003000 /* 3.3.0 */

    /* the minimum version is set later after the SSL object is created */

#if LIBCYASSL_VERSION_HEX >= 0x03003000 /* >= 3.3.0 */

    /* minimum protocol version is set later after the CTX object is created */

    req_method = SSLv23_client_method();

#else

    infof(data, "CyaSSL <3.3.0 cannot be configured to use TLS 1.0-1.2, "
@@ -137,6 +137,27 @@ cyassl_connect_step1(struct connectdata *conn, 
    return CURLE_OUT_OF_MEMORY;

  }



  switch(data->set.ssl.version) {

  case CURL_SSLVERSION_DEFAULT:

  case CURL_SSLVERSION_TLSv1:

#if LIBCYASSL_VERSION_HEX > 0x03004006 /* > 3.4.6 */

    /* Versions 3.3.0 to 3.4.6 we know the minimum protocol version is whatever

    minimum version of TLS was built in and at least TLS 1.0. For later library

    versions that could change (eg TLS 1.0 built in but defaults to TLS 1.1) so

    we have this short circuit evaluation to find the minimum supported TLS

    version. We use wolfSSL_CTX_SetMinVersion and not CyaSSL_SetMinVersion

    because only the former will work before the user's CTX callback is called.

    */

    if((wolfSSL_CTX_SetMinVersion(conssl->ctx, WOLFSSL_TLSV1) != 1) &&

       (wolfSSL_CTX_SetMinVersion(conssl->ctx, WOLFSSL_TLSV1_1) != 1) &&

       (wolfSSL_CTX_SetMinVersion(conssl->ctx, WOLFSSL_TLSV1_2) != 1)) {

      failf(data, "SSL: couldn't set the minimum protocol version");

      return CURLE_SSL_CONNECT_ERROR;

    }

#endif

    break;

  }



#ifndef NO_FILESYSTEM

  /* load trusted cacert */

  if(data->set.str[STRING_SSL_CAFILE]) {
@@ -230,21 +251,6 @@ cyassl_connect_step1(struct connectdata *conn, 
    return CURLE_OUT_OF_MEMORY;

  }



  switch(data->set.ssl.version) {

  case CURL_SSLVERSION_DEFAULT:

  case CURL_SSLVERSION_TLSv1:

#if LIBCYASSL_VERSION_HEX >= 0x03003000 /* >= 3.3.0 */

    /* short circuit evaluation to find minimum supported TLS version */

    if((CyaSSL_SetMinVersion(conssl->handle, CYASSL_TLSV1) != SSL_SUCCESS) &&

       (CyaSSL_SetMinVersion(conssl->handle, CYASSL_TLSV1_1) != SSL_SUCCESS) &&

       (CyaSSL_SetMinVersion(conssl->handle, CYASSL_TLSV1_2) != SSL_SUCCESS)) {

      failf(data, "SSL: couldn't set the minimum protocol version");

      return CURLE_SSL_CONNECT_ERROR;

    }

#endif

    break;

  }



  /* Check if there's a cached ID we can/should use here! */

  if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {

    /* we got a session id, use it! */