Commit f9a60620 authored by Guenter Knauf's avatar Guenter Knauf

applied patch to disable SSLv2 by default; discussion:

parent 0cae2010
+3 −4
@@ -1379,10 +1379,9 @@ Pass a long as parameter to control what version of SSL/TLS to attempt to use.
The available options are:
.RS
.IP CURL_SSLVERSION_DEFAULT
The default action. When libcurl built with OpenSSL or NSS, this will attempt
to figure out the remote SSL protocol version. Unfortunately there are a lot of
ancient and broken servers in use which cannot handle this technique and will
fail to connect. When libcurl is built with GnuTLS, this will mean SSLv3.
The default action. This will attempt to figure out the remote SSL protocol
version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
by default with 7.18.1).
.IP CURL_SSLVERSION_TLSv1
Force TLSv1
.IP CURL_SSLVERSION_SSLv2
+4 −1
@@ -873,7 +873,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
  switch (data->set.ssl.version) {
  default:
  case CURL_SSLVERSION_DEFAULT:
    ssl2 = ssl3 = tlsv1 = PR_TRUE;
    ssl3 = tlsv1 = PR_TRUE;
    break;
  case CURL_SSLVERSION_TLSv1:
    tlsv1 = PR_TRUE;
@@ -893,6 +893,9 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
  if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
    goto error;

  if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
    goto error;

  if(data->set.ssl.cipher_list) {
    if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
      curlerr = CURLE_SSL_CIPHER;
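Review bot: The new `SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2)` call only controls whether the ClientHello is sent in the SSLv2-compatible format; whether SSLv2 itself may be negotiated is governed by NSS's separate SSL_ENABLE_SSL2 option, which this hunk does not show, so if that option is not also set from `ssl2` above the hunk (next to the SSL_ENABLE_TLS call visible here) the default case may still allow SSLv2 despite the change in the switch. The CURL_SSLVERSION_DEFAULT case now relies on `ssl2` having been initialised to PR_FALSE before the switch, which is outside the first hunk and worth confirming rather than leaving implicit. A comment matching the one in the OpenSSL hunk would help, e.g. `/* default case: SSLv2 is off (ssl2 left false), so do not send an SSLv2-compatible hello */`. Curl_nss_connect begins and ends outside both hunks.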
+2 −2
@@ -90,7 +90,7 @@ static CURLcode Curl_qsossl_init_session(struct SessionHandle * data)
  memset((char *) &initappstr, 0, sizeof initappstr);
  initappstr.applicationID = certname;
  initappstr.applicationIDLen = strlen(certname);
  initappstr.protocol = SSL_VERSION_CURRENT;
  initappstr.protocol = TLSV1_SSLV3;
  initappstr.sessionType = SSL_REGISTERED_AS_CLIENT;
  rc = SSL_Init_Application(&initappstr);

@@ -190,7 +190,7 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)

  default:
  case CURL_SSLVERSION_DEFAULT:
    h->protocol = SSL_VERSION_CURRENT;
    h->protocol = TLSV1_SSLV3;
    break;

  case CURL_SSLVERSION_TLSv1:
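Review bot: `TLSV1_SSLV3` is now hard-coded in two places, the `initappstr.protocol` assignment in Curl_qsossl_init_session and the CURL_SSLVERSION_DEFAULT case in Curl_qsossl_handshake (second hunk), without a comment saying why `SSL_VERSION_CURRENT` was dropped; the rationale appears only in the OpenSSL hunk and the man page. I would add `/* default: SSLv3 and TLSv1 only, SSLv2 is disabled by default since 7.18.1 */` at the first site and a one-line cross-reference at the second, or name the value once in a file-level constant so the two cannot drift apart. Both enclosing functions begin and end outside the hunks; in particular the handling of `rc` after SSL_Init_Application is not visible here.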
+4 −0
@@ -1324,6 +1324,10 @@ ossl_connect_step1(struct connectdata *conn,
  */
  SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);

  /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
  if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
    SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2);

#if 0
  /*
   * Not sure it's needed to tell SSL_connect() that socket is
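Review bot: `SSL_OP_NO_SSLv2` only restricts negotiation when the context was created with a version-flexible method such as SSLv23_client_method; the method selection for CURL_SSLVERSION_DEFAULT happens above this hunk, so the new comment's "(i.e. allow SSLv3 and TLSv1)" is only true given that choice. I would make the dependency explicit: `/* disable SSLv2 in the default case; with the version-flexible method chosen above this leaves SSLv3 and TLSv1 negotiable */`. Setting SSL_OP_NO_SSLv2 after SSL_OP_ALL is fine since both SSL_CTX_set_options calls OR into the same option mask. ossl_connect_step1 continues past the `#if 0` block outside this hunk.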