[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [gnurl] 128/163: openssl: make the requested TLS version th
From: |
gnunet |
Subject: |
[GNUnet-SVN] [gnurl] 128/163: openssl: make the requested TLS version the *minimum* wanted |
Date: |
Sun, 05 Aug 2018 12:37:34 +0200 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 6015cefb1b2cfde4b4850121c42405275e5e77d9
Author: Daniel Stenberg <address@hidden>
AuthorDate: Thu Jun 28 23:24:21 2018 +0200
openssl: make the requested TLS version the *minimum* wanted
The code treated the set version as the *exact* version to require in
the TLS handshake, which is not what other TLS backends do and probably
not what most people expect either.
Reported-by: Andreas Olsson
Assisted-by: Gaurav Malhotra
Fixes #2691
Closes #2694
---
docs/cmdline-opts/tlsv1.1.d | 2 +-
docs/cmdline-opts/tlsv1.2.d | 2 +-
docs/cmdline-opts/tlsv1.3.d | 2 +-
docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 42 +++++++++++++++++++---------------
lib/vtls/openssl.c | 14 ++++--------
5 files changed, 32 insertions(+), 30 deletions(-)
diff --git a/docs/cmdline-opts/tlsv1.1.d b/docs/cmdline-opts/tlsv1.1.d
index 9bfdc3536..a3c10edba 100644
--- a/docs/cmdline-opts/tlsv1.1.d
+++ b/docs/cmdline-opts/tlsv1.1.d
@@ -3,4 +3,4 @@ Help: Use TLSv1.1
Protocols: TLS
Added: 7.34.0
---
-Forces curl to use TLS version 1.1 when connecting to a remote TLS server.
+Forces curl to use TLS version 1.1 or later when connecting to a remote TLS
server.
diff --git a/docs/cmdline-opts/tlsv1.2.d b/docs/cmdline-opts/tlsv1.2.d
index 6db94dc8d..8879546b7 100644
--- a/docs/cmdline-opts/tlsv1.2.d
+++ b/docs/cmdline-opts/tlsv1.2.d
@@ -3,4 +3,4 @@ Help: Use TLSv1.2
Protocols: TLS
Added: 7.34.0
---
-Forces curl to use TLS version 1.2 when connecting to a remote TLS server.
+Forces curl to use TLS version 1.2 or later when connecting to a remote TLS
server.
diff --git a/docs/cmdline-opts/tlsv1.3.d b/docs/cmdline-opts/tlsv1.3.d
index 123589653..cf32e3928 100644
--- a/docs/cmdline-opts/tlsv1.3.d
+++ b/docs/cmdline-opts/tlsv1.3.d
@@ -3,7 +3,7 @@ Help: Use TLSv1.3
Protocols: TLS
Added: 7.52.0
---
-Forces curl to use TLS version 1.3 when connecting to a remote TLS server.
+Forces curl to use TLS version 1.3 or later when connecting to a remote TLS
server.
Note that TLS 1.3 is only supported by a subset of TLS backends. At the time
of this writing, they are BoringSSL, NSS, and Secure Transport (on iOS 11 or
diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
index 807057be5..f9b982ac1 100644
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
@@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <address@hidden>, et al.
+.\" * Copyright (C) 1998 - 2015, 2018, Daniel Stenberg, <address@hidden>, et
al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
@@ -28,49 +28,55 @@ CURLOPT_SSLVERSION \- set preferred TLS/SSL version
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLVERSION, long version);
.SH DESCRIPTION
-Pass a long as parameter to control which version of SSL/TLS to attempt to
+Pass a long as parameter to control which version range of SSL/TLS versions to
use.
+The SSL and TLS versions have typically developed from the most insecure
+version to be more and more secure in this order through history: SSL v2,
+SSLv3, TLS v1.0, TSL v1.1, TSL v1.2 and the most recent TLS v1.3.
+
Use one of the available defines for this purpose. The available options are:
.RS
.IP CURL_SSLVERSION_DEFAULT
-The default action. This will attempt to figure out the remote SSL protocol
-version.
+The default acceptable version range. The mimimum acceptable version is by
+default TLS 1.0 since 7.39.0 (unless the TLS library has a stricter rule).
.IP CURL_SSLVERSION_TLSv1
-TLSv1.x
+TLS v1.0 or later
.IP CURL_SSLVERSION_SSLv2
-SSLv2
+SSL v2 (but not SSLv3)
.IP CURL_SSLVERSION_SSLv3
-SSLv3
+SSL v3 (but not SSLv2)
.IP CURL_SSLVERSION_TLSv1_0
-TLSv1.0 (Added in 7.34.0)
+TLS v1.0 or later (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_1
-TLSv1.1 (Added in 7.34.0)
+TLS v1.1 or later (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_2
-TLSv1.2 (Added in 7.34.0)
+TLS v1.2 or later (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_3
-TLSv1.3 (Added in 7.52.0)
+TLS v1.3 or later (Added in 7.52.0)
.RE
+
The maximum TLS version can be set by using \fIone\fP of the
CURL_SSLVERSION_MAX_ macros below. It is also possible to OR \fIone\fP of the
CURL_SSLVERSION_ macros with \fIone\fP of the CURL_SSLVERSION_MAX_ macros.
The MAX macros are not supported for SSL backends axTLS or wolfSSL.
.RS
.IP CURL_SSLVERSION_MAX_DEFAULT
-The flag defines the maximum supported TLS version as TLSv1.2, or the default
-value from the SSL library.
-(Added in 7.54.0)
+The flag defines the maximum supported TLS version by libcurl, or the default
+value from the SSL library is used. libcurl will use a sensible default
+maximum, which was TLS 1.2 up to before 7.61.0 and is TLS 1.3 since then -
+assuming the TLS library support it. (Added in 7.54.0)
.IP CURL_SSLVERSION_MAX_TLSv1_0
-The flag defines maximum supported TLS version as TLSv1.0.
+The flag defines maximum supported TLS version as TLS v1.0.
(Added in 7.54.0)
.IP CURL_SSLVERSION_MAX_TLSv1_1
-The flag defines maximum supported TLS version as TLSv1.1.
+The flag defines maximum supported TLS version as TLS v1.1.
(Added in 7.54.0)
.IP CURL_SSLVERSION_MAX_TLSv1_2
-The flag defines maximum supported TLS version as TLSv1.2.
+The flag defines maximum supported TLS version as TLS v1.2.
(Added in 7.54.0)
.IP CURL_SSLVERSION_MAX_TLSv1_3
-The flag defines maximum supported TLS version as TLSv1.3.
+The flag defines maximum supported TLS version as TLS v1.3.
(Added in 7.54.0)
.RE
.SH DEFAULT
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 225b4cbd1..fc2e4ac08 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2078,10 +2078,6 @@ set_ssl_version_min_max(long *ctx_options, struct
connectdata *conn,
long ssl_version = SSL_CONN_CONFIG(version);
long ssl_version_max = SSL_CONN_CONFIG(version_max);
- if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) {
- ssl_version_max = ssl_version << 16;
- }
-
switch(ssl_version) {
case CURL_SSLVERSION_TLSv1_3:
#ifdef TLS1_3_VERSION
@@ -2113,8 +2109,7 @@ set_ssl_version_min_max(long *ctx_options, struct
connectdata *conn,
#endif
/* FALLTHROUGH */
case CURL_SSLVERSION_TLSv1_0:
- *ctx_options |= SSL_OP_NO_SSLv2;
- *ctx_options |= SSL_OP_NO_SSLv3;
+ case CURL_SSLVERSION_TLSv1:
break;
}
@@ -2337,13 +2332,14 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
- ctx_options |= SSL_OP_NO_SSLv2;
- ctx_options |= SSL_OP_NO_SSLv3;
- /* FALLTHROUGH */
case CURL_SSLVERSION_TLSv1_0:
case CURL_SSLVERSION_TLSv1_1:
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
+ /* asking for any TLS version as the minimum, means no SSL versions
+ allowed */
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
result = set_ssl_version_min_max(&ctx_options, conn, sockindex);
if(result != CURLE_OK)
return result;
--
To stop receiving notification emails like this one, please contact
address@hidden
- [GNUnet-SVN] [gnurl] 112/163: CURLOPT_SSL_VERIFYPEER.3: Add performance note, (continued)
- [GNUnet-SVN] [gnurl] 112/163: CURLOPT_SSL_VERIFYPEER.3: Add performance note, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 88/163: TODO: "Option to refuse usernames in URLs" done, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 126/163: openssl: allow TLS 1.3 by default, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 61/163: KNOWN_BUGS: CURL_GLOBAL_SSL, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 57/163: option: disallow username in URL, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 102/163: runtests.pl: remove debug leftover from bb9a340c73f3, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 87/163: Curl_init_do: handle NULL connection pointer passed in, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 146/163: scripts: include _curl as part of CLEANFILES, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 105/163: travis: run more tests for coverage check, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 99/163: RELEASE-PROCEDURE: gpg sign the tags, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 128/163: openssl: make the requested TLS version the *minimum* wanted,
gnunet <=
- [GNUnet-SVN] [gnurl] 65/163: CURLOPT_RESOLVE: always purge old entry first, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 76/163: mk-ca-bundle.pl: leave certificate name untouched in decode(), gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 92/163: KNOWN_BUGS: NTLM doen't support password with ยง character, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 94/163: configure: use pkg-config for c-ares detection, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 98/163: RELEASE-NOTES: synced, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 93/163: GOVERNANCE.md: explains how this project is run, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 101/163: curl-confopts.m4: fix typo from ed224f23d5beb, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 153/163: lib/curl_setup.h: remove unicode bom from 8272ec50f02, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 134/163: DEPRECATE: mention the PR that disabled axTLS, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 133/163: docs/DEPRECATE.md: spelling and minor formatting, gnunet, 2018/08/05