OpenSSL: Fix forcing SSLv3 connections

Some feedback provided by byte_bucket on IRC pointed out that commit db11750cfa5b1 wasn’t really correct because it allows for “upgrading” to a newer protocol when it should be only allowing for SSLv3. This change fixes that. When SSLv3 connection is forced, don't allow SSL negotiations for newer versions. Feedback provided by byte_bucket in #curl. This behavior is also consistent with the other force flags like --tlsv1.1 which doesn't allow for TLSv1.2 negotiation, etc Feedback-by: byte_bucket Bug: http://curl.haxx.se/bug/view.cgi?id=1319
2014-01-01 23:50:45 +01:00 · 2014-01-01 23:50:45 +01:00 · 4bb7400529
commit 4bb7400529
parent 303172d220
1 changed files with 9 additions and 1 deletions
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@ -1551,7 +1551,6 @@ ossl_connect_step1(struct connectdata *conn,

  switch(data->set.ssl.version) {
  case CURL_SSLVERSION_DEFAULT:
-  case CURL_SSLVERSION_SSLv3:
    ctx_options |= SSL_OP_NO_SSLv2;
 #ifdef USE_TLS_SRP
    if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
@ -1561,6 +1560,15 @@ ossl_connect_step1(struct connectdata *conn,
 #endif
    break;

+  case CURL_SSLVERSION_SSLv3:
+    ctx_options |= SSL_OP_NO_SSLv2;
+    ctx_options |= SSL_OP_NO_TLSv1;
+#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
+    ctx_options |= SSL_OP_NO_TLSv1_1;
+    ctx_options |= SSL_OP_NO_TLSv1_2;
+#endif
+    break;
+
  case CURL_SSLVERSION_TLSv1:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;