generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

OpenSSL: Fix forcing SSLv3 connections

Browse Source 
Some feedback provided by byte_bucket on IRC pointed out that commit
db11750cfa wasn’t really correct because it allows for “upgrading” to a
newer protocol when it should be only allowing for SSLv3.

This change fixes that.

When SSLv3 connection is forced, don't allow SSL negotiations for newer
versions.  Feedback provided by byte_bucket in #curl.  This behavior is
also consistent with the other force flags like --tlsv1.1 which doesn't
allow for TLSv1.2 negotiation, etc

Feedback-by: byte_bucket
Bug: http://curl.haxx.se/bug/view.cgi?id=1319
This commit is contained in:
Barry Abrahamson
2014-01-01 23:50:45 +01:00
committed by Daniel Stenberg
parent 303172d220
commit 4bb7400529
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
lib/vtls/openssl.c
View File

@@ -1551,7 +1551,6 @@ ossl_connect_step1(struct connectdata *conn,
switch(data->set.ssl.version) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_SSLv3:
ctx_options |= SSL_OP_NO_SSLv2;
#ifdef USE_TLS_SRP
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
@@ -1561,6 +1560,15 @@ ossl_connect_step1(struct connectdata *conn,
#endif
break;
case CURL_SSLVERSION_SSLv3:
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_TLSv1;
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
ctx_options |= SSL_OP_NO_TLSv1_1;
ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
break;
case CURL_SSLVERSION_TLSv1:
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3;