SSL: Remove SSLv3 from SSL default due to POODLE attack
- Remove SSLv3 from the SSL default in darwinssl, schannel, cyassl, nss and openssl, effectively making the default TLS 1.x. axTLS is not affected since it supports only TLS, and gnutls is not affected since it already defaults to TLS 1.x.
- Update CURLOPT_SSLVERSION doc
parent
2b04257491
commit
ec783dc142
@ -35,7 +35,7 @@ Use one of the available defines for this purpose. The available options are:
|
||||
.RS
|
||||
.IP CURL_SSLVERSION_DEFAULT
|
||||
The default action. This will attempt to figure out the remote SSL protocol
|
||||
version, i.e. either SSLv3 or TLSv1
|
||||
version.
|
||||
.IP CURL_SSLVERSION_TLSv1
|
||||
TLSv1.x
|
||||
.IP CURL_SSLVERSION_SSLv2
|
||||
@ -69,6 +69,8 @@ if(curl) {
|
||||
.SH AVAILABILITY
|
||||
SSLv2 is disabled by default since 7.18.1. Other SSL versions availability may
|
||||
vary depending on which backend libcurl has been built to use.
|
||||
|
||||
SSLv3 is disabled by default since 7.39.0.
|
||||
.SH RETURN VALUE
|
||||
Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
|
||||
.SH "SEE ALSO"
|
||||
|
@ -1057,10 +1057,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
|
||||
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
|
||||
if(SSLSetProtocolVersionMax != NULL) {
|
||||
switch(data->set.ssl.version) {
|
||||
case CURL_SSLVERSION_DEFAULT: default:
|
||||
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
|
||||
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
|
||||
break;
|
||||
default:
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
|
||||
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
|
||||
@ -1096,20 +1094,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
|
||||
kSSLProtocolAll,
|
||||
false);
|
||||
switch (data->set.ssl.version) {
|
||||
case CURL_SSLVERSION_DEFAULT: default:
|
||||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
||||
kSSLProtocol3,
|
||||
true);
|
||||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
||||
kTLSProtocol1,
|
||||
true);
|
||||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
||||
kTLSProtocol11,
|
||||
true);
|
||||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
||||
kTLSProtocol12,
|
||||
true);
|
||||
break;
|
||||
default:
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
||||
kTLSProtocol1,
|
||||
@ -1158,13 +1144,6 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
|
||||
switch(data->set.ssl.version) {
|
||||
default:
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
||||
kSSLProtocol3,
|
||||
true);
|
||||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
||||
kTLSProtocol1,
|
||||
true);
|
||||
break;
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
case CURL_SSLVERSION_TLSv1_0:
|
||||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
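Review bot: The result of `SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1)` in the merged `default:` / `CURL_SSLVERSION_DEFAULT` / `CURL_SSLVERSION_TLSv1` arm of the first switch is still discarded with `(void)`. That call is now the only thing keeping SSLv3 out of a default connection on this path, so a failure should stop the connect rather than leave the context on whatever protocol range the framework starts with (not visible here, so confirm). Something like `if(SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1) != noErr) return CURLE_SSL_CONNECT_ERROR;` would make it fail closed. In the second hunk the protocols are first switched off with `kSSLProtocolAll, false`, so an ignored error there only narrows the enabled set. darwinssl_connect_step1 starts and ends outside these hunks.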
|
||||
|
@ -164,6 +164,8 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
|
||||
}
|
||||
|
||||
switch(data->set.ssl.version) {
|
||||
default:
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT |
|
||||
SP_PROT_TLS1_1_CLIENT |
|
||||
@ -184,12 +186,6 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
|
||||
case CURL_SSLVERSION_SSLv2:
|
||||
schannel_cred.grbitEnabledProtocols = SP_PROT_SSL2_CLIENT;
|
||||
break;
|
||||
default:
|
||||
schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT |
|
||||
SP_PROT_TLS1_1_CLIENT |
|
||||
SP_PROT_TLS1_2_CLIENT |
|
||||
SP_PROT_SSL3_CLIENT;
|
||||
break;
|
||||
}
|
||||
|
||||
/* allocate memory for the re-usable credential handle */
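Review bot: The merged `default:` / `case CURL_SSLVERSION_DEFAULT:` / `case CURL_SSLVERSION_TLSv1:` labels carry no comment saying why `SP_PROT_SSL3_CLIENT` is absent from the mask, and the old trailing `default:` arm that included it is gone. A one-line comment above the labels, e.g. `/* default: TLS 1.x only; SSLv3 is off by default because of POODLE */`, would keep a later edit from re-adding the flag for compatibility reasons. The same comment would fit the default arms of the darwinssl switches in this commit. schannel_connect_step1 extends beyond both hunks.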
|
||||
|
@ -99,10 +99,8 @@ cyassl_connect_step1(struct connectdata *conn,
|
||||
|
||||
/* check to see if we've been told to use an explicit SSL/TLS version */
|
||||
switch(data->set.ssl.version) {
|
||||
default:
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
/* we try to figure out version */
|
||||
req_method = SSLv23_client_method();
|
||||
break;
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
|
||||
"TLS 1.0 is used exclusively\n");
|
||||
@ -120,8 +118,6 @@ cyassl_connect_step1(struct connectdata *conn,
|
||||
case CURL_SSLVERSION_SSLv3:
|
||||
req_method = SSLv3_client_method();
|
||||
break;
|
||||
default:
|
||||
req_method = TLSv1_client_method();
|
||||
}
|
||||
|
||||
if(!req_method) {
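Review bot: With `default:` and `case CURL_SSLVERSION_DEFAULT:` now sharing the `CURL_SSLVERSION_TLSv1` arm, a default connection is pinned to what that arm's own message calls "TLS 1.0 is used exclusively", where the removed `SSLv23_client_method()` line let the library negotiate. That is narrower than the "TLS 1.x" default the commit message describes, and servers that require TLS 1.1 or 1.2 will presumably fail to connect with this backend. The `infof()` text will also be logged for every default connection, although it reads as a reply to an explicit TLSv1 request. If CyaSSL offers no way to keep negotiation while excluding SSLv3, say so on the arm, e.g. `/* CyaSSL cannot express "TLS 1.0 or later"; the default is TLS 1.0 only */`, and mention the limitation in the CURLOPT_SSLVERSION page. cyassl_connect_step1 continues outside both hunks.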
|
||||
|
@ -1345,15 +1345,8 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
|
||||
switch (data->set.ssl.version) {
|
||||
default:
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
sslver->min = SSL_LIBRARY_VERSION_3_0;
|
||||
if(data->state.ssl_connect_retry) {
|
||||
infof(data, "TLS disabled due to previous handshake failure\n");
|
||||
sslver->max = SSL_LIBRARY_VERSION_3_0;
|
||||
return CURLE_OK;
|
||||
}
|
||||
/* intentional fall-through to default to highest TLS version if possible */
|
||||
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
#ifdef SSL_LIBRARY_VERSION_TLS_1_2
|
||||
sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
|
||||
#elif defined SSL_LIBRARY_VERSION_TLS_1_1
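Review bot: After this hunk `nss_init_sslver` no longer reads `data->state.ssl_connect_retry` in the lines shown; its visible use was in the removed `CURL_SSLVERSION_DEFAULT` branch that capped the range at `SSL_LIBRARY_VERSION_3_0`. If other code still sets that flag and reconnects after a failed handshake (not visible here), the retry now repeats the same TLS range and only costs a second connection. The flag and the reconnect path should be removed in the same series, or a comment such as `/* ssl_connect_retry is no longer honoured: no fallback to SSLv3 */` added at the merged labels until they are. The function continues past the end of the hunk.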
|
||||
|
@ -1649,16 +1649,6 @@ ossl_connect_step1(struct connectdata *conn,
|
||||
#endif
|
||||
|
||||
switch(data->set.ssl.version) {
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
ctx_options |= SSL_OP_NO_SSLv2;
|
||||
#ifdef USE_TLS_SRP
|
||||
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
|
||||
infof(data, "Set version TLSv1.x for SRP authorisation\n");
|
||||
ctx_options |= SSL_OP_NO_SSLv3;
|
||||
}
|
||||
#endif
|
||||
break;
|
||||
|
||||
case CURL_SSLVERSION_SSLv3:
|
||||
ctx_options |= SSL_OP_NO_SSLv2;
|
||||
ctx_options |= SSL_OP_NO_TLSv1;
|
||||
@ -1668,6 +1658,12 @@ ossl_connect_step1(struct connectdata *conn,
|
||||
#endif
|
||||
break;
|
||||
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
#ifdef USE_TLS_SRP
|
||||
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
|
||||
infof(data, "Set version TLSv1.x for SRP authorisation\n");
|
||||
}
|
||||
#endif
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
ctx_options |= SSL_OP_NO_SSLv2;
|
||||
ctx_options |= SSL_OP_NO_SSLv3;
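Review bot: The re-added `case CURL_SSLVERSION_DEFAULT:` in the second hunk falls through into `case CURL_SSLVERSION_TLSv1:` with nothing marking it, and the `#ifdef USE_TLS_SRP` block between the two labels makes the arm look self-contained. Add `/* fall through: the default is the same as TLSv1 */` before the TLSv1 label. The SRP `infof()` is now informational only, since `SSL_OP_NO_SSLv3` is set for every default connection, so its wording could be dropped or changed. The other backends in this commit route `default:` to the TLS arm; no `default:` label is visible in these hunks, so check that an unexpected `data->set.ssl.version` cannot leave `ctx_options` without `SSL_OP_NO_SSLv3`. ossl_connect_step1 extends beyond both hunks.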
|
||||
|