generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

SSL: Remove SSLv3 from SSL default due to POODLE attack

Browse Source 
- Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss,
openssl effectively making the default TLS 1.x. axTLS is not affected
since it supports only TLS, and gnutls is not affected since it already
defaults to TLS 1.x.

- Update CURLOPT_SSLVERSION doc
This commit is contained in:
Jay Satiro
2014-10-24 13:41:56 +02:00
committed by Daniel Stenberg
parent 2b04257491
commit ec783dc142
6 changed files with 17 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
lib/vtls/openssl.c
View File

@@ -1649,16 +1649,6 @@ ossl_connect_step1(struct connectdata *conn,
#endif
switch(data->set.ssl.version) {
case CURL_SSLVERSION_DEFAULT:
ctx_options |= SSL_OP_NO_SSLv2;
#ifdef USE_TLS_SRP
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
infof(data, "Set version TLSv1.x for SRP authorisation\n");
ctx_options |= SSL_OP_NO_SSLv3;
}
#endif
break;
case CURL_SSLVERSION_SSLv3:
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_TLSv1;
@@ -1668,6 +1658,12 @@ ossl_connect_step1(struct connectdata *conn,
#endif
break;
case CURL_SSLVERSION_DEFAULT:
#ifdef USE_TLS_SRP
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
infof(data, "Set version TLSv1.x for SRP authorisation\n");
}
#endif
case CURL_SSLVERSION_TLSv1:
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3;