generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

applied patch to disable SSLv2 by default; discussion:

Browse Source 
http://sourceforge.net/tracker/index.php?func=detail&aid=1767276&group_id=976&atid=350976
Submitted by Kaspar Brand.
This commit is contained in:
Gunter Knauf 2008-02-19 23:10:07 +00:00
parent 0cae201044
commit f9a6062081
4 changed files with 13 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/libcurl/curl_easy_setopt.3
View File

@ -1379,10 +1379,9 @@ Pass a long as parameter to control what version of SSL/TLS to attempt to use.
The available options are: The available options are:
.RS .RS
.IP CURL_SSLVERSION_DEFAULT .IP CURL_SSLVERSION_DEFAULT
The default action. When libcurl built with OpenSSL or NSS, this will attempt The default action. This will attempt to figure out the remote SSL protocol
to figure out the remote SSL protocol version. Unfortunately there are a lot of version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
ancient and broken servers in use which cannot handle this technique and will by default with 7.18.1).
fail to connect. When libcurl is built with GnuTLS, this will mean SSLv3.
.IP CURL_SSLVERSION_TLSv1 .IP CURL_SSLVERSION_TLSv1
Force TLSv1 Force TLSv1
.IP CURL_SSLVERSION_SSLv2 .IP CURL_SSLVERSION_SSLv2

5
lib/nss.c
View File

@ -873,7 +873,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
switch (data->set.ssl.version) { switch (data->set.ssl.version) {
default: default:
case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_DEFAULT:
ssl2 = ssl3 = tlsv1 = PR_TRUE; ssl3 = tlsv1 = PR_TRUE;
break; break;
case CURL_SSLVERSION_TLSv1: case CURL_SSLVERSION_TLSv1:
tlsv1 = PR_TRUE; tlsv1 = PR_TRUE;
@ -893,6 +893,9 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess) if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
goto error; goto error;
if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
goto error;
if(data->set.ssl.cipher_list) { if(data->set.ssl.cipher_list) {
if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) { if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
curlerr = CURLE_SSL_CIPHER; curlerr = CURLE_SSL_CIPHER;

4
lib/qssl.c
View File

@ -90,7 +90,7 @@ static CURLcode Curl_qsossl_init_session(struct SessionHandle * data)
memset((char *) &initappstr, 0, sizeof initappstr); memset((char *) &initappstr, 0, sizeof initappstr);
initappstr.applicationID = certname; initappstr.applicationID = certname;
initappstr.applicationIDLen = strlen(certname); initappstr.applicationIDLen = strlen(certname);
initappstr.protocol = SSL_VERSION_CURRENT; initappstr.protocol = TLSV1_SSLV3;
initappstr.sessionType = SSL_REGISTERED_AS_CLIENT; initappstr.sessionType = SSL_REGISTERED_AS_CLIENT;
rc = SSL_Init_Application(&initappstr); rc = SSL_Init_Application(&initappstr);
@ -190,7 +190,7 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
default: default:
case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_DEFAULT:
h->protocol = SSL_VERSION_CURRENT; h->protocol = TLSV1_SSLV3;
break; break;
case CURL_SSLVERSION_TLSv1: case CURL_SSLVERSION_TLSv1:

4
lib/ssluse.c
View File

@ -1324,6 +1324,10 @@ ossl_connect_step1(struct connectdata *conn,
*/ */
SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL); SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);
/* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2);
#if 0 #if 0
/* /*
* Not sure it's needed to tell SSL_connect() that socket is * Not sure it's needed to tell SSL_connect() that socket is