Closed
Description
I did this
```
$ curl --tls-max 1.0 https://sprint.tobiipro.com
```
and then curl printed
```
* Trying 52.84.213.2...
* TCP_NODELAY set
* Connected to sprint.tobiipro.com (52.84.213.2) port 443 (#0)
* ALPN, offering http/1.1
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
...
```
I expected the following
I expected the connection to fail on the SSL handshake actually, because that server does not support TLS v1.0, as shown below:
```
$ nmap -p 443 --script ssl-enum-ciphers sprint.tobiipro.com
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-12 10:57 CET
Nmap scan report for sprint.tobiipro.com (52.84.213.2)
Host is up (0.0031s latency).
Other addresses for sprint.tobiipro.com (not scanned): 52.84.213.70 52.84.213.201 52.84.213.162

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 17.70 seconds
```
But it seems like `curl --tls-max 1.0 --tlsv1.0 https://sprint.tobiipro.com` works; however, it is not clear from the docs that --tls-max requires a --tlsv* argument as well.
Is this intentional? Because I see #2572 fixing the situation, so maybe this is a regression actually.
curl/libcurl version
```
curl 7.62.0 (x86_64-apple-darwin18.0.0) libcurl/7.62.0 SecureTransport zlib/1.2.11
Release-Date: 2018-10-31
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets
```
operating system
OSX Mojave
cc @tobiiasl
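As an added example (not from this issue or the curl project), a small shell check that reads the negotiated TLS version out of curl's verbose output instead of trusting the exit status, so a `--tls-max` cap that is silently ignored, as reported above, shows up as a violation rather than as a passing test. It assumes the two handshake line formats quoted here: the SecureTransport form (`* TLS 1.2 connection using ...`) and the OpenSSL form (`* SSL connection using TLSv1.2 / ...`); other TLS backends print different lines and would need their own pattern.

```shell
# Added example, not the curl project's own code. Verifies that a TLS
# version cap really took effect by parsing curl -v output. Assumed line
# formats: SecureTransport "* TLS 1.2 connection using <cipher>" and
# OpenSSL "* SSL connection using TLSv1.2 / <cipher>".

# negotiated_tls_version: read curl -v output on stdin and print the
# negotiated version as "major.minor"; print nothing if no handshake line.
negotiated_tls_version() {
    sed -n \
        -e 's/^\* TLS \([0-9]\.[0-9]\) connection using .*/\1/p' \
        -e 's/^\* SSL connection using TLSv\([0-9]\.[0-9]\).*/\1/p' \
        | head -n 1
}

# tls_version_within_cap NEGOTIATED CAP: return 0 if NEGOTIATED <= CAP,
# comparing major and minor numerically (so "1.2" > "1.0" but "1.2" <= "1.3").
tls_version_within_cap() {
    neg_major=${1%%.*}; neg_minor=${1#*.}
    cap_major=${2%%.*}; cap_minor=${2#*.}
    if [ "$neg_major" -lt "$cap_major" ]; then
        return 0
    elif [ "$neg_major" -eq "$cap_major" ] && [ "$neg_minor" -le "$cap_minor" ]; then
        return 0
    fi
    return 1
}

# check_tls_cap CAP URL: run curl with --tls-max CAP and report whether the
# version actually negotiated honours the cap. Exit 1 on a violation,
# 2 when no handshake line was found (handshake failed or unknown backend).
check_tls_cap() {
    cap=$1; url=$2
    out=$(curl -sv --tls-max "$cap" -o /dev/null "$url" 2>&1)
    negotiated=$(printf '%s\n' "$out" | negotiated_tls_version)
    if [ -z "$negotiated" ]; then
        echo "no TLS handshake line found for $url"
        return 2
    fi
    if tls_version_within_cap "$negotiated" "$cap"; then
        echo "ok: negotiated TLS $negotiated within cap $cap"
    else
        echo "VIOLATION: negotiated TLS $negotiated exceeds cap $cap"
        return 1
    fi
}

# Usage (network required): check_tls_cap 1.0 https://example.invalid/
```

Against the output quoted in this issue, the check reports a violation because TLS 1.2 was negotiated under a 1.0 cap; a client that honoured the cap would instead produce no handshake line and exit 2, which is the expected outcome for a server that does not offer TLS 1.0.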