I got the same result building from source revision 7645324 .
Since TLS 1.0 is the minimum version supported by this libcurl, if I instead write CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2, libcurl will use TLS <= 1.2 .
When libcurl 7.74 was made available to debian buster through a backport, TLS 1.3 was also enabled (with gnutls) (because of #5223 ). Some sites don't seem to work with buster's gnutls version (3.6.7) with TLS 1.3, so I want to disable it (see also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987188 ).
With openssl, CURL_SSLVERSION_MAX_TLSv1_2 does restrict TLS <= 1.2 .
Linux dc 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
The text was updated successfully, but these errors were encountered:
Previously, settting only the max allowed TLS version, leaving the
minimum one at default, didn't actually set it and left it to default
(TLS 1.3) too!
As a bonus, this change also removes the dead code handling of SSLv3
since that version can't be set anymore (since eff614f).
Reported-by: Daniel Carpenter