CURL_SSLVERSION_MAX_TLS options are ignored by gnutls #6998

@dansebcar

I did this

I'm using libcurl in a C application. I want to use a TLS version <= 1.2, so I specify CURL_SSLVERSION_MAX_TLSv1_2. Here's a minimal example:

#include <stdio.h>
#include <curl/curl.h>

int main(int argc, char** argv)
{
	CURL* curl = curl_easy_init();
	if (!curl) {
		return 1;
	}
	/* Verbose output reports the negotiated TLS version */
	curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
	curl_easy_setopt(curl, CURLOPT_URL, "https://www.google.com/");

	/* Only a maximum version is set here; no minimum is given */
	curl_easy_setopt(curl, CURLOPT_SSLVERSION, (long)CURL_SSLVERSION_MAX_TLSv1_2);

	CURLcode res = curl_easy_perform(curl);
	if (res != CURLE_OK) {
		printf("Error: %s\n", curl_easy_strerror(res));
	}
	curl_easy_cleanup(curl);

	return (int)res;
}

I expected the following

When I ran the program, I expected to see SSL connection using TLS1.2, but instead I see SSL connection using TLS1.3.

curl/libcurl version

[curl -V output]

curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1d zlib/1.2.11 brotli/1.0.7 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2020-12-09
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

I got the same result building from source revision 7645324.

workaround

Since TLS 1.0 is the minimum version supported by this libcurl, if I instead write CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2, libcurl will use TLS <= 1.2.

background

When libcurl 7.74 was made available to debian buster through a backport, TLS 1.3 was also enabled (with gnutls) (because of #5223). Some sites don't seem to work with buster's gnutls version (3.6.7) with TLS 1.3, so I want to disable it (see also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987188).

With openssl, CURL_SSLVERSION_MAX_TLSv1_2 does restrict TLS <= 1.2.

operating system

debian buster
Linux dc 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
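
A regression check for the behaviour reported above, as an added example that is not part of the original issue or the curl project: it scans verbose output for the "SSL connection using TLS1.x" line and reports whether the negotiated version exceeds the requested maximum. The helper names are hypothetical and the sample lines are constructed; in a real test the lines would come from a CURLOPT_DEBUGFUNCTION callback.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of libcurl. Returns the minor version N of
   "TLS 1.N" from a verbose handshake line, or -1 if the line is not an
   "SSL connection using TLS..." message. */
int negotiated_tls_minor(const char *line)
{
	static const char marker[] = "SSL connection using TLS";
	const char *p = strstr(line, marker);
	if (!p)
		return -1;
	p += sizeof(marker) - 1;
	if (*p == 'v')  /* accept both "TLS1.3" and "TLSv1.3" spellings */
		p++;
	if (p[0] != '1' || p[1] != '.' || p[2] < '0' || p[2] > '3')
		return -1;
	if (p[3] >= '0' && p[3] <= '9')  /* reject e.g. "1.30" */
		return -1;
	return p[2] - '0';
}

/* 0: handshake seen and within the cap; 1: cap exceeded;
   -1: no handshake line found, so the cap could not be verified. */
int check_tls_cap(const char *const *lines, size_t n, int max_minor)
{
	int seen = 0;
	for (size_t i = 0; i < n; i++) {
		int minor = negotiated_tls_minor(lines[i]);
		if (minor < 0)
			continue;
		if (minor > max_minor)
			return 1;
		seen = 1;
	}
	return seen ? 0 : -1;
}

/* Constructed sample verbose output, not captured from a real run. */
static const char *const sample_ignored[] = {
	"* Connected to www.google.com port 443",
	"* SSL connection using TLS1.3 / ECDHE_RSA_AES_256_GCM_SHA384",
};
static const char *const sample_capped[] = { "* SSL connection using TLS1.2 / X" };

int main(void)
{
	printf("cap ignored:  %d\n", check_tls_cap(sample_ignored, 2, 2));
	printf("cap honoured: %d\n", check_tls_cap(sample_capped, 1, 2));
	return 0;
}
```

Treating the -1 result as a test failure keeps the check from passing silently when the handshake line is missing or its wording changes.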
