Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CURL_SSLVERSION_MAX_TLS options are ignored by gnutls #6998

Closed
dansebcar opened this issue May 4, 2021 · 0 comments
Closed

CURL_SSLVERSION_MAX_TLS options are ignored by gnutls #6998

dansebcar opened this issue May 4, 2021 · 0 comments
Assignees
Labels

Comments

@dansebcar
Copy link

@dansebcar dansebcar commented May 4, 2021

I did this

I'm using libcurl in a C application. I want to use a TLS version <= 1.2, so I specify CURL_SSLVERSION_MAX_TLSv1_2. Here's a minimal example:

#include <curl/curl.h>

int main(int argc, char** argv)
{
	CURL* curl = curl_easy_init();
	curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
	curl_easy_setopt(curl, CURLOPT_URL, "https://www.google.com/");

	curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_MAX_TLSv1_2);

	CURLcode res = curl_easy_perform(curl);
	if (res != CURLE_OK) {
		printf("Error: %s\n", curl_easy_strerror(res));
	}
	curl_easy_cleanup(curl);

	return (int)res;
}

I expected the following

When I ran the program, I expected to see SSL connection using TLS1.2, but instead I see SSL connection using TLS1.3.

curl/libcurl version

[curl -V output]

curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1d zlib/1.2.11 brotli/1.0.7 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2020-12-09
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

I got the same result building from source revision 7645324 .

workaround

Since TLS 1.0 is the minimum version supported by this libcurl, if I instead write CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2, libcurl will use TLS <= 1.2 .

background

When libcurl 7.74 was made available to debian buster through a backport, TLS 1.3 was also enabled (with gnutls) (because of #5223 ). Some sites don't seem to work with buster's gnutls version (3.6.7) with TLS 1.3, so I want to disable it (see also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987188 ).

With openssl, CURL_SSLVERSION_MAX_TLSv1_2 does restrict TLS <= 1.2 .

operating system

debian buster
Linux dc 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux

@bagder bagder added the SSL/TLS label May 4, 2021
@bagder bagder self-assigned this May 4, 2021
bagder added a commit that referenced this issue May 4, 2021
Previously, settting only the max allowed TLS version, leaving the
minimum one at default, didn't actually set it and left it to default
(TLS 1.3) too!

As a bonus, this change also removes the dead code handling of SSLv3
since that version can't be set anymore (since eff614f).

Reported-by: Daniel Carpenter
Fixes #6998
@bagder bagder closed this in 781864b May 5, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

2 participants