Previously, setting only the max allowed TLS version, leaving the
minimum one at default, didn't actually set it and left it to default
(TLS 1.3) too!
As a bonus, this change also removes the dead code handling of SSLv3
since that version can't be set anymore (since eff614f).
Reported-by: Daniel Carpenter
Fixes #6998
I did this
I'm using libcurl in a C application. I want to use a TLS version <= 1.2, so I specify CURL_SSLVERSION_MAX_TLSv1_2. Here's a minimal example:
I expected the following
When I ran the program, I expected to see "SSL connection using TLS1.2", but instead I see "SSL connection using TLS1.3".
curl/libcurl version
[curl -V output]
curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1d zlib/1.2.11 brotli/1.0.7 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2020-12-09
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
I got the same result building from source revision 7645324.
workaround
Since TLS 1.0 is the minimum version supported by this libcurl, if I instead write CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2, libcurl will use TLS <= 1.2.
background
When libcurl 7.74 was made available to debian buster through a backport, TLS 1.3 was also enabled (with gnutls) (because of #5223). Some sites don't seem to work with buster's gnutls version (3.6.7) with TLS 1.3, so I want to disable it (see also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987188).
With openssl, CURL_SSLVERSION_MAX_TLSv1_2 does restrict TLS <= 1.2.
operating system
debian buster
Linux dc 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
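The workaround above works because CURLOPT_SSLVERSION packs the minimum version into the low 16 bits and the maximum into the high 16 bits. The following is an added example, not code from the issue or from the curl project: it detects a "cap without explicit minimum" value and rewrites it the way the workaround does. The EX_ names and helper functions are hypothetical; the numeric values mirror the CURL_SSLVERSION_* enums in curl/curl.h so the block builds without libcurl.

```c
#include <stdio.h>

/* Assumption: values mirror CURL_SSLVERSION_* in <curl/curl.h>, redefined
   under hypothetical EX_ names so this builds without the libcurl headers. */
enum { EX_DEFAULT = 0, EX_TLSv1_0 = 4, EX_TLSv1_1 = 5, EX_TLSv1_2 = 6, EX_TLSv1_3 = 7 };

/* Same shape as CURL_SSLVERSION_MAX_TLSv1_2 == (CURL_SSLVERSION_TLSv1_2 << 16). */
#define EX_MAX(v) ((long)(v) << 16)

/* Low 16 bits: minimum version. High 16 bits: maximum version. */
static long ex_min_part(long opt) { return opt & 0xffffL; }
static long ex_max_part(long opt) { return (opt >> 16) & 0xffffL; }

/* Returns 1 for the pattern from the report: a maximum is requested
   while the minimum is left at its default. */
static int ex_cap_without_min(long opt)
{
    return ex_max_part(opt) != 0 && ex_min_part(opt) == EX_DEFAULT;
}

/* Applies the workaround: pin the minimum to TLS 1.0 when only a cap
   was given; values that already carry a minimum pass through unchanged. */
static long ex_with_explicit_min(long opt)
{
    return ex_cap_without_min(opt) ? (opt | EX_TLSv1_0) : opt;
}

int main(void)
{
    long reported = EX_MAX(EX_TLSv1_2);            /* cap only, as in the report */
    long pinned = ex_with_explicit_min(reported);  /* workaround form */

    printf("reported: 0x%05lx cap-without-min=%d\n",
           (unsigned long)reported, ex_cap_without_min(reported));
    printf("pinned:   0x%05lx min=%ld max=%ld\n",
           (unsigned long)pinned, ex_min_part(pinned), ex_max_part(pinned));
    /* In a real program the pinned value would be passed as:
       curl_easy_setopt(handle, CURLOPT_SSLVERSION, pinned); */
    return 0;
}
```

The verbose "SSL connection using" line quoted in the report remains the way to confirm which version was actually negotiated on a given build.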