Added flags CURL_SSLVERSION_OR_UP_TO_* to CURLOPT_SSLVERSION #1166

Closed

Changes from 4 commits (of 25)
21143bc
tls-max: Added flags CURL_SSLVERSION_OR_UP_TO_* to CURLOPT_SSLVERSION
Dec 13, 2016
03918ee
fix of SPACEBEFOREPAREN
Dec 17, 2016
8a5b3ab
added missing symbols in versions:
Dec 17, 2016
007fc8c
fix documentation and added curl.1
Dec 17, 2016
d90c799
fix of help: renamed up-to-tls-tlsv to up-to-tlsv
Dec 17, 2016
b48f5cb
refactoring tool curl: tls-max instead of up-to-tls*
Dec 18, 2016
c38fb2a
refactor: rename CURL_SSLVERSION_OR_UP_TO* to CURL_SSLVERSION_MAX*
Dec 19, 2016
dc572c9
refactoring: remove recursion from set_ssl_version_min_max
Dec 20, 2016
e4ae8ba
Added flags CURL_SSLVERSION_OR_UP_TO_* to CURLOPT_SSLVERSION
Dec 13, 2016
1521c82
Removing unnecessary sentences about minimum SSL versions
Jan 23, 2017
f43ce22
Renaming GET/SET_CURL_SSLVERSION to CURL_GET/SET_SSLVERSION
Jan 23, 2017
2526749
CURL_SSLVERSION_MAX_DEFAULT with own value.
Jan 23, 2017
6cd599d
Added recent documentation
Jan 23, 2017
352116f
Added missing symbols (symbols-in-versions)
Jan 24, 2017
f28e480
Fix of documentation
Jan 25, 2017
8d5756e
Removing docs/curl.1
Jan 26, 2017
f178c42
removed macro CURL_SET_SSLVERSION_MAX
Jan 27, 2017
a218844
CURL_GET_SSLVERSION, CURL_GET_SSLVERSION removed
Jan 27, 2017
fbdab0a
curl.h: assign CURL_SSLVERSION_MAX_* constants systematically
kdudka Feb 1, 2017
0523638
nss: simplify the code of SSL version mapping
kdudka Feb 1, 2017
0b7992f
simplify sets min, max of ssl version in ssl libraries
Feb 3, 2017
426d1cd
fix of shifts
Feb 3, 2017
9812598
fix of doc: added CURL_SSLVERSION_MAX_TLSv1_0
Feb 3, 2017
5a2477f
use first member to calc size of array
Feb 3, 2017
ff5bb77
fix of windows compilation
Feb 11, 2017
13 changes: 13 additions & 0 deletions docs/cmdline-opts/up-to-tls-default.d
@@ -0,0 +1,13 @@
Long: up-to-tls-default
Tags: Versions
Protocols: SSL
Added: 7.53.0
Mutexed: up-to-tlsv1.1 up-to-tlsv1.2 up-to-tlsv1.3
Requires: TLS
See-also: tlsv1.0 tlsv1.1
Help: Use TLSv1.0 or greater
---
Use TLS up to recommended TLS version.

It defines a range of supported TLS versions. The minimum must be defined by
tlsv1.0 or tlsv1.1 and the maximum is defined by this argument.
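Review bot: The Help line "Use TLSv1.0 or greater" describes the minimum-version options, not this one, and the same string is repeated in every up-to-* file, so --help will list four options with identical text; something like "Use TLS up to the recommended version" matches the body. In the body, "Use TLS up to recommended TLS version." should also say which version the recommended maximum resolves to (the CURLOPT_SSLVERSION.3 change in this PR equates it with TLSv1.2), and "It defines a range" reads better as "This option defines a range".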
13 changes: 13 additions & 0 deletions docs/cmdline-opts/up-to-tlsv1.1.d
@@ -0,0 +1,13 @@
Long: up-to-tlsv1.1
Tags: Versions
Protocols: SSL
Added: 7.53.0
Mutexed: up-to-tls-default up-to-tlsv1.2 up-to-tlsv1.3
Requires: TLS
See-also: tlsv1.0
Help: Use TLSv1.0 or greater
---
Use TLS up to TLSv1.1.

It defines a range of supported TLS versions. The minimum must be defined by
tlsv1.0 and the maximum is defined by this argument.
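Review bot: Help should state the maximum this option sets, e.g. "Use TLS up to TLSv1.1"; "Use TLSv1.0 or greater" is the text of the minimum-version options. Since the body requires the minimum to be tlsv1.0, combining this option with tlsv1.1, tlsv1.2 or tlsv1.3 is contradictory, so consider listing those under Mutexed as well, or document what happens when the requested minimum exceeds the maximum.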
13 changes: 13 additions & 0 deletions docs/cmdline-opts/up-to-tlsv1.2.d
@@ -0,0 +1,13 @@
Long: up-to-tlsv1.2
Tags: Versions
Protocols: SSL
Added: 7.53.0
Mutexed: up-to-tls-default up-to-tlsv1.1 up-to-tlsv1.3
Requires: TLS
See-also: tlsv1.0 tlsv1.1
Help: Use TLSv1.0 or greater
---
Use TLS up to TLSv1.2.

It defines a range of supported TLS versions. The minimum must be defined by
tlsv1.0 or tlsv1.1 and the maximum is defined by this argument.
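Review bot: Same Help problem as the other up-to-* files: "Use TLSv1.0 or greater" does not describe a maximum, "Use TLS up to TLSv1.2" would. The body should also settle whether tlsv1.2 as the minimum together with this option (a single-version range) is allowed; if it is not, Mutexed should list tlsv1.2 and tlsv1.3.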
14 changes: 14 additions & 0 deletions docs/cmdline-opts/up-to-tlsv1.3.d
@@ -0,0 +1,14 @@
Long: up-to-tlsv1.3
Tags: Versions
Protocols: SSL
Added: 7.53.0
Mutexed: up-to-tls-default up-to-tlsv1.1 up-to-tlsv1.2
Requires: TLS
See-also: tlsv1.0 tlsv1.1 tlsv1.2
Help: Use TLSv1.0 or greater
---
Use TLS up to TLSv1.3.

It defines a range of supported TLS versions. The minimum must be defined by
tlsv1.0 or tlsv1.1 or tlsv1.2 and the maximum is defined by this
argument.
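Review bot: Help again reads "Use TLSv1.0 or greater" where it should describe the cap ("Use TLS up to TLSv1.3"). Whether a TLSv1.3 maximum is honoured depends on the TLS backend: in this PR axTLS and CyaSSL reject any maximum outright and DarwinSSL fails on TLS 1.3, so the body text should say that backend support is required rather than imply the range is always available.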
2,726 changes: 2,726 additions & 0 deletions docs/curl.1

Large diffs are not rendered by default.
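Review bot: docs/curl.1 is generated from docs/cmdline-opts/*.d by the cmdline-opts generator, so committing a 2,726-line copy here will go stale and conflict with every other branch touching the options; drop it from the PR and let the build produce it (the later commit "Removing docs/curl.1" in this series does exactly that).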

17 changes: 15 additions & 2 deletions docs/libcurl/opts/CURLOPT_SSLVERSION.3
Expand Up @@ -50,6 +50,18 @@ TLSv1.1 (Added in 7.34.0)
TLSv1.2 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_3
TLSv1.3 (Added in 7.52.0)
.IP CURL_SSLVERSION_OR_UP_TO_DEFAULT
Use as flag with CURL_SSLVERSION_TLSv1_x and behavior is same as
CURL_SSLVERSION_OR_UP_TO_TLSv1_2.
.IP CURL_SSLVERSION_OR_UP_TO_TLSv1_1
Use this flag with CURL_SSLVERSION_TLSv1_0 and it means
TLSv1.0-TLSv1.1 (Added in 7.53.0)
.IP CURL_SSLVERSION_OR_UP_TO_TLSv1_2
Use this flag with CURL_SSLVERSION_TLSv1_0/CURL_SSLVERSION_TLSv1_1
and it is means TLSv1.x-TLSv1.2 (Added in 7.53.0)
.IP CURL_SSLVERSION_OR_UP_TO_TLSv1_3
Use this flag with CURL_SSLVERSION_TLSv1_0/CURL_SSLVERSION_TLSv1_1/
CURL_SSLVERSION_TLSv1_2 and it is means TLSv1.x-TLSv1.3 (Added in 7.53.0)
.RE
.SH DEFAULT
CURL_SSLVERSION_DEFAULT
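Review bot: The new .IP entries need a wording pass before this ships as man page text: "Use as flag with CURL_SSLVERSION_TLSv1_x and behavior is same as" and the two occurrences of "and it is means" are not grammatical. Suggested form for each: "OR this flag into CURL_SSLVERSION_TLSv1_0 or CURL_SSLVERSION_TLSv1_1 to allow TLSv1.x up to TLSv1.2 (Added in 7.53.0)". The entry for CURL_SSLVERSION_OR_UP_TO_DEFAULT should also say that it is the library's recommended maximum rather than only aliasing TLSv1_2, and the header adds CURL_SSLVERSION_OR_UP_TO_TLSv1_0, which is not documented here at all.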
Expand All @@ -61,8 +73,9 @@ CURL *curl = curl_easy_init();
if(curl) {
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");

/* ask libcurl to use TLS version 1.0 or later */
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
/* ask libcurl to use TLS version 1.1 or later */
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1.1 |
CURL_SSLVERSION_OR_UP_TO_DEFAULT);

/* Perform the request */
curl_easy_perform(curl);
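Review bot: The example does not compile: CURL_SSLVERSION_TLSv1.1 is not a valid C identifier, it has to be CURL_SSLVERSION_TLSv1_1. The comment "ask libcurl to use TLS version 1.1 or later" also no longer describes the call, which now restricts the range to TLSv1.1 up to the default maximum (TLSv1.2 per the text above); "ask libcurl to use TLS 1.1 up to the default maximum version" would be accurate.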
7 changes: 7 additions & 0 deletions docs/libcurl/symbols-in-versions
Expand Up @@ -798,6 +798,13 @@ CURL_SSLVERSION_TLSv1_0 7.34.0
CURL_SSLVERSION_TLSv1_1 7.34.0
CURL_SSLVERSION_TLSv1_2 7.34.0
CURL_SSLVERSION_TLSv1_3 7.52.0
CURL_SSLVERSION_OR_UP_TO_NONE 7.53.0
CURL_SSLVERSION_OR_UP_TO_DEFAULT 7.53.0
CURL_SSLVERSION_OR_UP_TO_FIRST 7.53.0
CURL_SSLVERSION_OR_UP_TO_TLSv1_0 7.53.0
CURL_SSLVERSION_OR_UP_TO_TLSv1_1 7.53.0
CURL_SSLVERSION_OR_UP_TO_TLSv1_2 7.53.0
CURL_SSLVERSION_OR_UP_TO_TLSv1_3 7.53.0
CURL_TIMECOND_IFMODSINCE 7.9.7
CURL_TIMECOND_IFUNMODSINCE 7.9.7
CURL_TIMECOND_LASTMOD 7.9.7
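Review bot: This list promotes CURL_SSLVERSION_OR_UP_TO_NONE and CURL_SSLVERSION_OR_UP_TO_FIRST to documented public symbols, while the CURLOPT_SSLVERSION.3 change in this PR documents only DEFAULT and TLSv1_1..TLSv1_3 and the header also defines LAST, which is not listed here. Decide which of NONE, FIRST, TLSv1_0 and LAST are API and document them consistently in both places; enumerators that exist only to drive the backends should not be listed as public.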
17 changes: 17 additions & 0 deletions include/curl/curl.h
Expand Up @@ -1871,6 +1871,23 @@ enum CURL_NETRC_OPTION {
CURL_NETRC_LAST
};

#define GET_CURL_SSLVERSION(x) (x & 0xffff)
#define GET_CURL_SSLVERSION_OR_UP_TO(x) (x & 0xffff0000)
#define SET_CURL_SSLVERSION_OR_UP_TO(x, val) \
CURL_SSLVERSION_OR_UP_TO_##x = (val << 16)

enum {
SET_CURL_SSLVERSION_OR_UP_TO(NONE, 0),
SET_CURL_SSLVERSION_OR_UP_TO(FIRST, 1),
SET_CURL_SSLVERSION_OR_UP_TO(TLSv1_0, 1),
SET_CURL_SSLVERSION_OR_UP_TO(TLSv1_1, 2),
SET_CURL_SSLVERSION_OR_UP_TO(TLSv1_2, 3),
SET_CURL_SSLVERSION_OR_UP_TO(TLSv1_3, 4),

SET_CURL_SSLVERSION_OR_UP_TO(LAST, 5), /* never use, keep last */
SET_CURL_SSLVERSION_OR_UP_TO(DEFAULT, 3) /* = ..._OR_UP_TO_TLSv1_2 */
};

enum {
CURL_SSLVERSION_DEFAULT,
CURL_SSLVERSION_TLSv1, /* TLS 1.x */
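Review bot: GET_CURL_SSLVERSION, GET_CURL_SSLVERSION_OR_UP_TO and SET_CURL_SSLVERSION_OR_UP_TO are exported from the public header without the CURL_ prefix, so they land in every application's macro namespace and can collide with user code; either prefix them or keep the SET_ helper out of the installed header (later commits in this series rename and then remove them). The macro bodies also leave their arguments unparenthesised, so `(x & 0xffff)` should be `((x) & 0xffff)` and `(val << 16)` should be `((val) << 16)`. Finally, CURL_SSLVERSION_OR_UP_TO_DEFAULT shares value 3 with ..._TLSv1_2 and FIRST shares 1 with ..._TLSv1_0; aliasing is legal in an enum, but it means no backend can distinguish "use the library's recommended maximum" from "TLSv1.2", which the commit "CURL_SSLVERSION_MAX_DEFAULT with own value" later had to fix.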
4 changes: 3 additions & 1 deletion lib/url.c
Expand Up @@ -922,7 +922,9 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
* implementations are lame.
*/
#ifdef USE_SSL
data->set.ssl.primary.version = va_arg(param, long);
arg = va_arg(param, long);
data->set.ssl.primary.version = GET_CURL_SSLVERSION(arg);
data->set.ssl.primary.version_up_to = GET_CURL_SSLVERSION_OR_UP_TO(arg);
#else
result = CURLE_UNKNOWN_OPTION;
#endif
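Review bot: Nothing here validates the combination: a maximum below the minimum (for example CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_OR_UP_TO_TLSv1_0), a flag combined with the SSLv2/SSLv3 or CURL_SSLVERSION_DEFAULT minimum, or bits outside the two masks are all stored as given and only surface, backend by backend, as a connect-time failure. Checking the ranges in Curl_setopt and returning CURLE_BAD_FUNCTION_ARGUMENT gives the caller a deterministic error at the point of misuse.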
1 change: 1 addition & 0 deletions lib/urldata.h
Expand Up @@ -348,6 +348,7 @@ struct ssl_connect_data {

struct ssl_primary_config {
long version; /* what version the client wants to use */
long version_up_to; /* max supported version the client wants to use*/
bool verifypeer; /* set TRUE if this is desired */
bool verifyhost; /* set TRUE if CN/SAN must match hostname */
bool verifystatus; /* set TRUE if certificate status must be checked */
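Review bot: The trailing comment needs a space before "*/" and alignment with the neighbouring fields ("/* max supported version the client wants to use */"). More importantly, a new ssl_primary_config field has to take part in the connection-reuse comparison and the config clone in lib/vtls/vtls.c (Curl_ssl_config_matches and Curl_clone_primary_ssl_config), otherwise a pooled connection negotiated under one maximum is reused for a transfer that asked for a different one; those files are not part of these four commits, so make sure the series covers them.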
6 changes: 6 additions & 0 deletions lib/vtls/axtls.c
Expand Up @@ -156,6 +156,12 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
same connection */
return CURLE_OK;

if(SSL_CONN_CONFIG(version_up_to) != CURL_SSLVERSION_OR_UP_TO_NONE) {
failf(data, "axtls does not support CURL_SSLVERSION_OR_UP_TO");
return CURLE_SSL_CONNECT_ERROR;
}


/* axTLS only supports TLSv1 */
/* check to see if we've been told to use an explicit SSL/TLS version */
switch(SSL_CONN_CONFIG(version)) {
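Review bot: There are two blank lines after the new block where one is enough. The user-visible error text also differs from the CyaSSL backend ("axtls does not support CURL_SSLVERSION_OR_UP_TO" versus "does not support to set maximum SSL/TLS version"); use one wording for all backends, for example "axTLS does not support setting a maximum SSL/TLS version", and avoid exposing the constant name to end users.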
5 changes: 5 additions & 0 deletions lib/vtls/cyassl.c
Expand Up @@ -149,6 +149,11 @@ cyassl_connect_step1(struct connectdata *conn,
if(conssl->state == ssl_connection_complete)
return CURLE_OK;

if(SSL_CONN_CONFIG(version_up_to) != CURL_SSLVERSION_OR_UP_TO_NONE) {
failf(data, "CyaSSL does not support to set maximum SSL/TLS version");
return CURLE_SSL_CONNECT_ERROR;
}

/* check to see if we've been told to use an explicit SSL/TLS version */
switch(SSL_CONN_CONFIG(version)) {
case CURL_SSLVERSION_DEFAULT:
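Review bot: The failf text "does not support to set maximum SSL/TLS version" is ungrammatical and is what users will see; "CyaSSL does not support setting a maximum SSL/TLS version" reads correctly and matches the wording suggested for the other backends.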
167 changes: 142 additions & 25 deletions lib/vtls/darwinssl.c
Expand Up @@ -1042,6 +1042,129 @@ CF_INLINE bool is_file(const char *filename)
return false;
}

static CURLcode
set_ssl_version_up_to(struct connectdata *conn, int sockindex,
long ssl_version, long ssl_version_up_to)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];

switch(ssl_version_up_to) {
case CURL_SSLVERSION_OR_UP_TO_NONE:
switch(ssl_version) {
case CURL_SSLVERSION_TLSv1_0:
return set_ssl_version_up_to(conn, sockindex, ssl_version,
CURL_SSLVERSION_OR_UP_TO_TLSv1_0);
Contributor: Why do you recursively call the function? Would it not be enough to (re)assign ssl_version_up_to and continue the execution?

Author: I agree. I will rewrite it as you suggest.

case CURL_SSLVERSION_TLSv1_1:
return set_ssl_version_up_to(conn, sockindex, ssl_version,
CURL_SSLVERSION_OR_UP_TO_TLSv1_1);
case CURL_SSLVERSION_TLSv1_2:
return set_ssl_version_up_to(conn, sockindex, ssl_version,
CURL_SSLVERSION_OR_UP_TO_TLSv1_2);
case CURL_SSLVERSION_TLSv1_3:
return set_ssl_version_up_to(conn, sockindex, ssl_version,
CURL_SSLVERSION_OR_UP_TO_TLSv1_3);
}
break;
}

Contributor: Should not we handle CURL_SSLVERSION_MAX_DEFAULT at this point?

Author: Fixed

#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
if(SSLSetProtocolVersionMax != NULL) {
SSLProtocol min_ssl_protocol = kTLSProtocol1;
SSLProtocol max_ssl_protocol = kTLSProtocol1;
switch(ssl_version) {
case CURL_SSLVERSION_TLSv1_0:
min_ssl_protocol = kTLSProtocol1;
break;
case CURL_SSLVERSION_TLSv1_1:
min_ssl_protocol = kTLSProtocol11;
break;
case CURL_SSLVERSION_TLSv1_1:
min_ssl_protocol = kTLSProtocol12;
break;
case CURL_SSLVERSION_TLSv1_3:
failf(data, "DarwinSSL: TLS 1.3 is not yet supported");
return CURLE_SSL_CONNECT_ERROR;
}

switch(ssl_version_up_to) {
case CURL_SSLVERSION_OR_UP_TO_TLSv1_0:
max_ssl_protocol = kTLSProtocol1;
break;
case CURL_SSLVERSION_OR_UP_TO_TLSv1_1:
max_ssl_protocol = kTLSProtocol11;
break;
case CURL_SSLVERSION_OR_UP_TO_TLSv1_2:
case CURL_SSLVERSION_OR_UP_TO_TLSv1_3:
max_ssl_protocol = kTLSProtocol12;
break;
}

(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, min_ssl_protocol);
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, max_ssl_protocol);
}
else {
#if CURL_SUPPORT_MAC_10_8
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kSSLProtocolAll,
false);
switch(conn->ssl_config.version) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol1,
true);
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol11,
true);
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol12,
true);
break;
case CURL_SSLVERSION_TLSv1_0:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol1,
true);
switch(conn->ssl_config.version_up_to) {
case CURL_SSLVERSION_OR_UP_TO_TLSv1_3:
case CURL_SSLVERSION_OR_UP_TO_TLSv1_2:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol12,
true);
case CURL_SSLVERSION_OR_UP_TO_TLSv1_1:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol11,
true);
}
break;
case CURL_SSLVERSION_TLSv1_1:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol11,
true);
switch(conn->ssl_config.version_up_to) {
case CURL_SSLVERSION_OR_UP_TO_TLSv1_3:
case CURL_SSLVERSION_OR_UP_TO_TLSv1_2:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol12,
true);
}
break;
case CURL_SSLVERSION_TLSv1_2:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol12,
true);
break;
case CURL_SSLVERSION_TLSv1_3:
failf(data, "DarwinSSL: TLS 1.3 is not yet supported");
return CURLE_SSL_CONNECT_ERROR;
}
}
#endif /* CURL_SUPPORT_MAC_10_8 */
#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
return CURLE_OK;
}


static CURLcode darwinssl_connect_step1(struct connectdata *conn,
int sockindex)
{
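Review bot: In the SSLSetProtocolVersionMax branch the minimum-version switch has `case CURL_SSLVERSION_TLSv1_1:` twice; the second one (assigning kTLSProtocol12) must be CURL_SSLVERSION_TLSv1_2, and as written it is a duplicate case label, so this path cannot have been compiled for CURL_BUILD_MAC_10_8 or iOS. That switch also leaves max_ssl_protocol at kTLSProtocol1 for any unlisted ssl_version_up_to value, which can place the maximum below the minimum; add a default that fails. In the CURL_SUPPORT_MAC_10_8 fallback the code switches on conn->ssl_config.version and conn->ssl_config.version_up_to instead of the ssl_version and ssl_version_up_to parameters, so the normalisation done at the top of the function (NONE mapped to the single-version range) is bypassed there, and the deliberate fall-through from CURL_SSLVERSION_OR_UP_TO_TLSv1_2 into ..._TLSv1_1 needs a /* FALLTHROUGH */ comment. The recursive calls at the top can simply assign ssl_version_up_to, as already noted in the review.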
Expand Down Expand Up @@ -1111,20 +1234,16 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
break;
case CURL_SSLVERSION_TLSv1_0:
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1);
break;
case CURL_SSLVERSION_TLSv1_1:
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11);
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11);
break;
case CURL_SSLVERSION_TLSv1_2:
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
break;
case CURL_SSLVERSION_TLSv1_3:
failf(data, "DarwinSSL: TLS 1.3 is not yet supported");
return CURLE_SSL_CONNECT_ERROR;
{
CURLcode result = set_ssl_version_up_to(conn, sockindex,
conn->ssl_config.version,
conn->ssl_config.version_up_to);
if(result != CURLE_OK)
return result;
} break;
case CURL_SSLVERSION_SSLv3:
err = SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
if(err != noErr) {
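Review bot: The `{ CURLcode result = ...; } break;` construct, with `break` on the same line as the closing brace, is not curl style; declare result at the top of darwinssl_connect_step1 (or have set_ssl_version_up_to return straight into the existing err handling) and keep `break;` on its own line. Since the four TLSv1_x cases now do the same thing, a single fall-through group of case labels ending in one call would also be clearer than four labels above one compound statement.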
Expand Down Expand Up @@ -1165,23 +1284,16 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
true);
break;
case CURL_SSLVERSION_TLSv1_0:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol1,
true);
break;
case CURL_SSLVERSION_TLSv1_1:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol11,
true);
break;
case CURL_SSLVERSION_TLSv1_2:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol12,
true);
break;
case CURL_SSLVERSION_TLSv1_3:
failf(data, "DarwinSSL: TLS 1.3 is not yet supported");
return CURLE_SSL_CONNECT_ERROR;
{
CURLcode result = set_ssl_version_up_to(conn, sockindex,
conn->ssl_config.version,
conn->ssl_config.version_up_to);
if(result != CURLE_OK)
return result;
} break;
case CURL_SSLVERSION_SSLv3:
err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kSSLProtocol3,
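Review bot: This block is identical to the one added in the SSLSetProtocolVersionMax branch above, and set_ssl_version_up_to already tests SSLSetProtocolVersionMax != NULL itself, so the two copies could be hoisted to one call before the if/else rather than repeated in both branches. The same `} break;` style point applies here.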
Expand All @@ -1207,6 +1319,11 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
#endif /* CURL_SUPPORT_MAC_10_8 */
}
#else
if(conn->ssl_config.version_up_to != CURL_SSLVERSION_OR_UP_TO_NONE) {
failf(data, "Your version of the OS does not support to set maximum"
" SSL/TLS version");
return CURLE_SSL_CONNECT_ERROR;
}
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, kSSLProtocolAll, false);
switch(conn->ssl_config.version) {
case CURL_SSLVERSION_DEFAULT:
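Review bot: This is the compile-time `#else` branch taken when the build lacks the 10.8/iOS API, so "Your version of the OS does not support to set maximum SSL/TLS version" misdescribes the situation and is ungrammatical; something like "this build of DarwinSSL does not support setting a maximum SSL/TLS version" is accurate and matches the wording suggested for the other backends.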