Added flags CURL_SSLVERSION_OR_UP_TO_* to CURLOPT_SSLVERSION #1166
Changes from 21 commits
21143bc
03918ee
8a5b3ab
007fc8c
d90c799
b48f5cb
c38fb2a
dc572c9
e4ae8ba
1521c82
f43ce22
2526749
6cd599d
352116f
f28e480
8d5756e
f178c42
a218844
fbdab0a
0523638
0b7992f
426d1cd
9812598
5a2477f
ff5bb77
@@ -0,0 +1,24 @@ | ||
Long: tls-max | ||
Arg: <VERSION> | ||
Tags: Versions | ||
Protocols: SSL | ||
Added: 7.53.0 | ||
Requires: TLS | ||
See-also: tlsv1.0 tlsv1.1 tlsv1.2 | ||
Help: Use TLSv1.0 or greater | ||
--- | ||
VERSION defines maximum supported TLS version. A minimum is defined | ||
by arguments tlsv1.0 or tlsv1.1 or tlsv1.2. | ||
|
||
.RS | ||
.IP "default" | ||
Use up to recommended TLS version. | ||
.IP "1.0" | ||
Use up to TLSv1.0. | ||
.IP "1.1" | ||
Use up to TLSv1.1. | ||
.IP "1.2" | ||
Use up to TLSv1.2. | ||
.IP "1.3" | ||
Use up to TLSv1.3. | ||
.RE | ||
|
@@ -46,6 +46,20 @@ TLSv1.1 | |
TLSv1.2 | ||
.IP CURL_SSLVERSION_TLSv1_3 | ||
TLSv1.3 | ||
.IP CURL_SSLVERSION_MAX_DEFAULT | ||
The flag defines maximum supported TLS version as TLSv1.2 or default | ||
value from SSL library. Only library NSS currently allows to get | ||
maximum supported TLS version. | ||
(Added in 7.53.0) | ||
.IP CURL_SSLVERSION_MAX_TLSv1_1 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Documentation for There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fixed |
||
The flag defines maximum supported TLS version as TLSv1.1. | ||
(Added in 7.53.0) | ||
.IP CURL_SSLVERSION_MAX_TLSv1_2 | ||
The flag defines maximum supported TLS version as TLSv1.2. | ||
(Added in 7.53.0) | ||
.IP CURL_SSLVERSION_MAX_TLSv1_3 | ||
The flag defines maximum supported TLS version as TLSv1.3. | ||
(Added in 7.53.0) | ||
.RE | ||
.SH DEFAULT | ||
CURL_SSLVERSION_DEFAULT | ||
|
@@ -58,7 +72,8 @@ if(curl) { | |
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com"); | ||
|
||
/* ask libcurl to use TLS version 1.0 or later */ | ||
curl_easy_setopt(curl, CURLOPT_PROXY_SSLVERSION, CURL_SSLVERSION_TLSv1); | ||
curl_easy_setopt(curl, CURLOPT_PROXY_SSLVERSION, CURL_SSLVERSION_TLSv1_1 | | ||
CURL_SSLVERSION_MAX_DEFAULT); | ||
|
||
/* Perform the request */ | ||
curl_easy_perform(curl); | ||
|
|
@@ -50,6 +50,20 @@ TLSv1.1 (Added in 7.34.0) | |
TLSv1.2 (Added in 7.34.0) | ||
.IP CURL_SSLVERSION_TLSv1_3 | ||
TLSv1.3 (Added in 7.52.0) | ||
.IP CURL_SSLVERSION_MAX_DEFAULT | ||
The flag defines maximum supported TLS version as TLSv1.2 or default | ||
value from SSL library. Only library NSS currently allows to get | ||
maximum supported TLS version. | ||
(Added in 7.53.0) | ||
.IP CURL_SSLVERSION_MAX_TLSv1_1 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same here. Documentation for There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fixed |
||
The flag defines maximum supported TLS version as TLSv1.1. | ||
(Added in 7.53.0) | ||
.IP CURL_SSLVERSION_MAX_TLSv1_2 | ||
The flag defines maximum supported TLS version as TLSv1.2. | ||
(Added in 7.53.0) | ||
.IP CURL_SSLVERSION_MAX_TLSv1_3 | ||
The flag defines maximum supported TLS version as TLSv1.3. | ||
(Added in 7.53.0) | ||
.RE | ||
.SH DEFAULT | ||
CURL_SSLVERSION_DEFAULT | ||
|
@@ -61,8 +75,9 @@ CURL *curl = curl_easy_init(); | |
if(curl) { | ||
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com"); | ||
|
||
/* ask libcurl to use TLS version 1.0 or later */ | ||
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); | ||
/* ask libcurl to use TLS version 1.1 or later */ | ||
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1.1 | | ||
CURL_SSLVERSION_MAX_DEFAULT); | ||
|
||
/* Perform the request */ | ||
curl_easy_perform(curl); | ||
|
|
@@ -1042,6 +1042,101 @@ CF_INLINE bool is_file(const char *filename) | |
return false; | ||
} | ||
|
||
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS | ||
static CURLcode darwinssl_version_from_curl(long *darwinver, long version) | ||
{ | ||
switch(ssl_version) { | ||
case CURL_SSLVERSION_TLSv1_0: | ||
*darwinver = kTLSProtocol1; | ||
return CURLE_OK; | ||
case CURL_SSLVERSION_TLSv1_1: | ||
*darwinver = kTLSProtocol11; | ||
return CURLE_OK; | ||
case CURL_SSLVERSION_TLSv1_2: | ||
*darwinver = kTLSProtocol12; | ||
return CURLE_OK; | ||
case CURL_SSLVERSION_TLSv1_3: | ||
break; | ||
} | ||
return CURLE_SSL_CONNECT_ERROR; | ||
} | ||
#endif | ||
|
||
static CURLcode | ||
set_ssl_version_min_max(struct connectdata *conn, int sockindex) | ||
{ | ||
struct Curl_easy *data = conn->data; | ||
struct ssl_connect_data *connssl = &conn->ssl[sockindex]; | ||
long ssl_version = SSL_CONN_CONFIG(version); | ||
long ssl_version_max = SSL_CONN_CONFIG(version_max) >> 16; | ||
switch(ssl_version) { | ||
case CURL_SSLVERSION_DEFAULT: | ||
case CURL_SSLVERSION_TLSv1: | ||
ssl_version = CURL_SSLVERSION_TLSv1_0; | ||
ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2; | ||
break; | ||
} | ||
if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) { | ||
ssl_version_max = ssl_version; | ||
} | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should not we handle There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fixed |
||
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS | ||
if(SSLSetProtocolVersionMax != NULL) { | ||
SSLProtocol darwin_ver_min = kTLSProtocol1; | ||
SSLProtocol darwin_ver_max = kTLSProtocol1; | ||
CURLcode result = darwinssl_version_from_curl(&darwin_ver_min, | ||
ssl_version); | ||
if(result) { | ||
failf(data, "unsupported min version passed via CURLOPT_SSLVERSION"); | ||
return result; | ||
} | ||
result = darwinssl_version_from_curl(&darwin_ver_max, ssl_version_max); | ||
if(result) { | ||
failf(data, "unsupported max version passed via CURLOPT_SSLVERSION"); | ||
return result; | ||
} | ||
|
||
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, darwin_ver_min); | ||
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, darwin_ver_max); | ||
return result; | ||
} | ||
else { | ||
#if CURL_SUPPORT_MAC_10_8 | ||
long i = ssl_version; | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kSSLProtocolAll, | ||
false); | ||
for(;i <= (ssl_version_max >> 16);i++) { | ||
switch(i) { | ||
case CURL_SSLVERSION_TLSv1_0: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol1, | ||
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_1: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol11, | ||
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_2: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol12, | ||
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_3: | ||
failf(data, "DarwinSSL: TLS 1.3 is not yet supported"); | ||
return CURLE_SSL_CONNECT_ERROR; | ||
} | ||
} | ||
return CURLE_OK; | ||
#endif /* CURL_SUPPORT_MAC_10_8 */ | ||
} | ||
#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */ | ||
failf(data, "DarwinSSL: cannot set SSL protocol"); | ||
return CURLE_SSL_CONNECT_ERROR; | ||
} | ||
|
||
|
||
static CURLcode darwinssl_connect_step1(struct connectdata *conn, | ||
int sockindex) | ||
{ | ||
|
@@ -1111,20 +1206,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, | |
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_0: | ||
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1); | ||
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_1: | ||
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11); | ||
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_2: | ||
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12); | ||
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_3: | ||
failf(data, "DarwinSSL: TLS 1.3 is not yet supported"); | ||
return CURLE_SSL_CONNECT_ERROR; | ||
{ | ||
CURLcode result = set_ssl_version_min_max(conn, sockindex); | ||
if(result != CURLE_OK) | ||
return result; | ||
} break; | ||
case CURL_SSLVERSION_SSLv3: | ||
err = SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3); | ||
if(err != noErr) { | ||
|
@@ -1165,23 +1254,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, | |
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_0: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol1, | ||
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_1: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol11, | ||
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_2: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol12, | ||
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_3: | ||
failf(data, "DarwinSSL: TLS 1.3 is not yet supported"); | ||
return CURLE_SSL_CONNECT_ERROR; | ||
{ | ||
CURLcode result = set_ssl_version_min_max(conn, sockindex); | ||
if(result != CURLE_OK) | ||
return result; | ||
} break; | ||
case CURL_SSLVERSION_SSLv3: | ||
err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kSSLProtocol3, | ||
|
@@ -1207,6 +1287,11 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, | |
#endif /* CURL_SUPPORT_MAC_10_8 */ | ||
} | ||
#else | ||
if(conn->ssl_config.version_max != CURL_SSLVERSION_MAX_NONE) { | ||
failf(data, "Your version of the OS does not support to set maximum" | ||
" SSL/TLS version"); | ||
return CURLE_SSL_CONNECT_ERROR; | ||
} | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, kSSLProtocolAll, false); | ||
switch(conn->ssl_config.version) { | ||
case CURL_SSLVERSION_DEFAULT: | ||
|
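Review bot: In the new set_ssl_version_min_max, ssl_version_max is handled in two different units: it is shifted right by 16 where it is defined (`SSL_CONN_CONFIG(version_max) >> 16`), then assigned the unshifted flag `CURL_SSLVERSION_MAX_TLSv1_2` in the DEFAULT/TLSv1 case, passed as-is to darwinssl_version_from_curl (which compares it against plain `CURL_SSLVERSION_TLSv1_*` values), and on the CURL_SUPPORT_MAC_10_8 fallback shifted right by 16 a second time in the `for` bound, so at least one of the default, explicit-max and min-only paths compares a version number with a flag (or with 0) and either rejects a valid setting or enables no protocol at all. darwinssl_version_from_curl also switches on `ssl_version`, which is not its parameter (`version`), so it only builds if some other `ssl_version` is in scope. The discussion below calls it obvious that the minimum cannot exceed the maximum, yet nothing in the hunk enforces it before the values reach SSLSetProtocolVersionMin/Max. The rewrite below keeps the max in one domain, converts it once, fixes the switch, and rejects min > max; it assumes the CURL_SSLVERSION_MAX_* constants are the version numbers shifted left by 16, as the two shifts suggest — confirm against curl.h.
```c
static CURLcode darwinssl_version_from_curl(long *darwinver, long version)
{
  switch(version) { /* was: switch(ssl_version), not a parameter here */
  /* … unchanged: kTLSProtocol1 / kTLSProtocol11 / kTLSProtocol12 cases … */
  }
  return CURLE_SSL_CONNECT_ERROR;
}

static CURLcode
set_ssl_version_min_max(struct connectdata *conn, int sockindex)
{
  /* … unchanged: data / connssl … */
  long ssl_version = SSL_CONN_CONFIG(version);
  /* keep the max in the CURL_SSLVERSION_MAX_* (shifted) domain until the
     single conversion below, so every later use sees a plain version */
  long ssl_version_max = SSL_CONN_CONFIG(version_max);
  switch(ssl_version) {
  case CURL_SSLVERSION_DEFAULT:
  case CURL_SSLVERSION_TLSv1:
    ssl_version = CURL_SSLVERSION_TLSv1_0;
    ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
    break;
  }
  if(ssl_version_max == CURL_SSLVERSION_MAX_NONE)
    ssl_version_max = ssl_version << 16;
  ssl_version_max >>= 16;
  if(ssl_version_max < ssl_version) {
    failf(data, "TLS max version is lower than the min version");
    return CURLE_SSL_CONNECT_ERROR;
  }
  /* … unchanged: SSLSetProtocolVersionMin/Max path … */
  for(; i <= ssl_version_max; i++) { /* was: (ssl_version_max >> 16) */
  /* … unchanged: per-version SSLSetProtocolVersionEnabled switch … */
```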
Do I understand it correctly that minimum and maximum cannot be set to the same value? Why?
Yes, it is supported. But it is weird to use tls-max together with tlsvX.Y when you just want tlsvX.Y. If you wish I can add this option to the documentation.
I would drop all the "The supported minimum is ..." sentences from the particular options. The statement above says it clearly enough in a generic way. The fact that the minimum enabled TLS version cannot be higher than the maximum enabled TLS version is obvious. Also the space before comma appears disruptive to me.
I agree - removed sentences.