Added flags CURL_SSLVERSION_OR_UP_TO_* to CURLOPT_SSLVERSION #1166
Changes from 14 commits
@@ -0,0 +1,24 @@ | ||
Long: tls-max | ||
Arg: <VERSION> | ||
Tags: Versions | ||
Protocols: SSL | ||
Added: 7.53.0 | ||
Requires: TLS | ||
See-also: tlsv1.0 tlsv1.1 tlsv1.2 | ||
Help: Use TLSv1.0 or greater | ||
--- | ||
Defines a range of supported TLS versions up to VERSION. A minimum is defined | ||
by arguments tlsv1.0 or tlsv1.1 or tlsv1.2. | ||
|
||
.RS | ||
.IP "default" | ||
Use up to recommended TLS version. | ||
.IP "1.0" | ||
Use up to TLSv1.0. | ||
.IP "1.1" | ||
Use up to TLSv1.1. | ||
.IP "1.2" | ||
Use up to TLSv1.2. | ||
.IP "1.3" | ||
Use up to TLSv1.3. | ||
.RE | ||
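Review bot: the Help line "Use TLSv1.0 or greater" describes a minimum, not what this option does; tls-max sets the ceiling, so a help string such as "Set maximum encryption version to use" would tell the user what they are configuring. The "default" entry, "Use up to recommended TLS version", is also vague: say who recommends it (the TLS library's own default maximum) so readers do not assume curl pins a particular version. The description sentence should likewise make clear that the minimum comes from tlsv1.0, tlsv1.1 or tlsv1.2 and that tls-max only narrows the range from above.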
@@ -50,6 +50,19 @@ TLSv1.1 (Added in 7.34.0) | |
TLSv1.2 (Added in 7.34.0) | ||
.IP CURL_SSLVERSION_TLSv1_3 | ||
TLSv1.3 (Added in 7.52.0) | ||
.IP CURL_SSLVERSION_MAX_DEFAULT | ||
Use a flag with CURL_SSLVERSION_TLSv1_x and it's set maximum by SSL library | ||
or use CURL_SSLVERSION_MAX_TLSv1_2. Only library NSS currently allows | ||
to get TLS versions enabled by default. | ||
.IP CURL_SSLVERSION_MAX_TLSv1_1 | ||
Same here. Documentation for

Fixed
||
Use a flag with CURL_SSLVERSION_TLSv1_0 and it means | ||
TLSv1.0-TLSv1.1 (Added in 7.53.0) | ||
.IP CURL_SSLVERSION_MAX_TLSv1_2 | ||
Use a flag with CURL_SSLVERSION_TLSv1_0/CURL_SSLVERSION_TLSv1_1 | ||
and it is means TLSv1.x-TLSv1.2 (Added in 7.53.0) | ||
.IP CURL_SSLVERSION_MAX_TLSv1_3 | ||
Use a flag with CURL_SSLVERSION_TLSv1_0/CURL_SSLVERSION_TLSv1_1/ | ||
CURL_SSLVERSION_TLSv1_2 and it is means TLSv1.x-TLSv1.3 (Added in 7.53.0) | ||
.RE | ||
.SH DEFAULT | ||
CURL_SSLVERSION_DEFAULT | ||
|
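Review bot: the new entries read awkwardly ("it's set maximum by SSL library", "it is means"), and each CURL_SSLVERSION_MAX_TLSv1_x entry lists only strictly lower minimums, which implies that equal bounds such as CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_1 are not allowed; the discussion on this PR says they are, so state that explicitly. A cleaner shape is one sentence per entry, e.g. ".IP CURL_SSLVERSION_MAX_DEFAULT" / "The flag defines the maximum supported TLS version as the TLS library's default. (Added in 7.53.0)" and ".IP CURL_SSLVERSION_MAX_TLSv1_1" / "The flag defines the maximum supported TLS version as TLSv1.1. (Added in 7.53.0)". "Only library NSS currently allows to get TLS versions enabled by default" should also say what happens with the other backends: is CURL_SSLVERSION_MAX_DEFAULT ignored there, or does it fail?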
@@ -61,8 +74,9 @@ CURL *curl = curl_easy_init(); | |
if(curl) { | ||
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com"); | ||
|
||
/* ask libcurl to use TLS version 1.0 or later */ | ||
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); | ||
/* ask libcurl to use TLS version 1.1 or later */ | ||
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1.1 | | ||
CURL_SSLVERSION_MAX_DEFAULT); | ||
|
||
/* Perform the request */ | ||
curl_easy_perform(curl); | ||
|
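Review bot: CURL_SSLVERSION_TLSv1.1 is not a valid C identifier, so this example will not compile; the enumerator is CURL_SSLVERSION_TLSv1_1. The comment "use TLS version 1.1 or later" also does not show the new feature, because CURL_SSLVERSION_MAX_DEFAULT leaves the ceiling to the library; an example that fixes both ends, such as CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_2 with the comment "use TLS 1.1 up to TLS 1.2", would be more useful. As written, the second curl_easy_setopt() call simply overwrites the first one, so present the two calls as alternatives or keep only the new one.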
@@ -709,6 +709,8 @@ CURL_FORMADD_NULL 7.9.8 | |
CURL_FORMADD_OK 7.9.8 | ||
CURL_FORMADD_OPTION_TWICE 7.9.8 | ||
CURL_FORMADD_UNKNOWN_OPTION 7.9.8 | ||
CURL_GET_SSLVERSION 7.53.0 | ||
CURL_GET_SSLVERSION_MAX 7.53.0 | ||
I do not think these helper defines should be mentioned in symbols-in-versions. They are not supposed to be used externally.

When I remove it I have an issue with test 1119:

And I don't find any suffix word to ignore them in the script tests/symbol-scan.pl. Can I add the suffix word "_PRIVATE" or "_HELPER" to the script?

If they're not supposed to be used externally, then they shouldn't be in the public header, right? If they are in the public header, they should be in
||
CURL_GLOBAL_ACK_EINTR 7.30.0 | ||
CURL_GLOBAL_ALL 7.8 | ||
CURL_GLOBAL_DEFAULT 7.8 | ||
|
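Review bot: the thread above has the right resolution: symbols-in-versions is the public-API list, and test 1119 (tests/symbol-scan.pl) complains when a CURL_-prefixed name in the public header is absent from it, so adding a "_PRIVATE" or "_HELPER" exclusion to the scan would only hide the mismatch. Either these helpers are public, in which case they need man-page documentation as well as these two entries, or they are implementation detail, in which case they belong in the library's internal headers and not in the public one.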
@@ -784,6 +786,7 @@ CURL_RTSPREQ_TEARDOWN 7.20.0 | |
CURL_SEEKFUNC_CANTSEEK 7.19.5 | ||
CURL_SEEKFUNC_FAIL 7.19.5 | ||
CURL_SEEKFUNC_OK 7.19.5 | ||
CURL_SET_SSLVERSION_MAX 7.53.0 | ||
CURL_SOCKET_BAD 7.14.0 | ||
CURL_SOCKET_TIMEOUT 7.14.0 | ||
CURL_SOCKOPT_ALREADY_CONNECTED 7.21.5 | ||
|
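Review bot: CURL_SET_SSLVERSION_MAX is a macro that expands to an enumerator definition (CURL_SSLVERSION_MAX_##x = (val << 16)), so it can only be used inside the enum in the header and never by an application; listing it here as a versioned public symbol is misleading. If the helper must stay, the clearer option is to write the enumerators out by hand (CURL_SSLVERSION_MAX_TLSv1_0 = 2 << 16, and so on) and drop the macro entirely.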
@@ -798,6 +801,13 @@ CURL_SSLVERSION_TLSv1_0 7.34.0 | |
CURL_SSLVERSION_TLSv1_1 7.34.0 | ||
CURL_SSLVERSION_TLSv1_2 7.34.0 | ||
CURL_SSLVERSION_TLSv1_3 7.52.0 | ||
CURL_SSLVERSION_MAX_NONE 7.53.0 | ||
CURL_SSLVERSION_MAX_DEFAULT 7.53.0 | ||
CURL_SSLVERSION_MAX_FIRST 7.53.0 | ||
CURL_SSLVERSION_MAX_TLSv1_0 7.53.0 | ||
CURL_SSLVERSION_MAX_TLSv1_1 7.53.0 | ||
CURL_SSLVERSION_MAX_TLSv1_2 7.53.0 | ||
CURL_SSLVERSION_MAX_TLSv1_3 7.53.0 | ||
CURL_TIMECOND_IFMODSINCE 7.9.7 | ||
CURL_TIMECOND_IFUNMODSINCE 7.9.7 | ||
CURL_TIMECOND_LASTMOD 7.9.7 | ||
|
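Review bot: CURL_SSLVERSION_MAX_LAST is added to the public enum in the header but is missing from this list, so the same test 1119 problem described above applies; add "CURL_SSLVERSION_MAX_LAST 7.53.0" here or, since the header marks it "never use", reconsider whether it needs to be public. CURL_SSLVERSION_MAX_FIRST and CURL_SSLVERSION_MAX_DEFAULT are both 1 << 16 in the header, so FIRST is not a distinct value an application can pass; if it is only an iteration bound it should not be documented as a public symbol.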
@@ -1871,6 +1871,23 @@ enum CURL_NETRC_OPTION { | |
CURL_NETRC_LAST | ||
}; | ||
|
||
#define CURL_GET_SSLVERSION(x) (x & 0xffff) | ||
#define CURL_GET_SSLVERSION_MAX(x) (x & 0xffff0000) | ||
#define CURL_SET_SSLVERSION_MAX(x, val) \ | ||
CURL_SSLVERSION_MAX_##x = (val << 16) | ||
You are changing a public header file. All the defines you introduce need to start with the

Fixed
||
|
||
enum { | ||
CURL_SET_SSLVERSION_MAX(NONE, 0), | ||
CURL_SET_SSLVERSION_MAX(FIRST, 1), | ||
CURL_SET_SSLVERSION_MAX(DEFAULT, 1), | ||
CURL_SET_SSLVERSION_MAX(TLSv1_0, 2), | ||
CURL_SET_SSLVERSION_MAX(TLSv1_1, 3), | ||
CURL_SET_SSLVERSION_MAX(TLSv1_2, 4), | ||
CURL_SET_SSLVERSION_MAX(TLSv1_3, 5), | ||
|
||
CURL_SET_SSLVERSION_MAX(LAST, 6), /* never use, keep last */ | ||
}; | ||
|
||
enum { | ||
CURL_SSLVERSION_DEFAULT, | ||
CURL_SSLVERSION_TLSv1, /* TLS 1.x */ | ||
|
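Review bot: the two accessor macros are not parenthesised, so CURL_GET_SSLVERSION_MAX(a | b) expands to (a | b & 0xffff0000), which is a | (b & 0xffff0000) because & binds tighter than |; write ((x) & 0xffff) and ((x) & 0xffff0000), and ((val) << 16) in CURL_SET_SSLVERSION_MAX. CURL_SSLVERSION_MAX_FIRST and CURL_SSLVERSION_MAX_DEFAULT share the value 1 << 16, so a switch cannot carry a case for each and callers cannot tell them apart; give FIRST its own value or drop it. A comment saying that the minimum and the maximum are OR-ed into the single long passed to CURLOPT_SSLVERSION would help, since the CURL_SSLVERSION_MAX_* names alone do not make that obvious.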
@@ -1042,6 +1042,115 @@ CF_INLINE bool is_file(const char *filename) | |
return false; | ||
} | ||
|
||
static CURLcode | ||
set_ssl_version_min_max(struct connectdata *conn, int sockindex) | ||
{ | ||
struct Curl_easy *data = conn->data; | ||
struct ssl_connect_data *connssl = &conn->ssl[sockindex]; | ||
long ssl_version = SSL_CONN_CONFIG(version); | ||
long ssl_version_max = Curl_ssl_retrieve_version_max(ssl_version, | ||
SSL_CONN_CONFIG(version_max)); | ||
|
||
Should we not handle

Fixed
||
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS | ||
if(SSLSetProtocolVersionMax != NULL) { | ||
SSLProtocol min_ssl_protocol = kTLSProtocol1; | ||
SSLProtocol max_ssl_protocol = kTLSProtocol1; | ||
switch(ssl_version) { | ||
case CURL_SSLVERSION_TLSv1_0: | ||
min_ssl_protocol = kTLSProtocol1; | ||
break; | ||
case CURL_SSLVERSION_TLSv1_1: | ||
min_ssl_protocol = kTLSProtocol11; | ||
break; | ||
case CURL_SSLVERSION_TLSv1_2: | ||
min_ssl_protocol = kTLSProtocol12; | ||
break; | ||
case CURL_SSLVERSION_TLSv1_3: | ||
failf(data, "DarwinSSL: TLS 1.3 is not yet supported"); | ||
return CURLE_SSL_CONNECT_ERROR; | ||
} | ||
|
||
switch(ssl_version_max) { | ||
case CURL_SSLVERSION_MAX_TLSv1_0: | ||
max_ssl_protocol = kTLSProtocol1; | ||
break; | ||
case CURL_SSLVERSION_MAX_TLSv1_1: | ||
max_ssl_protocol = kTLSProtocol11; | ||
break; | ||
case CURL_SSLVERSION_MAX_DEFAULT: | ||
case CURL_SSLVERSION_MAX_TLSv1_2: | ||
case CURL_SSLVERSION_MAX_TLSv1_3: | ||
max_ssl_protocol = kTLSProtocol12; | ||
break; | ||
} | ||
|
||
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, min_ssl_protocol); | ||
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, max_ssl_protocol); | ||
} | ||
else { | ||
#if CURL_SUPPORT_MAC_10_8 | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kSSLProtocolAll, | ||
false); | ||
switch(conn->ssl_config.version) { | ||
case CURL_SSLVERSION_DEFAULT: | ||
case CURL_SSLVERSION_TLSv1: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol1, | ||
true); | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol11, | ||
true); | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol12, | ||
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_0: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol1, | ||
true); | ||
switch(conn->ssl_config.version_max) { | ||
case CURL_SSLVERSION_MAX_TLSv1_3: | ||
case CURL_SSLVERSION_MAX_TLSv1_2: | ||
case CURL_SSLVERSION_MAX_DEFAULT: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol12, | ||
true); | ||
case CURL_SSLVERSION_MAX_TLSv1_1: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol11, | ||
true); | ||
} | ||
break; | ||
case CURL_SSLVERSION_TLSv1_1: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol11, | ||
true); | ||
switch(conn->ssl_config.version_max) { | ||
case CURL_SSLVERSION_MAX_TLSv1_3: | ||
case CURL_SSLVERSION_MAX_TLSv1_2: | ||
case CURL_SSLVERSION_MAX_DEFAULT: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol12, | ||
true); | ||
} | ||
break; | ||
case CURL_SSLVERSION_TLSv1_2: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol12, | ||
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_3: | ||
failf(data, "DarwinSSL: TLS 1.3 is not yet supported"); | ||
return CURLE_SSL_CONNECT_ERROR; | ||
} | ||
} | ||
#endif /* CURL_SUPPORT_MAC_10_8 */ | ||
#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */ | ||
return CURLE_OK; | ||
} | ||
|
||
|
||
static CURLcode darwinssl_connect_step1(struct connectdata *conn, | ||
int sockindex) | ||
{ | ||
|
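Review bot: in the SSLSetProtocolVersionMax branch, max_ssl_protocol starts at kTLSProtocol1 and the switch on ssl_version_max has no case for CURL_SSLVERSION_MAX_NONE or CURL_SSLVERSION_MAX_FIRST, so any value the switch does not match silently caps the connection at TLS 1.0, even when the minimum was just set to kTLSProtocol12; initialise it to kTLSProtocol12 or return CURLE_SSL_CONNECT_ERROR for unexpected values. Nothing rejects a ceiling below the floor (CURL_SSLVERSION_TLSv1_2 with CURL_SSLVERSION_MAX_TLSv1_0 sets min above max), which deserves a failf() before the SecureTransport calls. The CURL_SUPPORT_MAC_10_8 branch reads conn->ssl_config.version_max directly while the first branch uses ssl_version_max from Curl_ssl_retrieve_version_max(), so the two paths can disagree; use one value. The fall-through from case CURL_SSLVERSION_MAX_DEFAULT into case CURL_SSLVERSION_MAX_TLSv1_1 (enable 1.2, then 1.1) is intentional but should carry a /* FALLTHROUGH */ comment so it is not "fixed" later.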
@@ -1111,20 +1220,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, | |
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_0: | ||
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1); | ||
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_1: | ||
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11); | ||
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_2: | ||
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12); | ||
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_3: | ||
failf(data, "DarwinSSL: TLS 1.3 is not yet supported"); | ||
return CURLE_SSL_CONNECT_ERROR; | ||
{ | ||
CURLcode result = set_ssl_version_min_max(conn, sockindex); | ||
if(result != CURLE_OK) | ||
return result; | ||
} break; | ||
case CURL_SSLVERSION_SSLv3: | ||
err = SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3); | ||
if(err != noErr) { | ||
|
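Review bot: "} break;" on one line after the block does not match the style of the surrounding switch; put break on its own line. Since the "TLS 1.3 is not yet supported" failure now lives inside set_ssl_version_min_max(), a one-line comment at the call site saying that the helper validates both the minimum and the maximum would save the next reader a jump.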
@@ -1165,23 +1268,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, | |
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_0: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol1, | ||
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_1: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol11, | ||
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_2: | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kTLSProtocol12, | ||
true); | ||
break; | ||
case CURL_SSLVERSION_TLSv1_3: | ||
failf(data, "DarwinSSL: TLS 1.3 is not yet supported"); | ||
return CURLE_SSL_CONNECT_ERROR; | ||
{ | ||
CURLcode result = set_ssl_version_min_max(conn, sockindex); | ||
if(result != CURLE_OK) | ||
return result; | ||
} break; | ||
case CURL_SSLVERSION_SSLv3: | ||
err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx, | ||
kSSLProtocol3, | ||
|
@@ -1207,6 +1301,11 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, | |
#endif /* CURL_SUPPORT_MAC_10_8 */ | ||
} | ||
#else | ||
if(conn->ssl_config.version_max != CURL_SSLVERSION_MAX_NONE) { | ||
failf(data, "Your version of the OS does not support to set maximum" | ||
" SSL/TLS version"); | ||
return CURLE_SSL_CONNECT_ERROR; | ||
} | ||
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, kSSLProtocolAll, false); | ||
switch(conn->ssl_config.version) { | ||
case CURL_SSLVERSION_DEFAULT: | ||
|
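Review bot: the message "does not support to set maximum SSL/TLS version" should read "does not support setting a maximum SSL/TLS version". The check rejects every value other than CURL_SSLVERSION_MAX_NONE, yet the man-page text in this PR describes CURL_SSLVERSION_MAX_DEFAULT as letting the TLS library set the maximum, which is exactly what this older-OS path does anyway; treat MAX_DEFAULT as acceptable here and fail only for an explicit CURL_SSLVERSION_MAX_TLSv1_x.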
Do I understand it correctly that minimum and maximum cannot be set to the same value? Why?

Yes, it is supported. But it is weird to use tls-max with tlsvX.Y when you want just tlsvX.Y. If you wish I can add this option to the documentation.

I would drop all the "The supported minimum is ..." sentences from the particular options. The statement above says it clearly enough in a generic way. The fact that the minimum enabled TLS version cannot be higher than the maximum enabled TLS version is obvious. Also the space before the comma appears disruptive to me.

I agree - removed sentences.
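The packed "minimum | maximum" scheme this PR puts behind CURLOPT_SSLVERSION, together with the min == max question from the thread above, as an added stand-alone illustration that is not curl's code: the TLSMIN_*/TLSMAX_* enumerators, the tlsrange_* functions and the TLSRANGE_* macros are constructed for this example. The minimum numbering assumes curl's public CURL_SSLVERSION_* values; the maximum numbering follows the (val << 16) scheme of the header hunk. It shows the encoding, properly parenthesised decoding, the floor/ceiling validation a backend should do before touching the TLS library, and the precedence hazard of the hunk's unparenthesised accessor macro.

```c
/* Added illustration, not curl's own code: the packed "minimum | maximum"
 * TLS version scheme of this PR, rebuilt stand-alone so the encoding, the
 * decoding and the "minimum above maximum" check can be exercised.
 * Minimum enumerators: curl's public CURL_SSLVERSION_* numbering (assumed).
 * Maximum enumerators: the (val << 16) scheme of the header hunk. */
#include <stdio.h>

enum tls_min {                 /* low 16 bits: the floor */
  TLSMIN_DEFAULT = 0,
  TLSMIN_TLSv1   = 1,          /* any TLS 1.x, library decides */
  TLSMIN_SSLv2   = 2,
  TLSMIN_SSLv3   = 3,
  TLSMIN_TLSv1_0 = 4,
  TLSMIN_TLSv1_1 = 5,
  TLSMIN_TLSv1_2 = 6,
  TLSMIN_TLSv1_3 = 7
};

enum tls_max {                 /* high 16 bits: the ceiling */
  TLSMAX_NONE    = 0 << 16,
  TLSMAX_DEFAULT = 1 << 16,    /* let the TLS library pick the ceiling */
  TLSMAX_TLSv1_0 = 2 << 16,
  TLSMAX_TLSv1_1 = 3 << 16,
  TLSMAX_TLSv1_2 = 4 << 16,
  TLSMAX_TLSv1_3 = 5 << 16
};

/* Fully parenthesised accessors. The hunk's CURL_GET_SSLVERSION_MAX(x) is
 * written (x & 0xffff0000), so passing an OR expression mis-parses. */
#define TLSRANGE_MIN(x) ((x) & 0xffff)
#define TLSRANGE_MAX(x) ((x) & 0xffff0000)

/* The single long an application would hand to CURLOPT_SSLVERSION. */
long tlsrange_pack(enum tls_min min, enum tls_max max)
{
  return (long)min | (long)max;
}

/* Rank fixed TLS versions on one scale (TLS 1.0 = 0 ... TLS 1.3 = 3);
 * -1 means "not a fixed TLS version" (DEFAULT, TLSv1, SSLv2/3, NONE). */
static int min_rank(long packed)
{
  switch(TLSRANGE_MIN(packed)) {
  case TLSMIN_TLSv1_0: return 0;
  case TLSMIN_TLSv1_1: return 1;
  case TLSMIN_TLSv1_2: return 2;
  case TLSMIN_TLSv1_3: return 3;
  default:             return -1;
  }
}

static int max_rank(long packed)
{
  switch(TLSRANGE_MAX(packed)) {
  case TLSMAX_TLSv1_0: return 0;
  case TLSMAX_TLSv1_1: return 1;
  case TLSMAX_TLSv1_2: return 2;
  case TLSMAX_TLSv1_3: return 3;
  default:             return -1;
  }
}

/* The validation the review asks for: a ceiling below the floor is an error,
 * a ceiling on an SSLv2/SSLv3 floor is an error, and floor == ceiling is
 * fine (that is how "exactly TLS 1.x" is expressed). Returns 0 or -1. */
int tlsrange_validate(long packed)
{
  long maxv = TLSRANGE_MAX(packed);
  long minv = TLSRANGE_MIN(packed);

  if(maxv == TLSMAX_NONE || maxv == TLSMAX_DEFAULT)
    return 0;                       /* no explicit ceiling: nothing to check */
  if(minv == TLSMIN_SSLv2 || minv == TLSMIN_SSLv3)
    return -1;                      /* a TLS ceiling makes no sense here */
  if(min_rank(packed) > max_rank(packed))
    return -1;
  return 0;
}

/* Reproduces the precedence hazard of the hunk's unparenthesised macro:
 * HUNK_GET_MAX(a | b) becomes a | (b & 0xffff0000), so the floor leaks
 * into what should be the ceiling alone. */
#define HUNK_GET_MAX(x) (x & 0xffff0000)
long tlsrange_hunk_macro_leak(void)
{
  return HUNK_GET_MAX(TLSMIN_TLSv1_1 | TLSMAX_TLSv1_2); /* not TLSMAX_TLSv1_2 */
}

int main(void)
{
  long v = tlsrange_pack(TLSMIN_TLSv1_1, TLSMAX_TLSv1_2);
  printf("packed=0x%lx min=%ld max=0x%lx valid=%d\n", v,
         TLSRANGE_MIN(v), TLSRANGE_MAX(v), tlsrange_validate(v));
  printf("hunk macro on OR expression: 0x%lx (expected 0x%x)\n",
         tlsrange_hunk_macro_leak(), (unsigned)TLSMAX_TLSv1_2);
  return 0;
}
```

The validation deliberately accepts TLSMAX_DEFAULT and TLSMAX_NONE with any floor, mirroring the man-page meaning of CURL_SSLVERSION_MAX_DEFAULT (the library chooses the ceiling), and it accepts an equal floor and ceiling, which is the case the thread above confirms is supported.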