Added flags CURL_SSLVERSION_OR_UP_TO_* to CURLOPT_SSLVERSION

docs/cmdline-opts/tls-max.d

@@ -0,0 +1,24 @@
+Long: tls-max
+Arg: <VERSION>
+Tags: Versions
+Protocols: SSL
+Added: 7.53.0
+Requires: TLS
+See-also: tlsv1.0 tlsv1.1 tlsv1.2
+Help: Use TLSv1.0 or greater
+---
+Defines a range of supported TLS versions up to VERSION. A minimum is defined
+by arguments tlsv1.0 or tlsv1.1 or tlsv1.2.
+
+.RS
+.IP "default"
+Use up to recommended TLS version.
+.IP "1.0"
+Use up to TLSv1.0.
+.IP "1.1"
+Use up to TLSv1.1.
+.IP "1.2"
+Use up to TLSv1.2.
+.IP "1.3"
+Use up to TLSv1.3.
+.RE

docs/libcurl/opts/CURLOPT_SSLVERSION.3

@@ -50,6 +50,19 @@ TLSv1.1 (Added in 7.34.0)
 TLSv1.2 (Added in 7.34.0)
 .IP CURL_SSLVERSION_TLSv1_3
 TLSv1.3 (Added in 7.52.0)
+.IP CURL_SSLVERSION_MAX_DEFAULT
+Use a flag with CURL_SSLVERSION_TLSv1_x and it's set maximum by SSL library
+or use CURL_SSLVERSION_MAX_TLSv1_2. Only library NSS currently allows
+to get TLS versions enabled by default.
+.IP CURL_SSLVERSION_MAX_TLSv1_1
+Use a flag with CURL_SSLVERSION_TLSv1_0 and it means
+TLSv1.0-TLSv1.1 (Added in 7.53.0)
+.IP CURL_SSLVERSION_MAX_TLSv1_2
+Use a flag with CURL_SSLVERSION_TLSv1_0/CURL_SSLVERSION_TLSv1_1
+ and it is means TLSv1.x-TLSv1.2 (Added in 7.53.0)
+.IP CURL_SSLVERSION_MAX_TLSv1_3
+Use a flag with CURL_SSLVERSION_TLSv1_0/CURL_SSLVERSION_TLSv1_1/
+CURL_SSLVERSION_TLSv1_2 and it is means TLSv1.x-TLSv1.3 (Added in 7.53.0)
 .RE
 .SH DEFAULT
 CURL_SSLVERSION_DEFAULT
@@ -61,8 +74,9 @@ CURL *curl = curl_easy_init();
 if(curl) {
   curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
 
-  /* ask libcurl to use TLS version 1.0 or later */
-  curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+  /* ask libcurl to use TLS version 1.1 or later */
+  curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1.1 |
+                   CURL_SSLVERSION_MAX_DEFAULT);
 
   /* Perform the request */
   curl_easy_perform(curl);

docs/libcurl/symbols-in-versions

@@ -709,6 +709,8 @@ CURL_FORMADD_NULL               7.9.8
 CURL_FORMADD_OK                 7.9.8
 CURL_FORMADD_OPTION_TWICE       7.9.8
 CURL_FORMADD_UNKNOWN_OPTION     7.9.8
+CURL_GET_SSLVERSION             7.53.0
+CURL_GET_SSLVERSION_MAX         7.53.0
 CURL_GLOBAL_ACK_EINTR           7.30.0
 CURL_GLOBAL_ALL                 7.8
 CURL_GLOBAL_DEFAULT             7.8
@@ -784,6 +786,7 @@ CURL_RTSPREQ_TEARDOWN           7.20.0
 CURL_SEEKFUNC_CANTSEEK          7.19.5
 CURL_SEEKFUNC_FAIL              7.19.5
 CURL_SEEKFUNC_OK                7.19.5
+CURL_SET_SSLVERSION_MAX         7.53.0
 CURL_SOCKET_BAD                 7.14.0
 CURL_SOCKET_TIMEOUT             7.14.0
 CURL_SOCKOPT_ALREADY_CONNECTED  7.21.5
@@ -798,6 +801,13 @@ CURL_SSLVERSION_TLSv1_0         7.34.0
 CURL_SSLVERSION_TLSv1_1         7.34.0
 CURL_SSLVERSION_TLSv1_2         7.34.0
 CURL_SSLVERSION_TLSv1_3         7.52.0
+CURL_SSLVERSION_MAX_NONE        7.53.0
+CURL_SSLVERSION_MAX_DEFAULT     7.53.0
+CURL_SSLVERSION_MAX_FIRST       7.53.0
+CURL_SSLVERSION_MAX_TLSv1_0     7.53.0
+CURL_SSLVERSION_MAX_TLSv1_1     7.53.0
+CURL_SSLVERSION_MAX_TLSv1_2     7.53.0
+CURL_SSLVERSION_MAX_TLSv1_3     7.53.0
 CURL_TIMECOND_IFMODSINCE        7.9.7
 CURL_TIMECOND_IFUNMODSINCE      7.9.7
 CURL_TIMECOND_LASTMOD           7.9.7

include/curl/curl.h

@@ -1871,6 +1871,23 @@ enum CURL_NETRC_OPTION {
   CURL_NETRC_LAST
 };
 
+#define CURL_GET_SSLVERSION(x) (x & 0xffff)
+#define CURL_GET_SSLVERSION_MAX(x) (x & 0xffff0000)
+#define CURL_SET_SSLVERSION_MAX(x, val) \
+  CURL_SSLVERSION_MAX_##x = (val << 16)
+
+enum {
+  CURL_SET_SSLVERSION_MAX(NONE,    0),
+  CURL_SET_SSLVERSION_MAX(FIRST,   1),
+  CURL_SET_SSLVERSION_MAX(DEFAULT, 1),
+  CURL_SET_SSLVERSION_MAX(TLSv1_0, 2),
+  CURL_SET_SSLVERSION_MAX(TLSv1_1, 3),
+  CURL_SET_SSLVERSION_MAX(TLSv1_2, 4),
+  CURL_SET_SSLVERSION_MAX(TLSv1_3, 5),
+
+  CURL_SET_SSLVERSION_MAX(LAST,    6), /* never use, keep last */
+};
+
 enum {
   CURL_SSLVERSION_DEFAULT,
   CURL_SSLVERSION_TLSv1, /* TLS 1.x */

lib/url.c

@@ -922,7 +922,9 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
      * implementations are lame.
      */
 #ifdef USE_SSL
-    data->set.ssl.primary.version = va_arg(param, long);
+    arg = va_arg(param, long);
+    data->set.ssl.primary.version = CURL_GET_SSLVERSION(arg);
+    data->set.ssl.primary.version_max = CURL_GET_SSLVERSION_MAX(arg);
 #else
     result = CURLE_UNKNOWN_OPTION;
 #endif

lib/urldata.h

@@ -348,6 +348,7 @@ struct ssl_connect_data {
 
 struct ssl_primary_config {
   long version;          /* what version the client wants to use */
+  long version_max;      /* max supported version the client wants to use*/
   bool verifypeer;       /* set TRUE if this is desired */
   bool verifyhost;       /* set TRUE if CN/SAN must match hostname */
   bool verifystatus;     /* set TRUE if certificate status must be checked */

lib/vtls/axtls.c

@@ -156,6 +156,12 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
        same connection */
     return CURLE_OK;
 
+  if(SSL_CONN_CONFIG(version_max) != CURL_SSLVERSION_MAX_NONE) {
+    failf(data, "axtls does not support CURL_SSLVERSION_MAX");
+    return CURLE_SSL_CONNECT_ERROR;
+  }
+
+
   /* axTLS only supports TLSv1 */
   /* check to see if we've been told to use an explicit SSL/TLS version */
   switch(SSL_CONN_CONFIG(version)) {

lib/vtls/cyassl.c

@@ -149,6 +149,11 @@ cyassl_connect_step1(struct connectdata *conn,
   if(conssl->state == ssl_connection_complete)
     return CURLE_OK;
 
+  if(SSL_CONN_CONFIG(version_max) != CURL_SSLVERSION_MAX_NONE) {
+    failf(data, "CyaSSL does not support to set maximum SSL/TLS version");
+    return CURLE_SSL_CONNECT_ERROR;
+  }
+
   /* check to see if we've been told to use an explicit SSL/TLS version */
   switch(SSL_CONN_CONFIG(version)) {
   case CURL_SSLVERSION_DEFAULT:

lib/vtls/darwinssl.c

@@ -1042,6 +1042,115 @@ CF_INLINE bool is_file(const char *filename)
   return false;
 }
 
+static CURLcode
+set_ssl_version_min_max(struct connectdata *conn, int sockindex)
+{
+  struct Curl_easy *data = conn->data;
+  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+  long ssl_version = SSL_CONN_CONFIG(version);
+  long ssl_version_max = Curl_ssl_retrieve_version_max(ssl_version,
+                                                 SSL_CONN_CONFIG(version_max));
+
+#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
+  if(SSLSetProtocolVersionMax != NULL) {
+    SSLProtocol min_ssl_protocol = kTLSProtocol1;
+    SSLProtocol max_ssl_protocol = kTLSProtocol1;
+    switch(ssl_version) {
+      case CURL_SSLVERSION_TLSv1_0:
+        min_ssl_protocol = kTLSProtocol1;
+        break;
+      case CURL_SSLVERSION_TLSv1_1:
+        min_ssl_protocol = kTLSProtocol11;
+        break;
+      case CURL_SSLVERSION_TLSv1_2:
+        min_ssl_protocol = kTLSProtocol12;
+        break;
+      case CURL_SSLVERSION_TLSv1_3:
+        failf(data, "DarwinSSL: TLS 1.3 is not yet supported");
+        return CURLE_SSL_CONNECT_ERROR;
+    }
+
+    switch(ssl_version_max) {
+      case CURL_SSLVERSION_MAX_TLSv1_0:
+         max_ssl_protocol = kTLSProtocol1;
+         break;
+      case CURL_SSLVERSION_MAX_TLSv1_1:
+         max_ssl_protocol = kTLSProtocol11;
+         break;
+      case CURL_SSLVERSION_MAX_DEFAULT:
+      case CURL_SSLVERSION_MAX_TLSv1_2:
+      case CURL_SSLVERSION_MAX_TLSv1_3:
+         max_ssl_protocol = kTLSProtocol12;
+         break;
+     }
+
+     (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, min_ssl_protocol);
+     (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, max_ssl_protocol);
+  }
+  else {
+#if CURL_SUPPORT_MAC_10_8
+    (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                       kSSLProtocolAll,
+                                       false);
+    switch(conn->ssl_config.version) {
+      case CURL_SSLVERSION_DEFAULT:
+      case CURL_SSLVERSION_TLSv1:
+        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                           kTLSProtocol1,
+                                           true);
+        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                           kTLSProtocol11,
+                                           true);
+        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                           kTLSProtocol12,
+                                           true);
+        break;
+      case CURL_SSLVERSION_TLSv1_0:
+        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                           kTLSProtocol1,
+                                           true);
+        switch(conn->ssl_config.version_max) {
+          case CURL_SSLVERSION_MAX_TLSv1_3:
+          case CURL_SSLVERSION_MAX_TLSv1_2:
+          case CURL_SSLVERSION_MAX_DEFAULT:
+            (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                               kTLSProtocol12,
+                                               true);
+          case CURL_SSLVERSION_MAX_TLSv1_1:
+            (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                               kTLSProtocol11,
+                                               true);
+        }
+        break;
+      case CURL_SSLVERSION_TLSv1_1:
+        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                           kTLSProtocol11,
+                                           true);
+        switch(conn->ssl_config.version_max) {
+          case CURL_SSLVERSION_MAX_TLSv1_3:
+          case CURL_SSLVERSION_MAX_TLSv1_2:
+          case CURL_SSLVERSION_MAX_DEFAULT:
+            (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                               kTLSProtocol12,
+                                               true);
+        }
+        break;
+      case CURL_SSLVERSION_TLSv1_2:
+        (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+                                           kTLSProtocol12,
+                                           true);
+        break;
+      case CURL_SSLVERSION_TLSv1_3:
+        failf(data, "DarwinSSL: TLS 1.3 is not yet supported");
+        return CURLE_SSL_CONNECT_ERROR;
+    }
+  }
+#endif  /* CURL_SUPPORT_MAC_10_8 */
+#endif  /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
+  return CURLE_OK;
+}
+
+
 static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                         int sockindex)
 {
@@ -1111,20 +1220,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
       (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
       break;
     case CURL_SSLVERSION_TLSv1_0:
-      (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
-      (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1);
-      break;
     case CURL_SSLVERSION_TLSv1_1:
-      (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11);
-      (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11);
-      break;
     case CURL_SSLVERSION_TLSv1_2:
-      (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
-      (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
-      break;
     case CURL_SSLVERSION_TLSv1_3:
-      failf(data, "DarwinSSL: TLS 1.3 is not yet supported");
-      return CURLE_SSL_CONNECT_ERROR;
+      {
+        CURLcode result = set_ssl_version_min_max(conn, sockindex);
+        if(result != CURLE_OK)
+          return result;
+      } break;
     case CURL_SSLVERSION_SSLv3:
       err = SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
       if(err != noErr) {
@@ -1165,23 +1268,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                          true);
       break;
     case CURL_SSLVERSION_TLSv1_0:
-      (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
-                                         kTLSProtocol1,
-                                         true);
-      break;
     case CURL_SSLVERSION_TLSv1_1:
-      (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
-                                         kTLSProtocol11,
-                                         true);
-      break;
     case CURL_SSLVERSION_TLSv1_2:
-      (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
-                                         kTLSProtocol12,
-                                         true);
-      break;
     case CURL_SSLVERSION_TLSv1_3:
-      failf(data, "DarwinSSL: TLS 1.3 is not yet supported");
-      return CURLE_SSL_CONNECT_ERROR;
+      {
+        CURLcode result = set_ssl_version_min_max(conn, sockindex);
+        if(result != CURLE_OK)
+          return result;
+      } break;
     case CURL_SSLVERSION_SSLv3:
       err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                          kSSLProtocol3,
@@ -1207,6 +1301,11 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 #endif  /* CURL_SUPPORT_MAC_10_8 */
   }
 #else
+  if(conn->ssl_config.version_max != CURL_SSLVERSION_MAX_NONE) {
+    failf(data, "Your version of the OS does not support to set maximum"
+                " SSL/TLS version");
+    return CURLE_SSL_CONNECT_ERROR;
+  }
   (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, kSSLProtocolAll, false);
   switch(conn->ssl_config.version) {
   case CURL_SSLVERSION_DEFAULT: