Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

openssl: make the requested TLS version the *minimum* wanted #2694

Closed
wants to merge 3 commits into from
Closed

openssl: make the requested TLS version the *minimum* wanted #2694

wants to merge 3 commits into from

Conversation

bagder
Copy link
Member

@bagder bagder commented Jun 28, 2018

The code treated the set version as the exact version to require in
the TLS handshake, which is not what other TLS backends do and probably
not what most people expect either.

Reported-by: Andreas Olsson
Fixes #2691

@bagder
openssl: make the requested TLS version the *minimum* wanted
3763ffb 
The code treated the set version as the *exact* version to require in
the TLS handshake, which is not what other TLS backends do and probably
not what most people expect either.

Reported-by: Andreas Olsson
Fixes #2691
@bagder bagder added the TLS label Jun 28, 2018
malhotrag
malhotrag reviewed Jun 29, 2018
View reviewed changes
lib/vtls/openssl.c Outdated
@@ -2113,6 +2109,7 @@ set_ssl_version_min_max(long *ctx_options, struct connectdata *conn,
#endif
/* FALLTHROUGH */
case CURL_SSLVERSION_TLSv1_0:
case CURL_SSLVERSION_TLSv1:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding this case here has the same effect as the existing code at line number 2336. Should that line be removed?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, good catch. It seems wrong to have this duplicated, I'll see what I should cleanup here...

@malhotrag
Copy link
Contributor

It looks like setting CURLOPT_SSLVERSION to CURL_SSLVERSION_SSLv3 or CURL_SSLVERSION_SSLv2 will result in using that exact version of the protocol and not set that as a minimum. Is that intentional?

@bagder
Copy link
Member Author

bagder commented Jun 29, 2018

@malhotrag I suppose not, but since they are so old and not used by default I feel less sure about changing how they work... A default OpenSSL build doesn't even support them at all these days.

@malhotrag
Copy link
Contributor

It's not directly related to this change, but I happened to notice while reviewing that the ssl_authtype == CURL_TLSAUTH_SRP check at line 2318 will never be satisfied because of the earlier check at line 2223.

@malhotrag
Copy link
Contributor

With this change, we seem to have lost the difference in behavior between CURL_SSLVERSION_TLSv1 and CURL_SSLVERSION_TLSv1_0. They appear to be equivalent now. Before this change, specifying CURL_SSLVERSION_TLSv1 without a *VERSION_MAX implied 1.0 or 1.1 or 1.2, while, specifying CURL_SSLVERSION_TLSv1_0 without a *VERSION_MAX implied 1.0 only. I think the CURLOPT_SSLVERSION documentation can be improved to convey the current behavior more accurately.

@bagder
Copy link
Member Author

bagder commented Jun 29, 2018

ssl_authtype == CURL_TLSAUTH_SRP check at line 2318 will never be satisfied

Can you submit this as a separate issue so that we don't lose it?

@bagder
fixup CURLOPT_SSLVERSION.3 to clarify
0aa52d5 
Feedback-by: Gaurav Malhotra
@malhotrag
Copy link
Contributor

malhotrag commented Jun 29, 2018
edited
Loading

@bagder Sure. I will submit an issue/pull request for CURL_TLSAUTH_SRP dead check.
Edit: Created pull request #2698

@bagder bagder closed this in 6015cef Jun 29, 2018
@bagder bagder deleted the bagder/openssl-sslversion-minimum branch June 29, 2018 20:54
@bagder bagder mentioned this pull request Sep 10, 2018
Closed
danielgustafsson added a commit to danielgustafsson/curl that referenced this pull request Sep 18, 2018
@danielgustafsson
darwinssl: make requested TLS version the minimum
ae34c32 
Make the requested TLS version the minimum and allow for any higher
protocol in the negotiation, rather than capping the protocol version
to the requested. This fixes Secure Transport (darwinssl) to behave
like OpenSSL as it was changed in curl#2694 (reported in curl#2969).
@danielgustafsson danielgustafsson mentioned this pull request Sep 18, 2018
Closed
@lock lock bot locked as resolved and limited conversation to collaborators Sep 27, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@malhotrag malhotrag malhotrag left review comments

Assignees
No one assigned
Labels
TLS
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@bagder @malhotrag