vtls: fix ssl version "or later" behavior change for many backends #3012

Closed
wants to merge 1 commit into from

@jay jay commented Sep 18, 2018

  • Treat CURL_SSLVERSION_MAX_NONE the same as
    CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use
    the minimum version also as the maximum.

This is a follow-up to 6015cef which changed the behavior of setting
the SSL version so that the requested version would only be the minimum
and not the maximum. It appears it was properly implemented in OpenSSL
but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to
mean use just TLS v1.0 and now it means use TLS v1.0 or later.

Co-authored-by: Daniel Gustafsson

Closes #xxxx
Closes #xxxx


@danielgustafsson danielgustafsson left a comment

I haven't tested any other backend than darwinssl, but the patch looks perfectly fine to me. Thanks for picking this up and taking it across the backends!

- Treat CURL_SSLVERSION_MAX_NONE the same as
  CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use
  the minimum version also as the maximum.

This is a follow-up to 6015cef which changed the behavior of setting
the SSL version so that the requested version would only be the minimum
and not the maximum. It appears it was (mostly) implemented in OpenSSL
but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to
mean use just TLS v1.0 and now it means use TLS v1.0 *or later*.

- Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL.

Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was
erroneously treated as always TLS 1.3, and would cause an error if
OpenSSL was built without TLS 1.3 support.

Co-authored-by: Daniel Gustafsson

Closes #xxxx
Closes #xxxx

jay commented Sep 18, 2018

Amended, found a related bug in openssl.c as well.

@jay jay closed this in 2e5651a Sep 20, 2018
@jay jay deleted the fix_sslver_behavior_change branch September 20, 2018 18:15
@lock lock bot locked as resolved and limited conversation to collaborators Dec 19, 2018
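
The version-range semantics discussed in this pull request, as an added sketch that is not code from curl or from this patch. The `resolve_range` helper, the `tls_range` struct, the `fixed` switch and the `backend_highest` parameter are hypothetical; the constants repeat the values from `curl/curl.h` so the file compiles without libcurl.

```c
#include <stdio.h>

/* Values as in curl/curl.h, repeated so this compiles without libcurl. */
#define CURL_SSLVERSION_TLSv1_0     4L
#define CURL_SSLVERSION_TLSv1_1     5L
#define CURL_SSLVERSION_TLSv1_2     6L
#define CURL_SSLVERSION_TLSv1_3     7L
#define CURL_SSLVERSION_MAX_NONE    0L
#define CURL_SSLVERSION_MAX_DEFAULT (1L << 16)
#define CURL_SSLVERSION_MAX_TLSv1_2 (CURL_SSLVERSION_TLSv1_2 << 16)

struct tls_range { long min; long max; };  /* hypothetical, not a curl type */

/* Hypothetical model of how a backend turns a CURLOPT_SSLVERSION value into
   a protocol range. 'backend_highest' is an assumption standing in for the
   newest version the TLS library was built with. 'fixed' selects the
   behaviour described in this pull request. */
static struct tls_range resolve_range(long opt, long backend_highest, int fixed)
{
  struct tls_range r;
  long max = opt & ~0xffffL;          /* upper 16 bits: requested maximum */
  r.min = opt & 0xffffL;              /* lower 16 bits: requested minimum */

  if(max == CURL_SSLVERSION_MAX_NONE && fixed)
    max = CURL_SSLVERSION_MAX_DEFAULT;  /* NONE now means "no cap requested" */

  if(max == CURL_SSLVERSION_MAX_NONE)
    r.max = r.min;                    /* old: minimum doubled as the maximum */
  else if(max == CURL_SSLVERSION_MAX_DEFAULT)
    r.max = backend_highest;          /* whatever the library supports */
  else
    r.max = max >> 16;                /* explicit CURL_SSLVERSION_MAX_* cap */
  return r;
}

int main(void)
{
  long opt = CURL_SSLVERSION_TLSv1_0;
  struct tls_range before = resolve_range(opt, CURL_SSLVERSION_TLSv1_2, 0);
  struct tls_range after = resolve_range(opt, CURL_SSLVERSION_TLSv1_2, 1);
  struct tls_range pinned = resolve_range(
    CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_2,
    CURL_SSLVERSION_TLSv1_3, 1);
  printf("before: %ld..%ld\n", before.min, before.max);
  printf("after:  %ld..%ld\n", after.min, after.max);
  printf("pinned: %ld..%ld\n", pinned.min, pinned.max);
  return 0;
}
```

An application that needs exactly one protocol version combines the minimum with an explicit `CURL_SSLVERSION_MAX_*` value, as the `pinned` case does, instead of relying on the minimum alone.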