cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Disabling SSLv2 by default (was Re: [PATCH] support for server name indication (RFC 4366))

From: Kaspar Brand <curl-lib.2008_at_velox.ch>
Date: Mon, 18 Feb 2008 18:01:18 +0100

> On 14.02.2008, at 18:50, Daniel Stenberg wrote:
>
>>> I think starting disabling ssl2 by default is also a good thing
>>> today.
>
>> I agree. Related feature request:
>> http://sourceforge.net/tracker/index.php?func=detail&aid=1767276&group_id=976&atid=350976
>
>
> Yay to that. That would probably also solve my gripes about compilation
> on systems where SSLv2 is already deactivated in OpenSSL.

Here's a patch I tried attaching to the SF.net tracker yesterday, but
with limited success (it was garbled when posting). So I am resending it
to the list, as suggested by Daniel.

For the sake of completeness, here are the comments from the FR entry:

> While not exactly addressing the original request, here's a patch which
> disables SSLv2 when CURL_SSLVERSION_DEFAULT is used (couldn't figure out
> how to attach the file separately - maybe because I'm neither the reporter
> nor the assignee?).
>
> It includes the changes for all SSL toolkits currently supported by curl.
> Note that for NSS, this will "automagically" turn on TLS extensions (server
> name indication/SNI e.g.), if compiled against 3.11 or later. For GnuTLS,
> no changes are needed - SSLv2 isn't implemented in that library on
> purpose.

Kaspar

Index: lib/ssluse.c
===================================================================
RCS file: /cvsroot/curl/curl/lib/ssluse.c,v
retrieving revision 1.192
diff -u -p -r1.192 ssluse.c
--- lib/ssluse.c 7 Feb 2008 22:25:04 -0000 1.192
+++ lib/ssluse.c 18 Feb 2008 16:53:55 -0000
@@ -1324,6 +1331,10 @@ ossl_connect_step1(struct connectdata *c
   */
   SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);
 
+ /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
+ if (data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
+ SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2);
+
 #if 0
   /*
    * Not sure it's needed to tell SSL_connect() that socket is
Index: lib/nss.c
===================================================================
RCS file: /cvsroot/curl/curl/lib/nss.c,v
retrieving revision 1.15
diff -u -p -r1.15 nss.c
--- lib/nss.c 15 Jan 2008 23:19:02 -0000 1.15
+++ lib/nss.c 18 Feb 2008 16:53:55 -0000
@@ -873,7 +873,7 @@ CURLcode Curl_nss_connect(struct connect
   switch (data->set.ssl.version) {
   default:
   case CURL_SSLVERSION_DEFAULT:
- ssl2 = ssl3 = tlsv1 = PR_TRUE;
+ ssl3 = tlsv1 = PR_TRUE;
     break;
   case CURL_SSLVERSION_TLSv1:
     tlsv1 = PR_TRUE;
@@ -893,6 +893,9 @@ CURLcode Curl_nss_connect(struct connect
   if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
     goto error;
 
+ if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
+ goto error;
+
   if(data->set.ssl.cipher_list) {
     if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
       curlerr = CURLE_SSL_CIPHER;
Index: lib/qssl.c
===================================================================
RCS file: /cvsroot/curl/curl/lib/qssl.c,v
retrieving revision 1.9
diff -u -p -r1.9 qssl.c
--- lib/qssl.c 11 Feb 2008 22:03:31 -0000 1.9
+++ lib/qssl.c 18 Feb 2008 16:53:55 -0000
@@ -90,7 +90,7 @@ static CURLcode Curl_qsossl_init_session
   memset((char *) &initappstr, 0, sizeof initappstr);
   initappstr.applicationID = certname;
   initappstr.applicationIDLen = strlen(certname);
- initappstr.protocol = SSL_VERSION_CURRENT;
+ initappstr.protocol = TLSV1_SSLV3;
   initappstr.sessionType = SSL_REGISTERED_AS_CLIENT;
   rc = SSL_Init_Application(&initappstr);
 
@@ -190,7 +190,7 @@ static CURLcode Curl_qsossl_handshake(st
 
   default:
   case CURL_SSLVERSION_DEFAULT:
- h->protocol = SSL_VERSION_CURRENT;
+ h->protocol = TLSV1_SSLV3;
     break;
 
   case CURL_SSLVERSION_TLSv1:
Index: docs/libcurl/curl_easy_setopt.3
===================================================================
RCS file: /cvsroot/curl/curl/docs/libcurl/curl_easy_setopt.3,v
retrieving revision 1.211
diff -u -p -r1.211 curl_easy_setopt.3
--- docs/libcurl/curl_easy_setopt.3 11 Jan 2008 14:20:41 -0000 1.211
+++ docs/libcurl/curl_easy_setopt.3 18 Feb 2008 16:53:56 -0000
@@ -1379,10 +1379,9 @@ Pass a long as parameter to control what
 The available options are:
 .RS
 .IP CURL_SSLVERSION_DEFAULT
-The default action. When libcurl built with OpenSSL or NSS, this will attempt
-to figure out the remote SSL protocol version. Unfortunately there are a lot of
-ancient and broken servers in use which cannot handle this technique and will
-fail to connect. When libcurl is built with GnuTLS, this will mean SSLv3.
+The default action. This will attempt to figure out the remote SSL protocol
+version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
+by default with 7.18.1).
 .IP CURL_SSLVERSION_TLSv1
 Force TLSv1
 .IP CURL_SSLVERSION_SSLv2
Received on 2008-02-18