
curl-library

Re: [PATCH] Fix forcing SSLv3 connections

From: Barry Abrahamson <barry_at_automattic.com>
Date: Wed, 1 Jan 2014 16:50:45 -0600

On Jan 1, 2014, at 2:38 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Tue, 31 Dec 2013, Barry Abrahamson wrote:
>
>> Since ad34a2d5c87c7f4b14e8dded3 (present in 7.34.0 release) forcing SSLv3 will always return the error "curl: (35) Unsupported SSL protocol version". Can be replicated with `curl -I -3 https://www.google.com/`. This patch simply allows for v3 to be forced.
>
> Thanks!
>
> Merged and pushed now!

Thanks! Some feedback provided by byte_bucket on IRC pointed out that this patch isn’t really correct because it allows for “upgrading” to a newer protocol when it should be only allowing for SSLv3.

Attached patch fixes that.

When an SSLv3 connection is forced, don't allow SSL
negotiations for newer versions. Feedback provided by
byte_bucket in #curl. This behavior is also consistent
with the other force flags like --tlsv1.1 which doesn't
allow for TLSv1.2 negotiation, etc.

---
 lib/vtls/openssl.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index bc22bb8..b3ab992 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1551,7 +1551,6 @@ ossl_connect_step1(struct connectdata *conn,
   switch(data->set.ssl.version) {
   case CURL_SSLVERSION_DEFAULT:
-  case CURL_SSLVERSION_SSLv3:
     ctx_options |= SSL_OP_NO_SSLv2;
 #ifdef USE_TLS_SRP
     if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
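Review bot: dropping `case CURL_SSLVERSION_SSLv3:` from the DEFAULT group also drops it out of the `#ifdef USE_TLS_SRP` branch that follows, so a request that forces SSLv3 with `authtype == CURL_TLSAUTH_SRP` will now silently skip whatever that branch configures instead of sharing it with DEFAULT as before. Either state in a comment that SRP is intentionally not applied when SSLv3 is forced, or reject that combination explicitly so the caller gets an error rather than a connection with different settings than requested.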
@@ -1561,6 +1560,15 @@ ossl_connect_step1(struct connectdata *conn,
 #endif
     break;
+  case CURL_SSLVERSION_SSLv3:
+    ctx_options |= SSL_OP_NO_SSLv2;
+    ctx_options |= SSL_OP_NO_TLSv1;
+#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
+    ctx_options |= SSL_OP_NO_TLSv1_1;
+    ctx_options |= SSL_OP_NO_TLSv1_2;
+#endif
+    break;
+
   case CURL_SSLVERSION_TLSv1:
     ctx_options |= SSL_OP_NO_SSLv2;
     ctx_options |= SSL_OP_NO_SSLv3;
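Review bot: the new SSLv3 case is correct in intent (mirrors the TLSv1 case below, which excludes SSLv2 and SSLv3, by excluding SSLv2 and every TLS version), and the `OPENSSL_VERSION_NUMBER >= 0x1000100FL` guard is needed because `SSL_OP_NO_TLSv1_1` / `SSL_OP_NO_TLSv1_2` do not exist in older OpenSSL headers; two small things: the extra blank `+` line after `break;` does not match the surrounding cases, where `break;` is followed directly by the next `case`, so drop it, and a one-line comment such as `/* forced SSLv3: refuse to negotiate anything newer */` would keep a future reader from folding this case back into DEFAULT, which is exactly the bug this patch corrects.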
--
1.7.10.4
--
Barry Abrahamson | Systems Wrangler | Automattic
Blog: http://barry.wordpress.com
Received on 2014-01-01