curl-library
[Patch 1/3 v2] nss: map CURL_SSLVERSION_DEFAULT to NSS default
From: Kamil Dudka <kdudka_at_redhat.com>
Date: Tue, 1 Nov 2016 16:42:06 +0100
Date: Tue, 1 Nov 2016 16:42:06 +0100
... but make sure we use at least TLSv1.0 according to libcurl API
--- lib/vtls/nss.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index dff1575..5abb574 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, struct Curl_easy *data) { switch(data->set.ssl.version) { - default: case CURL_SSLVERSION_DEFAULT: + /* map CURL_SSLVERSION_DEFAULT to NSS default */ + if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess) + return CURLE_SSL_CONNECT_ERROR; + /* ... but make sure we use at least TLSv1.0 according to libcurl API */ + if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0) + sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; + return CURLE_OK; + case CURL_SSLVERSION_TLSv1: sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; + /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */ #ifdef SSL_LIBRARY_VERSION_TLS_1_2 sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; #elif defined SSL_LIBRARY_VERSION_TLS_1_1 @@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, return CURLE_OK; #endif break; + + default: + /* unsupported SSL/TLS version */ + break; } failf(data, "TLS minor version cannot be set"); -- 2.7.4 ------------------------------------------------------------------- List admin: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.htmlReceived on 2016-11-01