
[Patch 1/3 v2] nss: map CURL_SSLVERSION_DEFAULT to NSS default

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Tue, 1 Nov 2016 16:42:06 +0100

... but make sure we use at least TLSv1.0 according to libcurl API

---
 lib/vtls/nss.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index dff1575..5abb574 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
                                 struct Curl_easy *data)
 {
   switch(data->set.ssl.version) {
-  default:
   case CURL_SSLVERSION_DEFAULT:
+    /* map CURL_SSLVERSION_DEFAULT to NSS default */
+    if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
+      return CURLE_SSL_CONNECT_ERROR;
+    /* ... but make sure we use at least TLSv1.0 according to libcurl API */
+    if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
+      sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    return CURLE_OK;
+
   case CURL_SSLVERSION_TLSv1:
     sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */
 #ifdef SSL_LIBRARY_VERSION_TLS_1_2
     sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
 #elif defined SSL_LIBRARY_VERSION_TLS_1_1
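Review bot: The new `CURL_SSLVERSION_DEFAULT` arm returns `CURLE_SSL_CONNECT_ERROR` when `SSL_VersionRangeGetDefault()` fails but never calls `failf()`, so the user gets an error code with no explanation, unlike the fall-through path that ends in `failf(data, "TLS minor version cannot be set")`. I would add a line such as `failf(data, "unable to get the NSS default SSL version range");` before that return. The clamp also raises only `sslver->min`: if the default range NSS reports ever had `max` below TLS 1.0, the result would be an inverted range, so either add `if(sslver->max < sslver->min) return CURLE_SSL_CONNECT_ERROR;` or a comment saying why that cannot occur. The body of nss_init_sslver continues outside this hunk.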
@@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
     return CURLE_OK;
 #endif
     break;
+
+  default:
+    /* unsupported SSL/TLS version */
+    break;
   }
 
   failf(data, "TLS minor version cannot be set");
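Review bot: The new `default:` arm falls through to the shared `failf(data, "TLS minor version cannot be set")`, which reports an unrecognized `data->set.ssl.version` value as if it were a minor-version problem. Rejecting unknown values instead of silently treating them as the default is the safer behaviour, but the message should say what was rejected, for example `failf(data, "unsupported SSL/TLS version requested");` inside the `default:` arm. How that interacts with the later `failf()` call and the function's return is outside the hunk, so the arm may need its own return rather than `break`.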
-- 
2.7.4