Download
Browse source Changelog
Documentation
Project   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Version numbers curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Specifications Test curl
News
Changelog Release table
cURL / Mailing Lists / curl-library / Single Mail

curl-library

[Patch v3 2/3] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Thu, 3 Nov 2016 10:22:12 +0100

Fully implemented with the NSS backend only for now. 

---
 docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 ++
 docs/libcurl/symbols-in-versions       | 1 +
 include/curl/curl.h                    | 1 +
 lib/vtls/darwinssl.c                   | 9 +++++++++
 lib/vtls/gskit.c                       | 3 +++
 lib/vtls/gtls.c                        | 6 ++++++
 lib/vtls/nss.c                         | 8 ++++++++
 lib/vtls/polarssl.c                    | 3 +++
 lib/vtls/schannel.c                    | 3 +++
 packages/OS400/curl.inc.in             | 2 ++
 10 files changed, 38 insertions(+)
diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
index 2f40e46..1854af0 100644
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
@@ -48,6 +48,8 @@ TLSv1.0 (Added in 7.34.0)
 TLSv1.1 (Added in 7.34.0)
 .IP CURL_SSLVERSION_TLSv1_2
 TLSv1.2 (Added in 7.34.0)
+.IP CURL_SSLVERSION_TLSv1_3
+TLSv1.3 (Added in 7.51.1)
 .RE
 .SH DEFAULT
 CURL_SSLVERSION_DEFAULT
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index f6365ae..a77fde4 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -773,6 +773,7 @@ CURL_SSLVERSION_TLSv1           7.9.2
 CURL_SSLVERSION_TLSv1_0         7.34.0
 CURL_SSLVERSION_TLSv1_1         7.34.0
 CURL_SSLVERSION_TLSv1_2         7.34.0
+CURL_SSLVERSION_TLSv1_3         7.51.1
 CURL_TIMECOND_IFMODSINCE        7.9.7
 CURL_TIMECOND_IFUNMODSINCE      7.9.7
 CURL_TIMECOND_LASTMOD           7.9.7
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 9c09cb9..03fcfeb 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1805,6 +1805,7 @@ enum {
   CURL_SSLVERSION_TLSv1_0,
   CURL_SSLVERSION_TLSv1_1,
   CURL_SSLVERSION_TLSv1_2,
+  CURL_SSLVERSION_TLSv1_3,
 
   CURL_SSLVERSION_LAST /* never use, keep last */
 };
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 66e74f1..6aa30d4 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1071,6 +1071,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
         (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
         (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
         break;
+      case CURL_SSLVERSION_TLSv1_3:
+        failf(data, "TLSv1.3 is not yet supported with this TLS backend");
+        return CURLE_SSL_CONNECT_ERROR;
       case CURL_SSLVERSION_SSLv3:
         err = SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
         if(err != noErr) {
@@ -1122,6 +1125,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
                                            kTLSProtocol12,
                                            true);
         break;
+      case CURL_SSLVERSION_TLSv1_3:
+        failf(data, "TLSv1.3 is not yet supported with this TLS backend");
+        return CURLE_SSL_CONNECT_ERROR;
       case CURL_SSLVERSION_SSLv3:
         err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                            kSSLProtocol3,
@@ -1160,6 +1166,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
     case CURL_SSLVERSION_TLSv1_2:
       failf(data, "Your version of the OS does not support TLSv1.2");
       return CURLE_SSL_CONNECT_ERROR;
+    case CURL_SSLVERSION_TLSv1_3:
+      failf(data, "Your version of the OS does not support TLSv1.3");
+      return CURLE_SSL_CONNECT_ERROR;
     case CURL_SSLVERSION_SSLv2:
       err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
                                          kSSLProtocol2,
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index 3b0cfd5..9760c93 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -639,6 +639,9 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
   case CURL_SSLVERSION_TLSv1_2:
     protoflags = CURL_GSKPROTO_TLSV12_MASK;
     break;
+  case CURL_SSLVERSION_TLSv1_3:
+    failf(data, "TLS 1.3 not yet supported");
+    return CURLE_SSL_CIPHER;
   }
 
   /* Process SNI. Ignore if not supported (on OS400 < V7R1). */
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 5c87c7f..d47d80f 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -569,6 +569,9 @@ gtls_connect_step1(struct connectdata *conn,
       break;
     case CURL_SSLVERSION_TLSv1_2:
       protocol_priority[0] = GNUTLS_TLS1_2;
+    case CURL_SSLVERSION_TLSv1_3:
+      failf(data, "GnuTLS does not support TLSv1.3");
+      return CURLE_SSL_CONNECT_ERROR;
     break;
       case CURL_SSLVERSION_SSLv2:
     default:
@@ -607,6 +610,9 @@ gtls_connect_step1(struct connectdata *conn,
       prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
                      "+VERS-TLS1.2:" GNUTLS_SRP;
       break;
+    case CURL_SSLVERSION_TLSv1_3:
+      failf(data, "GnuTLS does not support TLSv1.3");
+      return CURLE_SSL_CONNECT_ERROR;
     case CURL_SSLVERSION_SSLv2:
     default:
       failf(data, "GnuTLS does not support SSLv2");
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 5abb574..5e52727 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1541,6 +1541,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
 #endif
     break;
 
+  case CURL_SSLVERSION_TLSv1_3:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+    sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
+    sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
+    return CURLE_OK;
+#endif
+    break;
+
   default:
     /* unsupported SSL/TLS version */
     break;
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index 18b564e..4e41315 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -306,6 +306,9 @@ polarssl_connect_step1(struct connectdata *conn,
                         SSL_MINOR_VERSION_3);
     infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.2\n");
     break;
+  case CURL_SSLVERSION_TLSv1_3:
+    failf(data, "PolarSSL: TLS 1.3 is not yet supported");
+    return CURLE_SSL_CONNECT_ERROR;
   }
 
   ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT);
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index f731eeb..63cb98a 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -213,6 +213,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
     case CURL_SSLVERSION_TLSv1_2:
       schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT;
       break;
+    case CURL_SSLVERSION_TLSv1_3:
+      failf(data, "schannel: TLS 1.3 is not yet supported");
+      return CURLE_SSL_CONNECT_ERROR;
     case CURL_SSLVERSION_SSLv3:
       schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
       break;
diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in
index 4176905..4028795 100644
--- a/packages/OS400/curl.inc.in
+++ b/packages/OS400/curl.inc.in
@@ -258,6 +258,8 @@
      d                 c                   5
      d CURL_SSLVERSION_TLSv1_2...
      d                 c                   6
+     d CURL_SSLVERSION_TLSv1_3...
+     d                 c                   7
       *
      d CURL_TLSAUTH_NONE...
      d                 c                   0
-- 
2.7.4
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-03