|
 |
9d7d3f |
From a7b1ea3537b30450ad82d2c64d31dcecaed60fca Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: Gergely Nagy <ngg@tresorit.com>
|
|
|
9d7d3f |
Date: Thu, 19 Sep 2013 15:17:13 +0200
|
|
|
9d7d3f |
Subject: [PATCH 1/9] SSL: protocol version can be specified more precisely
|
|
|
9d7d3f |
|
|
|
9d7d3f |
CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1,
|
|
|
9d7d3f |
CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version
|
|
|
9d7d3f |
(CURL_SSLVERSION_TLSv1 means TLS 1.x).
|
|
|
9d7d3f |
|
|
|
9d7d3f |
axTLS:
|
|
|
9d7d3f |
axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one
|
|
|
9d7d3f |
of these should be used, so we don't allow the new enum values.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
darwinssl:
|
|
|
9d7d3f |
Added support for the new enum values.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
SChannel:
|
|
|
9d7d3f |
Added support for the new enum values.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
CyaSSL:
|
|
|
9d7d3f |
Added support for the new enum values.
|
|
|
9d7d3f |
Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it
|
|
|
9d7d3f |
did the same before this commit), because CyaSSL cannot be configured to
|
|
|
9d7d3f |
use TLS 1.0-1.2.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
GSKit:
|
|
|
9d7d3f |
GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow
|
|
|
9d7d3f |
those values.
|
|
|
9d7d3f |
Bugfix: There was a typo that caused wrong SSL versions to be passed to
|
|
|
9d7d3f |
GSKit.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
NSS:
|
|
|
9d7d3f |
TLS minor version cannot be set, so we don't allow the new enum values.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
QsoSSL:
|
|
|
9d7d3f |
TLS minor version cannot be set, so we don't allow the new enum values.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
OpenSSL:
|
|
|
9d7d3f |
Added support for the new enum values.
|
|
|
9d7d3f |
Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0,
|
|
|
9d7d3f |
now it enables 1.0-1.2.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
Command-line tool:
|
|
|
9d7d3f |
Added command line options for the new values.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
[upstream commit ad34a2d5c87c7f4b14e8dded34569395de0d8c5b]
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
docs/libcurl/curl_easy_setopt.3 | 8 +++++-
|
|
|
9d7d3f |
docs/libcurl/symbols-in-versions | 3 ++
|
|
|
9d7d3f |
include/curl/curl.h | 5 +++-
|
|
|
9d7d3f |
lib/axtls.c | 3 +-
|
|
|
9d7d3f |
lib/curl_darwinssl.c | 34 +++++++++++++++++++++++++
|
|
|
9d7d3f |
lib/curl_schannel.c | 9 ++++++
|
|
|
9d7d3f |
lib/cyassl.c | 13 +++++++++-
|
|
|
9d7d3f |
lib/nss.c | 6 ++++
|
|
|
9d7d3f |
lib/qssl.c | 6 ++++
|
|
|
9d7d3f |
lib/ssluse.c | 51 +++++++++++++++++++++++++++----------
|
|
|
9d7d3f |
packages/OS400/curl.inc.in | 6 ++++
|
|
|
9d7d3f |
src/tool_getparam.c | 25 ++++++++++++++++--
|
|
|
9d7d3f |
src/tool_setopt.c | 3 ++
|
|
|
9d7d3f |
13 files changed, 151 insertions(+), 21 deletions(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
|
|
|
9d7d3f |
index 3d31aef..92db8f4 100644
|
|
|
9d7d3f |
--- a/docs/libcurl/curl_easy_setopt.3
|
|
|
9d7d3f |
+++ b/docs/libcurl/curl_easy_setopt.3
|
|
|
9d7d3f |
@@ -2219,11 +2219,17 @@ The default action. This will attempt to figure out the remote SSL protocol
|
|
|
9d7d3f |
version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
|
|
|
9d7d3f |
by default with 7.18.1).
|
|
|
9d7d3f |
.IP CURL_SSLVERSION_TLSv1
|
|
|
9d7d3f |
-Force TLSv1
|
|
|
9d7d3f |
+Force TLSv1.x
|
|
|
9d7d3f |
.IP CURL_SSLVERSION_SSLv2
|
|
|
9d7d3f |
Force SSLv2
|
|
|
9d7d3f |
.IP CURL_SSLVERSION_SSLv3
|
|
|
9d7d3f |
Force SSLv3
|
|
|
9d7d3f |
+.IP CURL_SSLVERSION_TLSv1_0
|
|
|
9d7d3f |
+Force TLSv1.0
|
|
|
9d7d3f |
+.IP CURL_SSLVERSION_TLSv1_1
|
|
|
9d7d3f |
+Force TLSv1.1
|
|
|
9d7d3f |
+.IP CURL_SSLVERSION_TLSv1_2
|
|
|
9d7d3f |
+Force TLSv1.2
|
|
|
9d7d3f |
.RE
|
|
|
9d7d3f |
.IP CURLOPT_SSL_VERIFYPEER
|
|
|
9d7d3f |
Pass a long as parameter. By default, curl assumes a value of 1.
|
|
|
9d7d3f |
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
|
|
|
9d7d3f |
index 37b5e27..57fa6eb 100644
|
|
|
9d7d3f |
--- a/docs/libcurl/symbols-in-versions
|
|
|
9d7d3f |
+++ b/docs/libcurl/symbols-in-versions
|
|
|
9d7d3f |
@@ -678,6 +678,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2
|
|
|
9d7d3f |
CURL_SSLVERSION_SSLv2 7.9.2
|
|
|
9d7d3f |
CURL_SSLVERSION_SSLv3 7.9.2
|
|
|
9d7d3f |
CURL_SSLVERSION_TLSv1 7.9.2
|
|
|
9d7d3f |
+CURL_SSLVERSION_TLSv1_0 7.33.0
|
|
|
9d7d3f |
+CURL_SSLVERSION_TLSv1_1 7.33.0
|
|
|
9d7d3f |
+CURL_SSLVERSION_TLSv1_2 7.33.0
|
|
|
9d7d3f |
CURL_TIMECOND_IFMODSINCE 7.9.7
|
|
|
9d7d3f |
CURL_TIMECOND_IFUNMODSINCE 7.9.7
|
|
|
9d7d3f |
CURL_TIMECOND_LASTMOD 7.9.7
|
|
|
9d7d3f |
diff --git a/include/curl/curl.h b/include/curl/curl.h
|
|
|
9d7d3f |
index 80e4cf5..8e548e3 100644
|
|
|
9d7d3f |
--- a/include/curl/curl.h
|
|
|
9d7d3f |
+++ b/include/curl/curl.h
|
|
|
9d7d3f |
@@ -1625,9 +1625,12 @@ enum CURL_NETRC_OPTION {
|
|
|
9d7d3f |
|
|
|
9d7d3f |
enum {
|
|
|
9d7d3f |
CURL_SSLVERSION_DEFAULT,
|
|
|
9d7d3f |
- CURL_SSLVERSION_TLSv1,
|
|
|
9d7d3f |
+ CURL_SSLVERSION_TLSv1, /* TLS 1.x */
|
|
|
9d7d3f |
CURL_SSLVERSION_SSLv2,
|
|
|
9d7d3f |
CURL_SSLVERSION_SSLv3,
|
|
|
9d7d3f |
+ CURL_SSLVERSION_TLSv1_0,
|
|
|
9d7d3f |
+ CURL_SSLVERSION_TLSv1_1,
|
|
|
9d7d3f |
+ CURL_SSLVERSION_TLSv1_2,
|
|
|
9d7d3f |
|
|
|
9d7d3f |
CURL_SSLVERSION_LAST /* never use, keep last */
|
|
|
9d7d3f |
};
|
|
|
9d7d3f |
diff --git a/lib/axtls.c b/lib/axtls.c
|
|
|
9d7d3f |
index d512950..68794b5 100644
|
|
|
9d7d3f |
--- a/lib/axtls.c
|
|
|
9d7d3f |
+++ b/lib/axtls.c
|
|
|
9d7d3f |
@@ -169,7 +169,8 @@ Curl_axtls_connect(struct connectdata *conn,
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1:
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
default:
|
|
|
9d7d3f |
- failf(data, "axTLS only supports TLSv1");
|
|
|
9d7d3f |
+ failf(data, "axTLS only supports TLS 1.0 and 1.1, "
|
|
|
9d7d3f |
+ "and it cannot be specified which one to use");
|
|
|
9d7d3f |
return CURLE_SSL_CONNECT_ERROR;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c
|
|
|
9d7d3f |
index 827c876..69eff8a 100644
|
|
|
9d7d3f |
--- a/lib/curl_darwinssl.c
|
|
|
9d7d3f |
+++ b/lib/curl_darwinssl.c
|
|
|
9d7d3f |
@@ -719,6 +719,18 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
|
|
|
9d7d3f |
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
|
|
|
9d7d3f |
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
|
|
|
9d7d3f |
+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1);
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11);
|
|
|
9d7d3f |
+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11);
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_2:
|
|
|
9d7d3f |
+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
|
|
|
9d7d3f |
+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
case CURL_SSLVERSION_SSLv3:
|
|
|
9d7d3f |
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
|
|
|
9d7d3f |
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3);
|
|
|
9d7d3f |
@@ -759,6 +771,21 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
|
|
|
9d7d3f |
kTLSProtocol12,
|
|
|
9d7d3f |
true);
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
|
|
9d7d3f |
+ kTLSProtocol1,
|
|
|
9d7d3f |
+ true);
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
|
|
9d7d3f |
+ kTLSProtocol11,
|
|
|
9d7d3f |
+ true);
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_2:
|
|
|
9d7d3f |
+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
|
|
9d7d3f |
+ kTLSProtocol12,
|
|
|
9d7d3f |
+ true);
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
case CURL_SSLVERSION_SSLv3:
|
|
|
9d7d3f |
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
|
|
9d7d3f |
kSSLProtocol3,
|
|
|
9d7d3f |
@@ -785,10 +812,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
|
|
|
9d7d3f |
true);
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1:
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
|
|
9d7d3f |
kTLSProtocol1,
|
|
|
9d7d3f |
true);
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
+ failf(data, "Your version of the OS does not support TLSv1.1");
|
|
|
9d7d3f |
+ return CURLE_SSL_CONNECT_ERROR;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_2:
|
|
|
9d7d3f |
+ failf(data, "Your version of the OS does not support TLSv1.2");
|
|
|
9d7d3f |
+ return CURLE_SSL_CONNECT_ERROR;
|
|
|
9d7d3f |
case CURL_SSLVERSION_SSLv2:
|
|
|
9d7d3f |
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
|
|
|
9d7d3f |
kSSLProtocol2,
|
|
|
9d7d3f |
diff --git a/lib/curl_schannel.c b/lib/curl_schannel.c
|
|
|
9d7d3f |
index a615f57..19b7f71 100644
|
|
|
9d7d3f |
--- a/lib/curl_schannel.c
|
|
|
9d7d3f |
+++ b/lib/curl_schannel.c
|
|
|
9d7d3f |
@@ -180,6 +180,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
|
|
|
9d7d3f |
SP_PROT_TLS1_1_CLIENT |
|
|
|
9d7d3f |
SP_PROT_TLS1_2_CLIENT;
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT;
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_1_CLIENT;
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_2:
|
|
|
9d7d3f |
+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT;
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
case CURL_SSLVERSION_SSLv3:
|
|
|
9d7d3f |
schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
diff --git a/lib/cyassl.c b/lib/cyassl.c
|
|
|
9d7d3f |
index 7c78464..ff11bdd 100644
|
|
|
9d7d3f |
--- a/lib/cyassl.c
|
|
|
9d7d3f |
+++ b/lib/cyassl.c
|
|
|
9d7d3f |
@@ -5,7 +5,7 @@
|
|
|
9d7d3f |
* | (__| |_| | _ <| |___
|
|
|
9d7d3f |
* \___|\___/|_| \_\_____|
|
|
|
9d7d3f |
*
|
|
|
9d7d3f |
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
|
9d7d3f |
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
|
9d7d3f |
*
|
|
|
9d7d3f |
* This software is licensed as described in the file COPYING, which
|
|
|
9d7d3f |
* you should have received as part of this distribution. The terms
|
|
|
9d7d3f |
@@ -98,8 +98,19 @@ cyassl_connect_step1(struct connectdata *conn,
|
|
|
9d7d3f |
req_method = SSLv23_client_method();
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1:
|
|
|
9d7d3f |
+ infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
|
|
|
9d7d3f |
+ "TLS 1.0 is used exclusively\n");
|
|
|
9d7d3f |
req_method = TLSv1_client_method();
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
+ req_method = TLSv1_client_method();
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
+ req_method = TLSv1_1_client_method();
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_2:
|
|
|
9d7d3f |
+ req_method = TLSv1_2_client_method();
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
case CURL_SSLVERSION_SSLv3:
|
|
|
9d7d3f |
req_method = SSLv3_client_method();
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
9d7d3f |
index 111982f..ff93a38 100644
|
|
|
9d7d3f |
--- a/lib/nss.c
|
|
|
9d7d3f |
+++ b/lib/nss.c
|
|
|
9d7d3f |
@@ -1266,6 +1266,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|
|
9d7d3f |
case CURL_SSLVERSION_SSLv3:
|
|
|
9d7d3f |
ssl3 = PR_TRUE;
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_2:
|
|
|
9d7d3f |
+ failf(data, "TLS minor version cannot be set\n");
|
|
|
9d7d3f |
+ curlerr = CURLE_SSL_CONNECT_ERROR;
|
|
|
9d7d3f |
+ goto error;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
|
|
|
9d7d3f |
diff --git a/lib/qssl.c b/lib/qssl.c
|
|
|
9d7d3f |
index 8ef6fec..8b5e499 100644
|
|
|
9d7d3f |
--- a/lib/qssl.c
|
|
|
9d7d3f |
+++ b/lib/qssl.c
|
|
|
9d7d3f |
@@ -206,6 +206,12 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
|
|
|
9d7d3f |
case CURL_SSLVERSION_SSLv3:
|
|
|
9d7d3f |
h->protocol = SSL_VERSION_3;
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_2:
|
|
|
9d7d3f |
+ failf(data, "TLS minor version cannot be set");
|
|
|
9d7d3f |
+ return CURLE_SSL_CONNECT_ERROR;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
rc = SSL_Handshake(h, SSL_HANDSHAKE_AS_CLIENT);
|
|
|
9d7d3f |
diff --git a/lib/ssluse.c b/lib/ssluse.c
|
|
|
9d7d3f |
index 4a0dba7..dd99435 100644
|
|
|
9d7d3f |
--- a/lib/ssluse.c
|
|
|
9d7d3f |
+++ b/lib/ssluse.c
|
|
|
9d7d3f |
@@ -1389,19 +1389,12 @@ ossl_connect_step1(struct connectdata *conn,
|
|
|
9d7d3f |
switch(data->set.ssl.version) {
|
|
|
9d7d3f |
default:
|
|
|
9d7d3f |
case CURL_SSLVERSION_DEFAULT:
|
|
|
9d7d3f |
-#ifdef USE_TLS_SRP
|
|
|
9d7d3f |
- if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
|
|
|
9d7d3f |
- infof(data, "Set version TLSv1 for SRP authorisation\n");
|
|
|
9d7d3f |
- req_method = TLSv1_client_method() ;
|
|
|
9d7d3f |
- }
|
|
|
9d7d3f |
- else
|
|
|
9d7d3f |
-#endif
|
|
|
9d7d3f |
- /* we try to figure out version */
|
|
|
9d7d3f |
- req_method = SSLv23_client_method();
|
|
|
9d7d3f |
- use_sni(TRUE);
|
|
|
9d7d3f |
- break;
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1:
|
|
|
9d7d3f |
- req_method = TLSv1_client_method();
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_2:
|
|
|
9d7d3f |
+ /* it will be handled later with the context options */
|
|
|
9d7d3f |
+ req_method = SSLv23_client_method();
|
|
|
9d7d3f |
use_sni(TRUE);
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
case CURL_SSLVERSION_SSLv2:
|
|
|
9d7d3f |
@@ -1514,9 +1507,39 @@ ossl_connect_step1(struct connectdata *conn,
|
|
|
9d7d3f |
ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
|
|
9d7d3f |
#endif
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
|
|
|
9d7d3f |
- if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
|
|
|
9d7d3f |
+ switch(data->set.ssl.version) {
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_DEFAULT:
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_SSLv2;
|
|
|
9d7d3f |
+#ifdef USE_TLS_SRP
|
|
|
9d7d3f |
+ if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
|
|
|
9d7d3f |
+ infof(data, "Set version TLSv1.x for SRP authorisation\n");
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_SSLv3;
|
|
|
9d7d3f |
+ }
|
|
|
9d7d3f |
+#endif
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1:
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_SSLv2;
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_SSLv3;
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
ctx_options |= SSL_OP_NO_SSLv2;
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_SSLv3;
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_TLSv1_1;
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_TLSv1_2;
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_SSLv2;
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_SSLv3;
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_TLSv1;
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_TLSv1_2;
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_2:
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_SSLv2;
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_SSLv3;
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_TLSv1;
|
|
|
9d7d3f |
+ ctx_options |= SSL_OP_NO_TLSv1_1;
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ }
|
|
|
9d7d3f |
|
|
|
9d7d3f |
SSL_CTX_set_options(connssl->ctx, ctx_options);
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in
|
|
|
9d7d3f |
index 33ca12a..22a5511 100644
|
|
|
9d7d3f |
--- a/packages/OS400/curl.inc.in
|
|
|
9d7d3f |
+++ b/packages/OS400/curl.inc.in
|
|
|
9d7d3f |
@@ -226,6 +226,12 @@
|
|
|
9d7d3f |
d c 2
|
|
|
9d7d3f |
d CURL_SSLVERSION_SSLv3...
|
|
|
9d7d3f |
d c 3
|
|
|
9d7d3f |
+ d CURL_SSLVERSION_TLSv1_0...
|
|
|
9d7d3f |
+ d c 4
|
|
|
9d7d3f |
+ d CURL_SSLVERSION_TLSv1_1...
|
|
|
9d7d3f |
+ d c 5
|
|
|
9d7d3f |
+ d CURL_SSLVERSION_TLSv1_2...
|
|
|
9d7d3f |
+ d c 6
|
|
|
9d7d3f |
*
|
|
|
9d7d3f |
d CURL_TLSAUTH_NONE...
|
|
|
9d7d3f |
d c 0
|
|
|
9d7d3f |
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
|
|
|
9d7d3f |
index 297b986..98d53a7 100644
|
|
|
9d7d3f |
--- a/src/tool_getparam.c
|
|
|
9d7d3f |
+++ b/src/tool_getparam.c
|
|
|
9d7d3f |
@@ -175,6 +175,9 @@ static const struct LongShort aliases[]= {
|
|
|
9d7d3f |
{"$J", "metalink", FALSE},
|
|
|
9d7d3f |
{"0", "http1.0", FALSE},
|
|
|
9d7d3f |
{"1", "tlsv1", FALSE},
|
|
|
9d7d3f |
+ {"10", "tlsv1.0", FALSE},
|
|
|
9d7d3f |
+ {"11", "tlsv1.1", FALSE},
|
|
|
9d7d3f |
+ {"12", "tlsv1.2", FALSE},
|
|
|
9d7d3f |
{"2", "sslv2", FALSE},
|
|
|
9d7d3f |
{"3", "sslv3", FALSE},
|
|
|
9d7d3f |
{"4", "ipv4", FALSE},
|
|
|
9d7d3f |
@@ -873,9 +876,25 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
|
|
|
9d7d3f |
/* HTTP version 1.0 */
|
|
|
9d7d3f |
config->httpversion = CURL_HTTP_VERSION_1_0;
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
- case '1':
|
|
|
9d7d3f |
- /* TLS version 1 */
|
|
|
9d7d3f |
- config->ssl_version = CURL_SSLVERSION_TLSv1;
|
|
|
9d7d3f |
+ case '1': /* --tlsv1* options */
|
|
|
9d7d3f |
+ switch(subletter) {
|
|
|
9d7d3f |
+ case '\0':
|
|
|
9d7d3f |
+ /* TLS version 1.x */
|
|
|
9d7d3f |
+ config->ssl_version = CURL_SSLVERSION_TLSv1;
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case '0':
|
|
|
9d7d3f |
+ /* TLS version 1.0 */
|
|
|
9d7d3f |
+ config->ssl_version = CURL_SSLVERSION_TLSv1_0;
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case '1':
|
|
|
9d7d3f |
+ /* TLS version 1.1 */
|
|
|
9d7d3f |
+ config->ssl_version = CURL_SSLVERSION_TLSv1_1;
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ case '2':
|
|
|
9d7d3f |
+ /* TLS version 1.2 */
|
|
|
9d7d3f |
+ config->ssl_version = CURL_SSLVERSION_TLSv1_2;
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ }
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
case '2':
|
|
|
9d7d3f |
/* SSL version 2 */
|
|
|
9d7d3f |
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
|
|
|
9d7d3f |
index 4014177..9860117 100644
|
|
|
9d7d3f |
--- a/src/tool_setopt.c
|
|
|
9d7d3f |
+++ b/src/tool_setopt.c
|
|
|
9d7d3f |
@@ -78,6 +78,9 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
|
|
|
9d7d3f |
NV(CURL_SSLVERSION_TLSv1),
|
|
|
9d7d3f |
NV(CURL_SSLVERSION_SSLv2),
|
|
|
9d7d3f |
NV(CURL_SSLVERSION_SSLv3),
|
|
|
9d7d3f |
+ NV(CURL_SSLVERSION_TLSv1_0),
|
|
|
9d7d3f |
+ NV(CURL_SSLVERSION_TLSv1_1),
|
|
|
9d7d3f |
+ NV(CURL_SSLVERSION_TLSv1_2),
|
|
|
9d7d3f |
NVEND,
|
|
|
9d7d3f |
};
|
|
|
9d7d3f |
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
1.7.1
|
|
|
9d7d3f |
|
|
|
9d7d3f |
|
|
|
9d7d3f |
From 350765306d7e2946fc8295fa2bfc2fe0c14651fc Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
9d7d3f |
Date: Tue, 15 Oct 2013 20:31:04 +0200
|
|
|
9d7d3f |
Subject: [PATCH 2/9] curl: document the new --tlsv1.[012] options
|
|
|
9d7d3f |
|
|
|
9d7d3f |
[upstream commit 076726f1412205622414abd908723c4b33ca12cb]
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
docs/curl.1 | 20 ++++++++++++++++----
|
|
|
9d7d3f |
1 files changed, 16 insertions(+), 4 deletions(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/docs/curl.1 b/docs/curl.1
|
|
|
9d7d3f |
index b350865..53b378c 100644
|
|
|
9d7d3f |
--- a/docs/curl.1
|
|
|
9d7d3f |
+++ b/docs/curl.1
|
|
|
9d7d3f |
@@ -1419,14 +1419,26 @@ Set TLS authentication type. Currently, the only supported option is "SRP",
|
|
|
9d7d3f |
for TLS-SRP (RFC 5054). If \fI--tlsuser\fP and \fI--tlspassword\fP are
|
|
|
9d7d3f |
specified but \fI--tlsauthtype\fP is not, then this option defaults to "SRP".
|
|
|
9d7d3f |
(Added in 7.21.4)
|
|
|
9d7d3f |
-.IP "--tlsuser <user>"
|
|
|
9d7d3f |
-Set username for use with the TLS authentication method specified with
|
|
|
9d7d3f |
-\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set. (Added in
|
|
|
9d7d3f |
-7.21.4)
|
|
|
9d7d3f |
.IP "--tlspassword <password>"
|
|
|
9d7d3f |
Set password for use with the TLS authentication method specified with
|
|
|
9d7d3f |
\fI--tlsauthtype\fP. Requires that \fI--tlsuser\fP also be set. (Added in
|
|
|
9d7d3f |
7.21.4)
|
|
|
9d7d3f |
+.IP "--tlsuser <user>"
|
|
|
9d7d3f |
+Set username for use with the TLS authentication method specified with
|
|
|
9d7d3f |
+\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set. (Added in
|
|
|
9d7d3f |
+7.21.4)
|
|
|
9d7d3f |
+.IP "--tlsv1.0"
|
|
|
9d7d3f |
+(SSL)
|
|
|
9d7d3f |
+Forces curl to use TLS version 1.0 when negotiating with a remote TLS server.
|
|
|
9d7d3f |
+(Added in 7.34.0)
|
|
|
9d7d3f |
+.IP "--tlsv1.1"
|
|
|
9d7d3f |
+(SSL)
|
|
|
9d7d3f |
+Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.
|
|
|
9d7d3f |
+(Added in 7.34.0)
|
|
|
9d7d3f |
+.IP "--tlsv1.2"
|
|
|
9d7d3f |
+(SSL)
|
|
|
9d7d3f |
+Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
|
|
|
9d7d3f |
+(Added in 7.34.0)
|
|
|
9d7d3f |
.IP "--tr-encoding"
|
|
|
9d7d3f |
(HTTP) Request a compressed Transfer-Encoding response using one of the
|
|
|
9d7d3f |
algorithms curl supports, and uncompress the data while receiving it.
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
1.7.1
|
|
|
9d7d3f |
|
|
|
9d7d3f |
|
|
|
9d7d3f |
From ba2b4e87b396faab9ccb5a3ca9aca935a7a78a1b Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: Steve Holme <steve_holme@hotmail.com>
|
|
|
9d7d3f |
Date: Wed, 16 Oct 2013 20:06:23 +0100
|
|
|
9d7d3f |
Subject: [PATCH 3/9] SSL: Corrected version number for new symbols from commit ad34a2d5c87c7f
|
|
|
9d7d3f |
|
|
|
9d7d3f |
[upstream commit 2c84ffe1549ea7d5029ba7863f53013562e6758d]
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
docs/libcurl/symbols-in-versions | 6 +++---
|
|
|
9d7d3f |
1 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
|
|
|
9d7d3f |
index 57fa6eb..b275900 100644
|
|
|
9d7d3f |
--- a/docs/libcurl/symbols-in-versions
|
|
|
9d7d3f |
+++ b/docs/libcurl/symbols-in-versions
|
|
|
9d7d3f |
@@ -678,9 +678,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2
|
|
|
9d7d3f |
CURL_SSLVERSION_SSLv2 7.9.2
|
|
|
9d7d3f |
CURL_SSLVERSION_SSLv3 7.9.2
|
|
|
9d7d3f |
CURL_SSLVERSION_TLSv1 7.9.2
|
|
|
9d7d3f |
-CURL_SSLVERSION_TLSv1_0 7.33.0
|
|
|
9d7d3f |
-CURL_SSLVERSION_TLSv1_1 7.33.0
|
|
|
9d7d3f |
-CURL_SSLVERSION_TLSv1_2 7.33.0
|
|
|
9d7d3f |
+CURL_SSLVERSION_TLSv1_0 7.34.0
|
|
|
9d7d3f |
+CURL_SSLVERSION_TLSv1_1 7.34.0
|
|
|
9d7d3f |
+CURL_SSLVERSION_TLSv1_2 7.34.0
|
|
|
9d7d3f |
CURL_TIMECOND_IFMODSINCE 7.9.7
|
|
|
9d7d3f |
CURL_TIMECOND_IFUNMODSINCE 7.9.7
|
|
|
9d7d3f |
CURL_TIMECOND_LASTMOD 7.9.7
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
1.7.1
|
|
|
9d7d3f |
|
|
|
9d7d3f |
|
|
|
9d7d3f |
From 5f908139b4e56c969bf6ef06c115a0a12353c827 Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: Steve Holme <steve_holme@hotmail.com>
|
|
|
9d7d3f |
Date: Wed, 16 Oct 2013 20:18:15 +0100
|
|
|
9d7d3f |
Subject: [PATCH 4/9] DOCS: Added libcurl version number to CURLOPT_SSLVERSION
|
|
|
9d7d3f |
|
|
|
9d7d3f |
[upstream commit 75b9b26465d5f01b52564293c2d553649f801f70]
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
docs/libcurl/curl_easy_setopt.3 | 8 +++++---
|
|
|
9d7d3f |
1 files changed, 5 insertions(+), 3 deletions(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
|
|
|
9d7d3f |
index 92db8f4..d73b664 100644
|
|
|
9d7d3f |
--- a/docs/libcurl/curl_easy_setopt.3
|
|
|
9d7d3f |
+++ b/docs/libcurl/curl_easy_setopt.3
|
|
|
9d7d3f |
@@ -2212,6 +2212,8 @@ Even though this option doesn't need any parameter, in some configurations
|
|
|
9d7d3f |
arguments. Therefore, it's recommended to pass 1 as parameter to this option.
|
|
|
9d7d3f |
.IP CURLOPT_SSLVERSION
|
|
|
9d7d3f |
Pass a long as parameter to control what version of SSL/TLS to attempt to use.
|
|
|
9d7d3f |
+(Added in 7.9.2)
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
The available options are:
|
|
|
9d7d3f |
.RS
|
|
|
9d7d3f |
.IP CURL_SSLVERSION_DEFAULT
|
|
|
9d7d3f |
@@ -2225,11 +2227,11 @@ Force SSLv2
|
|
|
9d7d3f |
.IP CURL_SSLVERSION_SSLv3
|
|
|
9d7d3f |
Force SSLv3
|
|
|
9d7d3f |
.IP CURL_SSLVERSION_TLSv1_0
|
|
|
9d7d3f |
-Force TLSv1.0
|
|
|
9d7d3f |
+Force TLSv1.0 (Added in 7.34.0)
|
|
|
9d7d3f |
.IP CURL_SSLVERSION_TLSv1_1
|
|
|
9d7d3f |
-Force TLSv1.1
|
|
|
9d7d3f |
+Force TLSv1.1 (Added in 7.34.0)
|
|
|
9d7d3f |
.IP CURL_SSLVERSION_TLSv1_2
|
|
|
9d7d3f |
-Force TLSv1.2
|
|
|
9d7d3f |
+Force TLSv1.2 (Added in 7.34.0)
|
|
|
9d7d3f |
.RE
|
|
|
9d7d3f |
.IP CURLOPT_SSL_VERIFYPEER
|
|
|
9d7d3f |
Pass a long as parameter. By default, curl assumes a value of 1.
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
1.7.1
|
|
|
9d7d3f |
|
|
|
9d7d3f |
|
|
|
9d7d3f |
From 7940044fc233f626b912b5f51a7a0111a4c145d3 Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
9d7d3f |
Date: Mon, 25 Nov 2013 16:03:52 +0100
|
|
|
9d7d3f |
Subject: [PATCH 5/9] nss: use a better API for controlling SSL version
|
|
|
9d7d3f |
|
|
|
9d7d3f |
This change introduces a dependency on NSS 3.14+.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
[upstream commit 30e7e7552ba4397896ecac82ea04f38d52c4cc8f]
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
configure | 20 ++++++++++----------
|
|
|
9d7d3f |
configure.ac | 4 ++--
|
|
|
9d7d3f |
docs/INTERNALS | 2 +-
|
|
|
9d7d3f |
lib/nss.c | 40 +++++++++++++++++++---------------------
|
|
|
9d7d3f |
4 files changed, 32 insertions(+), 34 deletions(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/configure b/configure
|
|
|
9d7d3f |
index 2496b3c..ebde78a 100755
|
|
|
9d7d3f |
--- a/configure
|
|
|
9d7d3f |
+++ b/configure
|
|
|
9d7d3f |
@@ -23641,9 +23641,9 @@ $as_echo "found" >&6; }
|
|
|
9d7d3f |
CPPFLAGS="$CPPFLAGS $addcflags"
|
|
|
9d7d3f |
fi
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PK11_CreateGenericObject in -lnss3" >&5
|
|
|
9d7d3f |
-$as_echo_n "checking for PK11_CreateGenericObject in -lnss3... " >&6; }
|
|
|
9d7d3f |
-if ${ac_cv_lib_nss3_PK11_CreateGenericObject+:} false; then :
|
|
|
9d7d3f |
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_VersionRangeSet in -lnss3" >&5
|
|
|
9d7d3f |
+$as_echo_n "checking for SSL_VersionRangeSet in -lnss3... " >&6; }
|
|
|
9d7d3f |
+if ${ac_cv_lib_nss3_SSL_VersionRangeSet+:} false; then :
|
|
|
9d7d3f |
$as_echo_n "(cached) " >&6
|
|
|
9d7d3f |
else
|
|
|
9d7d3f |
ac_check_lib_save_LIBS=$LIBS
|
|
|
9d7d3f |
@@ -23655,26 +23655,26 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
|
|
9d7d3f |
#ifdef __cplusplus
|
|
|
9d7d3f |
extern "C"
|
|
|
9d7d3f |
#endif
|
|
|
9d7d3f |
-char PK11_CreateGenericObject ();
|
|
|
9d7d3f |
+char SSL_VersionRangeSet ();
|
|
|
9d7d3f |
int main (void)
|
|
|
9d7d3f |
{
|
|
|
9d7d3f |
-return PK11_CreateGenericObject ();
|
|
|
9d7d3f |
+return SSL_VersionRangeSet ();
|
|
|
9d7d3f |
;
|
|
|
9d7d3f |
return 0;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
_ACEOF
|
|
|
9d7d3f |
if ac_fn_c_try_link "$LINENO"; then :
|
|
|
9d7d3f |
- ac_cv_lib_nss3_PK11_CreateGenericObject=yes
|
|
|
9d7d3f |
+ ac_cv_lib_nss3_SSL_VersionRangeSet=yes
|
|
|
9d7d3f |
else
|
|
|
9d7d3f |
- ac_cv_lib_nss3_PK11_CreateGenericObject=no
|
|
|
9d7d3f |
+ ac_cv_lib_nss3_SSL_VersionRangeSet=no
|
|
|
9d7d3f |
fi
|
|
|
9d7d3f |
rm -f core conftest.err conftest.$ac_objext \
|
|
|
9d7d3f |
conftest$ac_exeext conftest.$ac_ext
|
|
|
9d7d3f |
LIBS=$ac_check_lib_save_LIBS
|
|
|
9d7d3f |
fi
|
|
|
9d7d3f |
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_PK11_CreateGenericObject" >&5
|
|
|
9d7d3f |
-$as_echo "$ac_cv_lib_nss3_PK11_CreateGenericObject" >&6; }
|
|
|
9d7d3f |
-if test "x$ac_cv_lib_nss3_PK11_CreateGenericObject" = xyes; then :
|
|
|
9d7d3f |
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_SSL_VersionRangeSet" >&5
|
|
|
9d7d3f |
+$as_echo "$ac_cv_lib_nss3_SSL_VersionRangeSet" >&6; }
|
|
|
9d7d3f |
+if test "x$ac_cv_lib_nss3_SSL_VersionRangeSet" = xyes; then :
|
|
|
9d7d3f |
|
|
|
9d7d3f |
|
|
|
9d7d3f |
$as_echo "#define USE_NSS 1" >>confdefs.h
|
|
|
9d7d3f |
diff --git a/configure.ac b/configure.ac
|
|
|
9d7d3f |
index 5970188..c81c879 100644
|
|
|
9d7d3f |
--- a/configure.ac
|
|
|
9d7d3f |
+++ b/configure.ac
|
|
|
9d7d3f |
@@ -2194,8 +2194,8 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
|
|
|
9d7d3f |
CPPFLAGS="$CPPFLAGS $addcflags"
|
|
|
9d7d3f |
fi
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- dnl The function PK11_CreateGenericObject is needed to load libnsspem.so
|
|
|
9d7d3f |
- AC_CHECK_LIB(nss3, PK11_CreateGenericObject,
|
|
|
9d7d3f |
+ dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0
|
|
|
9d7d3f |
+ AC_CHECK_LIB(nss3, SSL_VersionRangeSet,
|
|
|
9d7d3f |
[
|
|
|
9d7d3f |
AC_DEFINE(USE_NSS, 1, [if NSS is enabled])
|
|
|
9d7d3f |
AC_SUBST(USE_NSS, [1])
|
|
|
9d7d3f |
diff --git a/docs/INTERNALS b/docs/INTERNALS
|
|
|
9d7d3f |
index 03839c3..581b22d 100644
|
|
|
9d7d3f |
--- a/docs/INTERNALS
|
|
|
9d7d3f |
+++ b/docs/INTERNALS
|
|
|
9d7d3f |
@@ -43,7 +43,7 @@ Portability
|
|
|
9d7d3f |
openldap 2.0
|
|
|
9d7d3f |
MIT krb5 lib 1.2.4
|
|
|
9d7d3f |
qsossl V5R2M0
|
|
|
9d7d3f |
- NSS 3.12.x
|
|
|
9d7d3f |
+ NSS 3.14.x
|
|
|
9d7d3f |
axTLS 1.2.7
|
|
|
9d7d3f |
Heimdal ?
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
9d7d3f |
index ff93a38..14a0b0c 100644
|
|
|
9d7d3f |
--- a/lib/nss.c
|
|
|
9d7d3f |
+++ b/lib/nss.c
|
|
|
9d7d3f |
@@ -1175,9 +1175,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|
|
9d7d3f |
{
|
|
|
9d7d3f |
PRErrorCode err = 0;
|
|
|
9d7d3f |
PRFileDesc *model = NULL;
|
|
|
9d7d3f |
- PRBool ssl2 = PR_FALSE;
|
|
|
9d7d3f |
- PRBool ssl3 = PR_FALSE;
|
|
|
9d7d3f |
- PRBool tlsv1 = PR_FALSE;
|
|
|
9d7d3f |
+ SSLVersionRange sslver;
|
|
|
9d7d3f |
PRBool ssl_no_cache;
|
|
|
9d7d3f |
PRBool ssl_cbc_random_iv;
|
|
|
9d7d3f |
struct SessionHandle *data = conn->data;
|
|
|
9d7d3f |
@@ -1251,20 +1249,25 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|
|
9d7d3f |
switch (data->set.ssl.version) {
|
|
|
9d7d3f |
default:
|
|
|
9d7d3f |
case CURL_SSLVERSION_DEFAULT:
|
|
|
9d7d3f |
- ssl3 = PR_TRUE;
|
|
|
9d7d3f |
- if(data->state.ssl_connect_retry)
|
|
|
9d7d3f |
+ sslver.min = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
+ if(data->state.ssl_connect_retry) {
|
|
|
9d7d3f |
infof(data, "TLS disabled due to previous handshake failure\n");
|
|
|
9d7d3f |
+ sslver.max = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
+ }
|
|
|
9d7d3f |
else
|
|
|
9d7d3f |
- tlsv1 = PR_TRUE;
|
|
|
9d7d3f |
+ sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1:
|
|
|
9d7d3f |
- tlsv1 = PR_TRUE;
|
|
|
9d7d3f |
+ sslver.min = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
+ sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
case CURL_SSLVERSION_SSLv2:
|
|
|
9d7d3f |
- ssl2 = PR_TRUE;
|
|
|
9d7d3f |
+ sslver.min = SSL_LIBRARY_VERSION_2;
|
|
|
9d7d3f |
+ sslver.max = SSL_LIBRARY_VERSION_2;
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
case CURL_SSLVERSION_SSLv3:
|
|
|
9d7d3f |
- ssl3 = PR_TRUE;
|
|
|
9d7d3f |
+ sslver.min = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
+ sslver.max = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
@@ -1274,14 +1277,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|
|
9d7d3f |
goto error;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
|
|
|
9d7d3f |
- goto error;
|
|
|
9d7d3f |
- if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess)
|
|
|
9d7d3f |
- goto error;
|
|
|
9d7d3f |
- if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
|
|
|
9d7d3f |
- goto error;
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
- if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
|
|
|
9d7d3f |
+ if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
|
|
|
9d7d3f |
goto error;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
ssl_cbc_random_iv = !data->set.ssl_enable_beast;
|
|
|
9d7d3f |
@@ -1467,11 +1463,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|
|
9d7d3f |
if(model)
|
|
|
9d7d3f |
PR_Close(model);
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- /* cleanup on connection failure */
|
|
|
9d7d3f |
- Curl_llist_destroy(connssl->obj_list, NULL);
|
|
|
9d7d3f |
- connssl->obj_list = NULL;
|
|
|
9d7d3f |
+ /* cleanup on connection failure */
|
|
|
9d7d3f |
+ Curl_llist_destroy(connssl->obj_list, NULL);
|
|
|
9d7d3f |
+ connssl->obj_list = NULL;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) {
|
|
|
9d7d3f |
+ if((sslver.min == SSL_LIBRARY_VERSION_3_0)
|
|
|
9d7d3f |
+ && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
|
|
|
9d7d3f |
+ && isTLSIntoleranceError(err)) {
|
|
|
9d7d3f |
/* schedule reconnect through Curl_retry_request() */
|
|
|
9d7d3f |
data->state.ssl_connect_retry = TRUE;
|
|
|
9d7d3f |
infof(data, "Error in TLS handshake, trying SSLv3...\n");
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
1.7.1
|
|
|
9d7d3f |
|
|
|
9d7d3f |
|
|
|
9d7d3f |
From 08398e7a8a8ba4e6fef1557392e3c0104cc3550f Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
9d7d3f |
Date: Mon, 25 Nov 2013 16:14:55 +0100
|
|
|
9d7d3f |
Subject: [PATCH 6/9] nss: put SSL version selection into separate fnc
|
|
|
9d7d3f |
|
|
|
9d7d3f |
[upstream commit 4fb8241add5b68e95fbf44d3c2bf470201a9915d]
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
lib/nss.c | 72 +++++++++++++++++++++++++++++++++++-------------------------
|
|
|
9d7d3f |
1 files changed, 42 insertions(+), 30 deletions(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
9d7d3f |
index 14a0b0c..2e2240b 100644
|
|
|
9d7d3f |
--- a/lib/nss.c
|
|
|
9d7d3f |
+++ b/lib/nss.c
|
|
|
9d7d3f |
@@ -1171,6 +1171,46 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn,
|
|
|
9d7d3f |
return CURLE_OK;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
+static CURLcode nss_init_sslver(SSLVersionRange *sslver,
|
|
|
9d7d3f |
+ struct SessionHandle *data)
|
|
|
9d7d3f |
+{
|
|
|
9d7d3f |
+ switch (data->set.ssl.version) {
|
|
|
9d7d3f |
+ default:
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_DEFAULT:
|
|
|
9d7d3f |
+ sslver->min = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
+ if(data->state.ssl_connect_retry) {
|
|
|
9d7d3f |
+ infof(data, "TLS disabled due to previous handshake failure\n");
|
|
|
9d7d3f |
+ sslver->max = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
+ }
|
|
|
9d7d3f |
+ else
|
|
|
9d7d3f |
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
+ return CURLE_OK;
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1:
|
|
|
9d7d3f |
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
+ return CURLE_OK;
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_SSLv2:
|
|
|
9d7d3f |
+ sslver->min = SSL_LIBRARY_VERSION_2;
|
|
|
9d7d3f |
+ sslver->max = SSL_LIBRARY_VERSION_2;
|
|
|
9d7d3f |
+ return CURLE_OK;
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_SSLv3:
|
|
|
9d7d3f |
+ sslver->min = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
+ sslver->max = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
+ return CURLE_OK;
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
+ case CURL_SSLVERSION_TLSv1_2:
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+ }
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
+ failf(data, "TLS minor version cannot be set");
|
|
|
9d7d3f |
+ return CURLE_SSL_CONNECT_ERROR;
|
|
|
9d7d3f |
+}
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|
|
9d7d3f |
{
|
|
|
9d7d3f |
PRErrorCode err = 0;
|
|
|
9d7d3f |
@@ -1246,37 +1286,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|
|
9d7d3f |
if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
|
|
|
9d7d3f |
goto error;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- switch (data->set.ssl.version) {
|
|
|
9d7d3f |
- default:
|
|
|
9d7d3f |
- case CURL_SSLVERSION_DEFAULT:
|
|
|
9d7d3f |
- sslver.min = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
- if(data->state.ssl_connect_retry) {
|
|
|
9d7d3f |
- infof(data, "TLS disabled due to previous handshake failure\n");
|
|
|
9d7d3f |
- sslver.max = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
- }
|
|
|
9d7d3f |
- else
|
|
|
9d7d3f |
- sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
- break;
|
|
|
9d7d3f |
- case CURL_SSLVERSION_TLSv1:
|
|
|
9d7d3f |
- sslver.min = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
- sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
- break;
|
|
|
9d7d3f |
- case CURL_SSLVERSION_SSLv2:
|
|
|
9d7d3f |
- sslver.min = SSL_LIBRARY_VERSION_2;
|
|
|
9d7d3f |
- sslver.max = SSL_LIBRARY_VERSION_2;
|
|
|
9d7d3f |
- break;
|
|
|
9d7d3f |
- case CURL_SSLVERSION_SSLv3:
|
|
|
9d7d3f |
- sslver.min = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
- sslver.max = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
- break;
|
|
|
9d7d3f |
- case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
- case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
- case CURL_SSLVERSION_TLSv1_2:
|
|
|
9d7d3f |
- failf(data, "TLS minor version cannot be set\n");
|
|
|
9d7d3f |
- curlerr = CURLE_SSL_CONNECT_ERROR;
|
|
|
9d7d3f |
+ /* enable/disable the requested SSL version(s) */
|
|
|
9d7d3f |
+ if(nss_init_sslver(&sslver, data) != CURLE_OK)
|
|
|
9d7d3f |
goto error;
|
|
|
9d7d3f |
- }
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
|
|
|
9d7d3f |
goto error;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
1.7.1
|
|
|
9d7d3f |
|
|
|
9d7d3f |
|
|
|
9d7d3f |
From 91a3d58fc48f0d08ab81f1e013b2d58a7ccd7146 Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
9d7d3f |
Date: Mon, 25 Nov 2013 16:25:15 +0100
|
|
|
9d7d3f |
Subject: [PATCH 7/9] nss: allow to use TLS > 1.0 if built against recent NSS
|
|
|
9d7d3f |
|
|
|
9d7d3f |
Bug: http://curl.haxx.se/mail/lib-2013-11/0162.html
|
|
|
9d7d3f |
|
|
|
9d7d3f |
[upstream commit 7fc9325a52a6dad1f8b859a3269472ffc125edd0]
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
lib/nss.c | 22 ++++++++++++++++++++++
|
|
|
9d7d3f |
1 files changed, 22 insertions(+), 0 deletions(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
9d7d3f |
index 2e2240b..5cd33d8 100644
|
|
|
9d7d3f |
--- a/lib/nss.c
|
|
|
9d7d3f |
+++ b/lib/nss.c
|
|
|
9d7d3f |
@@ -1188,7 +1188,13 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
|
|
|
9d7d3f |
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1:
|
|
|
9d7d3f |
sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
+#ifdef SSL_LIBRARY_VERSION_TLS_1_2
|
|
|
9d7d3f |
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
|
|
|
9d7d3f |
+#elif defined SSL_LIBRARY_VERSION_TLS_1_1
|
|
|
9d7d3f |
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
|
|
|
9d7d3f |
+#else
|
|
|
9d7d3f |
sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
+#endif
|
|
|
9d7d3f |
return CURLE_OK;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
case CURL_SSLVERSION_SSLv2:
|
|
|
9d7d3f |
@@ -1202,8 +1208,24 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
|
|
|
9d7d3f |
return CURLE_OK;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1_0:
|
|
|
9d7d3f |
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
+ return CURLE_OK;
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1_1:
|
|
|
9d7d3f |
+#ifdef SSL_LIBRARY_VERSION_TLS_1_1
|
|
|
9d7d3f |
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_1;
|
|
|
9d7d3f |
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
|
|
|
9d7d3f |
+ return CURLE_OK;
|
|
|
9d7d3f |
+#endif
|
|
|
9d7d3f |
+ break;
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1_2:
|
|
|
9d7d3f |
+#ifdef SSL_LIBRARY_VERSION_TLS_1_2
|
|
|
9d7d3f |
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_2;
|
|
|
9d7d3f |
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
|
|
|
9d7d3f |
+ return CURLE_OK;
|
|
|
9d7d3f |
+#endif
|
|
|
9d7d3f |
break;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
1.7.1
|
|
|
9d7d3f |
|
|
|
9d7d3f |
|
|
|
9d7d3f |
From 404492a5a815b83fab58ce60434c01c270b6bc73 Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
9d7d3f |
Date: Mon, 2 Dec 2013 14:25:07 +0100
|
|
|
9d7d3f |
Subject: [PATCH 8/9] nss: unconditionally require NSS_InitContext()
|
|
|
9d7d3f |
|
|
|
9d7d3f |
... since we depend on NSS 3.14+ because of SSL_VersionRangeSet() anyway
|
|
|
9d7d3f |
|
|
|
9d7d3f |
[upstream commit 865666afca926faa1c721020fc54364540caf734]
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
configure | 12 ------------
|
|
|
9d7d3f |
configure.ac | 8 --------
|
|
|
9d7d3f |
lib/nss.c | 26 --------------------------
|
|
|
9d7d3f |
3 files changed, 0 insertions(+), 46 deletions(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/configure b/configure
|
|
|
9d7d3f |
index ebde78a..8741e21 100755
|
|
|
9d7d3f |
--- a/configure
|
|
|
9d7d3f |
+++ b/configure
|
|
|
9d7d3f |
@@ -23697,18 +23697,6 @@ fi
|
|
|
9d7d3f |
{ $as_echo "$as_me:${as_lineno-$LINENO}: detected NSS version $version" >&5
|
|
|
9d7d3f |
$as_echo "$as_me: detected NSS version $version" >&6;}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- ac_fn_c_check_func "$LINENO" "NSS_InitContext" "ac_cv_func_NSS_InitContext"
|
|
|
9d7d3f |
-if test "x$ac_cv_func_NSS_InitContext" = xyes; then :
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
-$as_echo "#define HAVE_NSS_INITCONTEXT 1" >>confdefs.h
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
- HAVE_NSS_INITCONTEXT=1
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
-fi
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
if test "x$cross_compiling" != "xyes"; then
|
|
|
9d7d3f |
LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$nssprefix/lib$libsuff"
|
|
|
9d7d3f |
export LD_LIBRARY_PATH
|
|
|
9d7d3f |
diff --git a/configure.ac b/configure.ac
|
|
|
9d7d3f |
index c81c879..70ef0b7 100644
|
|
|
9d7d3f |
--- a/configure.ac
|
|
|
9d7d3f |
+++ b/configure.ac
|
|
|
9d7d3f |
@@ -2211,14 +2211,6 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
|
|
|
9d7d3f |
if test "x$USE_NSS" = "xyes"; then
|
|
|
9d7d3f |
AC_MSG_NOTICE([detected NSS version $version])
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- dnl NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent
|
|
|
9d7d3f |
- dnl collisions on NSS initialization/shutdown with other libraries
|
|
|
9d7d3f |
- AC_CHECK_FUNC(NSS_InitContext,
|
|
|
9d7d3f |
- [
|
|
|
9d7d3f |
- AC_DEFINE(HAVE_NSS_INITCONTEXT, 1, [if you have the NSS_InitContext function])
|
|
|
9d7d3f |
- AC_SUBST(HAVE_NSS_INITCONTEXT, [1])
|
|
|
9d7d3f |
- ])
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
dnl when shared libs were found in a path that the run-time
|
|
|
9d7d3f |
dnl linker doesn't search through, we need to add it to
|
|
|
9d7d3f |
dnl LD_LIBRARY_PATH to prevent further configure tests to fail
|
|
|
9d7d3f |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
9d7d3f |
index 5cd33d8..7b49c20 100644
|
|
|
9d7d3f |
--- a/lib/nss.c
|
|
|
9d7d3f |
+++ b/lib/nss.c
|
|
|
9d7d3f |
@@ -76,9 +76,7 @@ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
|
|
|
9d7d3f |
|
|
|
9d7d3f |
PRLock * nss_initlock = NULL;
|
|
|
9d7d3f |
PRLock * nss_crllock = NULL;
|
|
|
9d7d3f |
-#ifdef HAVE_NSS_INITCONTEXT
|
|
|
9d7d3f |
NSSInitContext * nss_context = NULL;
|
|
|
9d7d3f |
-#endif
|
|
|
9d7d3f |
|
|
|
9d7d3f |
volatile int initialized = 0;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
@@ -853,7 +851,6 @@ isTLSIntoleranceError(PRInt32 err)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
|
|
|
9d7d3f |
{
|
|
|
9d7d3f |
-#ifdef HAVE_NSS_INITCONTEXT
|
|
|
9d7d3f |
NSSInitParameters initparams;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
if(nss_context != NULL)
|
|
|
9d7d3f |
@@ -861,12 +858,6 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
memset((void *) &initparams, '\0', sizeof(initparams));
|
|
|
9d7d3f |
initparams.length = sizeof(initparams);
|
|
|
9d7d3f |
-#else /* HAVE_NSS_INITCONTEXT */
|
|
|
9d7d3f |
- SECStatus rv;
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
- if(NSS_IsInitialized())
|
|
|
9d7d3f |
- return CURLE_OK;
|
|
|
9d7d3f |
-#endif
|
|
|
9d7d3f |
|
|
|
9d7d3f |
if(cert_dir) {
|
|
|
9d7d3f |
const bool use_sql = NSS_VersionCheck("3.12.0");
|
|
|
9d7d3f |
@@ -875,35 +866,22 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
|
|
|
9d7d3f |
return CURLE_OUT_OF_MEMORY;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
infof(data, "Initializing NSS with certpath: %s\n", certpath);
|
|
|
9d7d3f |
-#ifdef HAVE_NSS_INITCONTEXT
|
|
|
9d7d3f |
nss_context = NSS_InitContext(certpath, "", "", "", &initparams,
|
|
|
9d7d3f |
NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
|
|
|
9d7d3f |
free(certpath);
|
|
|
9d7d3f |
|
|
|
9d7d3f |
if(nss_context != NULL)
|
|
|
9d7d3f |
return CURLE_OK;
|
|
|
9d7d3f |
-#else /* HAVE_NSS_INITCONTEXT */
|
|
|
9d7d3f |
- rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
|
|
|
9d7d3f |
- free(certpath);
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
- if(rv == SECSuccess)
|
|
|
9d7d3f |
- return CURLE_OK;
|
|
|
9d7d3f |
-#endif
|
|
|
9d7d3f |
|
|
|
9d7d3f |
infof(data, "Unable to initialize NSS database\n");
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
infof(data, "Initializing NSS with certpath: none\n");
|
|
|
9d7d3f |
-#ifdef HAVE_NSS_INITCONTEXT
|
|
|
9d7d3f |
nss_context = NSS_InitContext("", "", "", "", &initparams, NSS_INIT_READONLY
|
|
|
9d7d3f |
| NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN
|
|
|
9d7d3f |
| NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD);
|
|
|
9d7d3f |
if(nss_context != NULL)
|
|
|
9d7d3f |
return CURLE_OK;
|
|
|
9d7d3f |
-#else /* HAVE_NSS_INITCONTEXT */
|
|
|
9d7d3f |
- if(NSS_NoDB_Init(NULL) == SECSuccess)
|
|
|
9d7d3f |
- return CURLE_OK;
|
|
|
9d7d3f |
-#endif
|
|
|
9d7d3f |
|
|
|
9d7d3f |
infof(data, "Unable to initialize NSS\n");
|
|
|
9d7d3f |
return CURLE_SSL_CACERT_BADFILE;
|
|
|
9d7d3f |
@@ -999,12 +977,8 @@ void Curl_nss_cleanup(void)
|
|
|
9d7d3f |
SECMOD_DestroyModule(mod);
|
|
|
9d7d3f |
mod = NULL;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
-#ifdef HAVE_NSS_INITCONTEXT
|
|
|
9d7d3f |
NSS_ShutdownContext(nss_context);
|
|
|
9d7d3f |
nss_context = NULL;
|
|
|
9d7d3f |
-#else /* HAVE_NSS_INITCONTEXT */
|
|
|
9d7d3f |
- NSS_Shutdown();
|
|
|
9d7d3f |
-#endif
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
PR_Unlock(nss_initlock);
|
|
|
9d7d3f |
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
1.7.1
|
|
|
9d7d3f |
|
|
|
9d7d3f |
|
|
|
9d7d3f |
From a643c75662b6909a5be1bed8273ed1273ab2b3f4 Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
9d7d3f |
Date: Mon, 2 Dec 2013 16:09:12 +0100
|
|
|
9d7d3f |
Subject: [PATCH 9/9] nss: make sure that 'sslver' is always initialized
|
|
|
9d7d3f |
|
|
|
9d7d3f |
[upstream commit e221b55f67a2e12717e911f25d1bb6c85fcebfab]
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
lib/nss.c | 9 +++++----
|
|
|
9d7d3f |
1 files changed, 5 insertions(+), 4 deletions(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
9d7d3f |
index 7b49c20..abc8a91 100644
|
|
|
9d7d3f |
--- a/lib/nss.c
|
|
|
9d7d3f |
+++ b/lib/nss.c
|
|
|
9d7d3f |
@@ -1151,13 +1151,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
|
|
|
9d7d3f |
switch (data->set.ssl.version) {
|
|
|
9d7d3f |
default:
|
|
|
9d7d3f |
case CURL_SSLVERSION_DEFAULT:
|
|
|
9d7d3f |
- sslver->min = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
if(data->state.ssl_connect_retry) {
|
|
|
9d7d3f |
infof(data, "TLS disabled due to previous handshake failure\n");
|
|
|
9d7d3f |
sslver->max = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
- else
|
|
|
9d7d3f |
- sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
|
|
|
9d7d3f |
return CURLE_OK;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1:
|
|
|
9d7d3f |
@@ -1211,7 +1208,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|
|
9d7d3f |
{
|
|
|
9d7d3f |
PRErrorCode err = 0;
|
|
|
9d7d3f |
PRFileDesc *model = NULL;
|
|
|
9d7d3f |
- SSLVersionRange sslver;
|
|
|
9d7d3f |
PRBool ssl_no_cache;
|
|
|
9d7d3f |
PRBool ssl_cbc_random_iv;
|
|
|
9d7d3f |
struct SessionHandle *data = conn->data;
|
|
|
9d7d3f |
@@ -1223,6 +1219,11 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|
|
9d7d3f |
long time_left;
|
|
|
9d7d3f |
PRUint32 timeout;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
+ SSLVersionRange sslver = {
|
|
|
9d7d3f |
+ SSL_LIBRARY_VERSION_3_0, /* min */
|
|
|
9d7d3f |
+ SSL_LIBRARY_VERSION_TLS_1_0 /* max */
|
|
|
9d7d3f |
+ };
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
if(connssl->state == ssl_connection_complete)
|
|
|
9d7d3f |
return CURLE_OK;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
1.7.1
|
|
|
9d7d3f |
|