From 0c36569c6541ed1eb924ccd60dea5caca0d1e957 Mon Sep 17 00:00:00 2001

From: Kamil Dudka <kdudka@redhat.com>

Date: Thu, 27 Oct 2016 14:57:11 +0200

Subject: [PATCH 1/5] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3

Fully implemented with the NSS backend only for now.

Reviewed-by: Ray Satiro

Upstream-commit: 6ad3add60654182a747f5971afb40817488ef0e8

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 docs/libcurl/curl_easy_setopt.3  | 2 ++

 docs/libcurl/symbols-in-versions | 1 +

 include/curl/curl.h              | 1 +

 lib/nss.c                        | 8 ++++++++

 packages/OS400/curl.inc.in       | 2 ++

 5 files changed, 14 insertions(+)

diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3

index 17b632f..226e0ca 100644

--- a/docs/libcurl/curl_easy_setopt.3

+++ b/docs/libcurl/curl_easy_setopt.3

@@ -2262,6 +2262,8 @@ Force TLSv1.0 (Added in 7.34.0)

 Force TLSv1.1 (Added in 7.34.0)

 .IP CURL_SSLVERSION_TLSv1_2

 Force TLSv1.2 (Added in 7.34.0)

+.IP CURL_SSLVERSION_TLSv1_3

+Force TLSv1.3 (Added in 7.51.1)

 .RE

 .IP CURLOPT_SSL_VERIFYPEER

 Pass a long as parameter. By default, curl assumes a value of 1.

diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions

index e2cce4c..a66bd97 100644

--- a/docs/libcurl/symbols-in-versions

+++ b/docs/libcurl/symbols-in-versions

@@ -685,6 +685,7 @@ CURL_SSLVERSION_TLSv1           7.9.2

 CURL_SSLVERSION_TLSv1_0         7.34.0

 CURL_SSLVERSION_TLSv1_1         7.34.0

 CURL_SSLVERSION_TLSv1_2         7.34.0

+CURL_SSLVERSION_TLSv1_3         7.51.1

 CURL_TIMECOND_IFMODSINCE        7.9.7

 CURL_TIMECOND_IFUNMODSINCE      7.9.7

 CURL_TIMECOND_LASTMOD           7.9.7

diff --git a/include/curl/curl.h b/include/curl/curl.h

index 8b639fa..0fb1885 100644

--- a/include/curl/curl.h

+++ b/include/curl/curl.h

@@ -1645,6 +1645,7 @@ enum {

   CURL_SSLVERSION_TLSv1_0,

   CURL_SSLVERSION_TLSv1_1,

   CURL_SSLVERSION_TLSv1_2,

+  CURL_SSLVERSION_TLSv1_3,

   CURL_SSLVERSION_LAST /* never use, keep last */

 };

diff --git a/lib/nss.c b/lib/nss.c

index 31e5d75..8e26d1f 100644

--- a/lib/nss.c

+++ b/lib/nss.c

@@ -1331,6 +1331,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,

     sslver->min = SSL_LIBRARY_VERSION_TLS_1_2;

     sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;

     return CURLE_OK;

+#endif

+    break;

+

+  case CURL_SSLVERSION_TLSv1_3:

+#ifdef SSL_LIBRARY_VERSION_TLS_1_3

+    sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;

+    sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;

+    return CURLE_OK;

 #endif

     break;

   }

diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in

index 22a5511..30e6506 100644

--- a/packages/OS400/curl.inc.in

+++ b/packages/OS400/curl.inc.in

@@ -232,6 +232,8 @@

      d                 c                   5

      d CURL_SSLVERSION_TLSv1_2...

      d                 c                   6

+     d CURL_SSLVERSION_TLSv1_3...

+     d                 c                   7

       *

      d CURL_TLSAUTH_NONE...

      d                 c                   0

-- 

2.17.2

From d18da081cc26df5605b5a2995615660eb3270712 Mon Sep 17 00:00:00 2001

From: Kamil Dudka <kdudka@redhat.com>

Date: Thu, 27 Oct 2016 14:58:43 +0200

Subject: [PATCH 2/5] curl: introduce the --tlsv1.3 option to force TLS 1.3

Fully implemented with the NSS backend only for now.

Reviewed-by: Ray Satiro

Upstream-commit: a110a03b43057879643046538c79cc9dd20d399a

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 docs/curl.1         | 10 +++++++---

 src/tool_getparam.c |  5 +++++

 src/tool_help.c     |  1 +

 src/tool_setopt.c   |  1 +

 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/docs/curl.1 b/docs/curl.1

index a26b03c..0c5ed9a 100644

--- a/docs/curl.1

+++ b/docs/curl.1

@@ -118,9 +118,9 @@ internally preferred: HTTP 1.1.

 .IP "-1, --tlsv1"

 (SSL)

 Forces curl to use TLS version 1.x when negotiating with a remote TLS server.

-You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to

-control the TLS version more precisely (if the SSL backend in use supports such

-a level of control).

+You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and

+\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend

+in use supports such a level of control).

 .IP "-2, --sslv2"

 (SSL)

 Forces curl to use SSL version 2 when negotiating with a remote SSL server.

@@ -1469,6 +1469,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.

 (SSL)

 Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.

 (Added in 7.34.0)

+.IP "--tlsv1.3"

+(SSL)

+Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.

+(Added in 7.51.1)

 .IP "--tr-encoding"

 (HTTP) Request a compressed Transfer-Encoding response using one of the

 algorithms curl supports, and uncompress the data while receiving it.

diff --git a/src/tool_getparam.c b/src/tool_getparam.c

index 32fc68b..86a7bb6 100644

--- a/src/tool_getparam.c

+++ b/src/tool_getparam.c

@@ -179,6 +179,7 @@ static const struct LongShort aliases[]= {

   {"10",  "tlsv1.0",                 FALSE},

   {"11",  "tlsv1.1",                 FALSE},

   {"12",  "tlsv1.2",                 FALSE},

+  {"13",  "tlsv1.3",                 FALSE},

   {"2",  "sslv2",                    FALSE},

   {"3",  "sslv3",                    FALSE},

   {"4",  "ipv4",                     FALSE},

@@ -1000,6 +1001,10 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */

         /* TLS version 1.2 */

         config->ssl_version = CURL_SSLVERSION_TLSv1_2;

         break;

+      case '3':

+        /* TLS version 1.3 */

+        config->ssl_version = CURL_SSLVERSION_TLSv1_3;

+        break;

       }

       break;

     case '2':

diff --git a/src/tool_help.c b/src/tool_help.c

index c2883eb..0659db6 100644

--- a/src/tool_help.c

+++ b/src/tool_help.c

@@ -205,6 +205,7 @@ static const char *const helptext[] = {

   "     --tlsv1.0       Use TLSv1.0 (SSL)",

   "     --tlsv1.1       Use TLSv1.1 (SSL)",

   "     --tlsv1.2       Use TLSv1.2 (SSL)",

+  "     --tlsv1.3       Use TLSv1.3 (SSL)",

   "     --trace FILE    Write a debug trace to the given file",

   "     --trace-ascii FILE  Like --trace but without the hex output",

   "     --trace-time    Add time stamps to trace/verbose output",

diff --git a/src/tool_setopt.c b/src/tool_setopt.c

index 5ae32cd..0534118 100644

--- a/src/tool_setopt.c

+++ b/src/tool_setopt.c

@@ -81,6 +81,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {

   NV(CURL_SSLVERSION_TLSv1_0),

   NV(CURL_SSLVERSION_TLSv1_1),

   NV(CURL_SSLVERSION_TLSv1_2),

+  NV(CURL_SSLVERSION_TLSv1_3),

   NVEND,

 };

-- 

2.17.2

From 6ffdc6a1ca867c0ed228ffba172cb910b77011f0 Mon Sep 17 00:00:00 2001

From: Jozef Kralik <jozef.kralik@eset.sk>

Date: Tue, 13 Dec 2016 21:10:00 +0100

Subject: [PATCH 3/5] vtls: add options to specify range of enabled TLS

 versions

This commit introduces the CURL_SSLVERSION_MAX_* constants as well as

the --tls-max option of the curl tool.

Closes https://github.com/curl/curl/pull/1166

Upstream-commit: 6448f98c1857de521fb2dd3f9d4e5659845b5474

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 docs/curl.1                      | 21 ++++++-

 docs/libcurl/curl_easy_setopt.3  | 18 +++++-

 docs/libcurl/symbols-in-versions |  8 ++-

 include/curl/curl.h              | 12 ++++

 lib/nss.c                        | 94 ++++++++++++++++++++++----------

 lib/sslgen.c                     |  2 +

 lib/url.c                        |  7 ++-

 lib/urldata.h                    |  1 +

 src/tool_cfgable.h               |  1 +

 src/tool_getparam.c              |  6 ++

 src/tool_help.c                  |  1 +

 src/tool_operate.c               |  3 +-

 src/tool_paramhlp.c              | 32 +++++++++++

 src/tool_paramhlp.h              |  2 +

 14 files changed, 175 insertions(+), 33 deletions(-)

diff --git a/docs/curl.1 b/docs/curl.1

index 0c5ed9a..35fae14 100644

--- a/docs/curl.1

+++ b/docs/curl.1

@@ -1472,7 +1472,26 @@ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.

 .IP "--tlsv1.3"

 (SSL)

 Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.

-(Added in 7.51.1)

+(Added in 7.52.0)

+.IP "--tls-max <VERSION>"

+(SSL) VERSION defines maximum supported TLS version. The minimum acceptable version

+is set by tlsv1.0, tlsv1.1, tlsv1.2 or tlsv1.3.

+

+.RS

+.IP "default"

+Use up to recommended TLS version.

+.IP "1.0"

+Use up to TLSv1.0.

+.IP "1.1"

+Use up to TLSv1.1.

+.IP "1.2"

+Use up to TLSv1.2.

+.IP "1.3"

+Use up to TLSv1.3.

+.RE

+

+See also \fI--tlsv1.0\fP and \fI--tlsv1.1\fP and \fI--tlsv1.2\fP and

+\fI--tlsv1.3\fP.  Added in 7.54.0.

 .IP "--tr-encoding"

 (HTTP) Request a compressed Transfer-Encoding response using one of the

 algorithms curl supports, and uncompress the data while receiving it.

diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3

index 226e0ca..55d207e 100644

--- a/docs/libcurl/curl_easy_setopt.3

+++ b/docs/libcurl/curl_easy_setopt.3

@@ -2263,7 +2263,23 @@ Force TLSv1.1 (Added in 7.34.0)

 .IP CURL_SSLVERSION_TLSv1_2

 Force TLSv1.2 (Added in 7.34.0)

 .IP CURL_SSLVERSION_TLSv1_3

-Force TLSv1.3 (Added in 7.51.1)

+Force TLSv1.3 (Added in 7.52.0)

+.IP CURL_SSLVERSION_MAX_DEFAULT

+The flag defines maximum supported TLS version as TLSv1.2 or default

+value from SSL library.

+(Added in 7.54.0)

+.IP CURL_SSLVERSION_MAX_TLSv1_0

+The flag defines maximum supported TLS version as TLSv1.0.

+(Added in 7.54.0)

+.IP CURL_SSLVERSION_MAX_TLSv1_1

+The flag defines maximum supported TLS version as TLSv1.1.

+(Added in 7.54.0)

+.IP CURL_SSLVERSION_MAX_TLSv1_2

+The flag defines maximum supported TLS version as TLSv1.2.

+(Added in 7.54.0)

+.IP CURL_SSLVERSION_MAX_TLSv1_3

+The flag defines maximum supported TLS version as TLSv1.3.

+(Added in 7.54.0)

 .RE

 .IP CURLOPT_SSL_VERIFYPEER

 Pass a long as parameter. By default, curl assumes a value of 1.

diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions

index a66bd97..34e0ac3 100644

--- a/docs/libcurl/symbols-in-versions

+++ b/docs/libcurl/symbols-in-versions

@@ -685,7 +685,13 @@ CURL_SSLVERSION_TLSv1           7.9.2

 CURL_SSLVERSION_TLSv1_0         7.34.0

 CURL_SSLVERSION_TLSv1_1         7.34.0

 CURL_SSLVERSION_TLSv1_2         7.34.0

-CURL_SSLVERSION_TLSv1_3         7.51.1

+CURL_SSLVERSION_TLSv1_3         7.52.0

+CURL_SSLVERSION_MAX_NONE        7.54.0

+CURL_SSLVERSION_MAX_DEFAULT     7.54.0

+CURL_SSLVERSION_MAX_TLSv1_0     7.54.0

+CURL_SSLVERSION_MAX_TLSv1_1     7.54.0

+CURL_SSLVERSION_MAX_TLSv1_2     7.54.0

+CURL_SSLVERSION_MAX_TLSv1_3     7.54.0

 CURL_TIMECOND_IFMODSINCE        7.9.7

 CURL_TIMECOND_IFUNMODSINCE      7.9.7

 CURL_TIMECOND_LASTMOD           7.9.7

diff --git a/include/curl/curl.h b/include/curl/curl.h

index 0fb1885..5a46925 100644

--- a/include/curl/curl.h

+++ b/include/curl/curl.h

@@ -1650,6 +1650,18 @@ enum {

   CURL_SSLVERSION_LAST /* never use, keep last */

 };

+enum {

+  CURL_SSLVERSION_MAX_NONE =     0,

+  CURL_SSLVERSION_MAX_DEFAULT =  (CURL_SSLVERSION_TLSv1   << 16),

+  CURL_SSLVERSION_MAX_TLSv1_0 =  (CURL_SSLVERSION_TLSv1_0 << 16),

+  CURL_SSLVERSION_MAX_TLSv1_1 =  (CURL_SSLVERSION_TLSv1_1 << 16),

+  CURL_SSLVERSION_MAX_TLSv1_2 =  (CURL_SSLVERSION_TLSv1_2 << 16),

+  CURL_SSLVERSION_MAX_TLSv1_3 =  (CURL_SSLVERSION_TLSv1_3 << 16),

+

+  /* never use, keep last */

+  CURL_SSLVERSION_MAX_LAST =     (CURL_SSLVERSION_LAST    << 16)

+};

+

 enum CURL_TLSAUTH {

   CURL_TLSAUTH_NONE,

   CURL_TLSAUTH_SRP,

diff --git a/lib/nss.c b/lib/nss.c

index 8e26d1f..d8e481b 100644

--- a/lib/nss.c

+++ b/lib/nss.c

@@ -1284,67 +1284,105 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn,

   return CURLE_OK;

 }

-static CURLcode nss_init_sslver(SSLVersionRange *sslver,

-                                struct SessionHandle *data)

+static CURLcode nss_sslver_from_curl(PRUint16 *nssver, long version)

 {

-  switch (data->set.ssl.version) {

-  default:

-  case CURL_SSLVERSION_DEFAULT:

-    break;

-

+  switch(version) {

   case CURL_SSLVERSION_TLSv1:

-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;

 #ifdef SSL_LIBRARY_VERSION_TLS_1_2

-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;

+    *nssver = SSL_LIBRARY_VERSION_TLS_1_2;

 #elif defined SSL_LIBRARY_VERSION_TLS_1_1

-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;

+    *nssver = SSL_LIBRARY_VERSION_TLS_1_1;

 #else

-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;

+    *nssver = SSL_LIBRARY_VERSION_TLS_1_0;

 #endif

     return CURLE_OK;

   case CURL_SSLVERSION_SSLv2:

-    sslver->min = SSL_LIBRARY_VERSION_2;

-    sslver->max = SSL_LIBRARY_VERSION_2;

+    *nssver = SSL_LIBRARY_VERSION_2;

     return CURLE_OK;

   case CURL_SSLVERSION_SSLv3:

-    sslver->min = SSL_LIBRARY_VERSION_3_0;

-    sslver->max = SSL_LIBRARY_VERSION_3_0;

+    *nssver = SSL_LIBRARY_VERSION_3_0;

     return CURLE_OK;

   case CURL_SSLVERSION_TLSv1_0:

-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;

-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;

+    *nssver = SSL_LIBRARY_VERSION_TLS_1_0;

     return CURLE_OK;

   case CURL_SSLVERSION_TLSv1_1:

 #ifdef SSL_LIBRARY_VERSION_TLS_1_1

-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_1;

-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;

+    *nssver = SSL_LIBRARY_VERSION_TLS_1_1;

     return CURLE_OK;

+#else

+    return CURLE_SSL_CONNECT_ERROR;

 #endif

-    break;

   case CURL_SSLVERSION_TLSv1_2:

 #ifdef SSL_LIBRARY_VERSION_TLS_1_2

-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_2;

-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;

+    *nssver = SSL_LIBRARY_VERSION_TLS_1_2;

     return CURLE_OK;

+#else

+    return CURLE_SSL_CONNECT_ERROR;

 #endif

-    break;

   case CURL_SSLVERSION_TLSv1_3:

 #ifdef SSL_LIBRARY_VERSION_TLS_1_3

-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;

-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;

+    *nssver = SSL_LIBRARY_VERSION_TLS_1_3;

     return CURLE_OK;

+#else

+    return CURLE_SSL_CONNECT_ERROR;

 #endif

+

+  default:

+    return CURLE_SSL_CONNECT_ERROR;

+  }

+}

+

+static CURLcode nss_init_sslver(SSLVersionRange *sslver,

+                                struct SessionHandle *data)

+{

+  CURLcode result;

+  const long min = data->set.ssl.version;

+  const long max = data->set.ssl.version_max;

+

+  if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) {

+    /* map CURL_SSLVERSION_DEFAULT to NSS default */

+    if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)

+      return CURLE_SSL_CONNECT_ERROR;

+    /* ... but make sure we use at least TLSv1.0 according to libcurl API */

+    if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)

+      sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;

+  }

+

+  switch(min) {

+  case CURL_SSLVERSION_DEFAULT:

+    break;

+  case CURL_SSLVERSION_TLSv1:

+    sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;

     break;

+  default:

+    result = nss_sslver_from_curl(&sslver->min, min);

+    if(result) {

+      failf(data, "unsupported min version passed via CURLOPT_SSLVERSION");

+      return result;

+    }

+    if(max == CURL_SSLVERSION_MAX_NONE)

+      sslver->max = sslver->min;

+  }

+

+  switch(max) {

+  case CURL_SSLVERSION_MAX_NONE:

+  case CURL_SSLVERSION_MAX_DEFAULT:

+    break;

+  default:

+    result = nss_sslver_from_curl(&sslver->max, max >> 16);

+    if(result) {

+      failf(data, "unsupported max version passed via CURLOPT_SSLVERSION");

+      return result;

+    }

   }

-  failf(data, "TLS minor version cannot be set");

-  return CURLE_SSL_CONNECT_ERROR;

+  return CURLE_OK;

 }

 static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,

@@ -1400,7 +1438,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)

   CURLcode curlerr;

   SSLVersionRange sslver = {

-    SSL_LIBRARY_VERSION_3_0,      /* min */

+    SSL_LIBRARY_VERSION_TLS_1_0,  /* min */

     SSL_LIBRARY_VERSION_TLS_1_0   /* max */

   };

diff --git a/lib/sslgen.c b/lib/sslgen.c

index 79cbb6f..d917f05 100644

--- a/lib/sslgen.c

+++ b/lib/sslgen.c

@@ -86,6 +86,7 @@ Curl_ssl_config_matches(struct ssl_config_data* data,

                         struct ssl_config_data* needle)

 {

   if((data->version == needle->version) &&

+     (data->version_max == needle->version_max) &&

      (data->verifypeer == needle->verifypeer) &&

      (data->verifyhost == needle->verifyhost) &&

      safe_strequal(data->CApath, needle->CApath) &&

@@ -107,6 +108,7 @@ Curl_clone_ssl_config(struct ssl_config_data *source,

   dest->verifyhost = source->verifyhost;

   dest->verifypeer = source->verifypeer;

   dest->version = source->version;

+  dest->version_max = source->version_max;

   if(source->CAfile) {

     dest->CAfile = strdup(source->CAfile);

diff --git a/lib/url.c b/lib/url.c

index cb3f3c3..cc099a5 100644

--- a/lib/url.c

+++ b/lib/url.c

@@ -667,6 +667,9 @@ CURLcode Curl_open(struct SessionHandle **curl)

   return res;

 }

+#define C_SSLVERSION_VALUE(x) (x & 0xffff)

+#define C_SSLVERSION_MAX_VALUE(x) (x & 0xffff0000)

+

 CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,

                      va_list param)

 {

@@ -882,7 +885,9 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,

      * Set explicit SSL version to try to connect with, as some SSL

      * implementations are lame.

      */

-    data->set.ssl.version = va_arg(param, long);

+    arg = va_arg(param, long);

+    data->set.ssl.version = C_SSLVERSION_VALUE(arg);

+    data->set.ssl.version_max = C_SSLVERSION_MAX_VALUE(arg);

     break;

 #ifndef CURL_DISABLE_HTTP

diff --git a/lib/urldata.h b/lib/urldata.h

index d10c784..a5027ed 100644

--- a/lib/urldata.h

+++ b/lib/urldata.h

@@ -335,6 +335,7 @@ struct ssl_connect_data {

 struct ssl_config_data {

   long version;          /* what version the client wants to use */

+  long version_max;      /* max supported version the client wants to use*/

   long certverifyresult; /* result from the certificate verification */

   bool verifypeer;       /* set TRUE if this is desired */

diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h

index 68d0297..5f45f63 100644

--- a/src/tool_cfgable.h

+++ b/src/tool_cfgable.h

@@ -146,6 +146,7 @@ struct Configurable {

   struct curl_slist *postquote;

   struct curl_slist *prequote;

   long ssl_version;

+  long ssl_version_max;

   long ip_version;

   curl_TimeCond timecond;

   time_t condtime;

diff --git a/src/tool_getparam.c b/src/tool_getparam.c

index 86a7bb6..9a228b9 100644

--- a/src/tool_getparam.c

+++ b/src/tool_getparam.c

@@ -174,6 +174,7 @@ static const struct LongShort aliases[]= {

   {"$I", "post303",                  FALSE},

   {"$J", "metalink",                 FALSE},

   {"$M", "unix-socket",              TRUE},

+  {"$X", "tls-max",                  TRUE},

   {"0",  "http1.0",                  FALSE},

   {"1",  "tlsv1",                    FALSE},

   {"10",  "tlsv1.0",                 FALSE},

@@ -968,6 +969,11 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */

       case 'M': /* --unix-socket */

         GetStr(&config->unix_socket_path, nextarg);

         break;

+      case 'X': /* --tls-max */

+        err = str2tls_max(&config->ssl_version_max, nextarg);

+        if(err)

+          return err;

+        break;

       }

       break;

     case '#': /* --progress-bar */

diff --git a/src/tool_help.c b/src/tool_help.c

index 0659db6..3eeef6d 100644

--- a/src/tool_help.c

+++ b/src/tool_help.c

@@ -206,6 +206,7 @@ static const char *const helptext[] = {

   "     --tlsv1.1       Use TLSv1.1 (SSL)",

   "     --tlsv1.2       Use TLSv1.2 (SSL)",

   "     --tlsv1.3       Use TLSv1.3 (SSL)",

+  "     --tls-max VERSION  Use TLS up to VERSION (SSL)",

   "     --trace FILE    Write a debug trace to the given file",

   "     --trace-ascii FILE  Like --trace but without the hex output",

   "     --trace-time    Add time stamps to trace/verbose output",

diff --git a/src/tool_operate.c b/src/tool_operate.c

index 185f9c6..052def1 100644

--- a/src/tool_operate.c

+++ b/src/tool_operate.c

@@ -1109,7 +1109,8 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])

         }

 #endif

-        my_setopt_enum(curl, CURLOPT_SSLVERSION, config->ssl_version);

+        my_setopt_enum(curl, CURLOPT_SSLVERSION,

+                       config->ssl_version | config->ssl_version_max);

         my_setopt_enum(curl, CURLOPT_TIMECONDITION, config->timecond);

         my_setopt(curl, CURLOPT_TIMEVALUE, config->condtime);

         my_setopt_str(curl, CURLOPT_CUSTOMREQUEST, config->customrequest);

diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c

index 5d6f8bb..5ceddb2 100644

--- a/src/tool_paramhlp.c

+++ b/src/tool_paramhlp.c

@@ -405,3 +405,35 @@ long delegation(struct Configurable *config, char *str)

   return CURLGSSAPI_DELEGATION_NONE;

 }

+/*

+ * Parse the string and modify ssl_version in the val argument. Return PARAM_OK

+ * on success, otherwise a parameter error enum. ONLY ACCEPTS POSITIVE NUMBERS!

+ *

+ * Since this function gets called with the 'nextarg' pointer from within the

+ * getparameter a lot, we must check it for NULL before accessing the str

+ * data.

+ */

+

+ParameterError str2tls_max(long *val, const char *str)

+{

+   static struct s_tls_max {

+    const char *tls_max_str;

+    long tls_max;

+  } const tls_max_array[] = {

+    { "default", CURL_SSLVERSION_MAX_DEFAULT },

+    { "1.0",     CURL_SSLVERSION_MAX_TLSv1_0 },

+    { "1.1",     CURL_SSLVERSION_MAX_TLSv1_1 },

+    { "1.2",     CURL_SSLVERSION_MAX_TLSv1_2 },

+    { "1.3",     CURL_SSLVERSION_MAX_TLSv1_3 }

+  };

+  size_t i = 0;

+  if(!str)

+    return PARAM_REQUIRES_PARAMETER;

+  for(i = 0; i < sizeof(tls_max_array)/sizeof(tls_max_array[0]); i++) {

+    if(!strcmp(str, tls_max_array[i].tls_max_str)) {

+      *val = tls_max_array[i].tls_max;

+      return PARAM_OK;

+    }

+  }

+  return PARAM_BAD_USE;

+}

diff --git a/src/tool_paramhlp.h b/src/tool_paramhlp.h

index de1604e..c848d1c 100644

--- a/src/tool_paramhlp.h

+++ b/src/tool_paramhlp.h

@@ -48,5 +48,7 @@ int ftpcccmethod(struct Configurable *config, const char *str);

 long delegation(struct Configurable *config, char *str);

+ParameterError str2tls_max(long *val, const char *str);

+

 #endif /* HEADER_CURL_TOOL_PARAMHLP_H */

-- 

2.20.1

From 6a332224ba66b7ad21f6a874af94c1b7441ca19f Mon Sep 17 00:00:00 2001

From: Hubert Kario <hkario@redhat.com>

Date: Fri, 17 May 2019 17:15:24 +0000

Subject: [PATCH 4/5] nss: allow to specify TLS 1.3 ciphers if supported by NSS

Closes #3916

Upstream-commit: 319ae9075efba769c9d5e98e827bb325ad0fcb6f

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 lib/nss.c | 5 +++++

 1 file changed, 5 insertions(+)

diff --git a/lib/nss.c b/lib/nss.c

index d8e481b..330387c 100644

--- a/lib/nss.c

+++ b/lib/nss.c

@@ -195,6 +195,11 @@ static const cipher_s cipherlist[] = {

  {"dhe_rsa_chacha20_poly1305_sha_256",

      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256},

 #endif

+#ifdef TLS_AES_256_GCM_SHA384

+ {"aes_128_gcm_sha_256",              TLS_AES_128_GCM_SHA256},

+ {"aes_256_gcm_sha_384",              TLS_AES_256_GCM_SHA384},

+ {"chacha20_poly1305_sha_256",        TLS_CHACHA20_POLY1305_SHA256},

+#endif

 };

 static const char* pem_library = "libnsspem.so";

-- 

2.20.1

From 268dcd88beb3d270d5aaeda473d51550ea9a3f84 Mon Sep 17 00:00:00 2001

From: Kamil Dudka <kdudka@redhat.com>

Date: Mon, 3 Jun 2019 12:31:21 +0200

Subject: [PATCH 5/5] nss: make `curl --tlsv1` compatible with

 curl-7.29.0-52.el7

---

 lib/nss.c | 4 +++-

 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/nss.c b/lib/nss.c

index 330387c..f963c63 100644

--- a/lib/nss.c

+++ b/lib/nss.c

@@ -1350,7 +1350,9 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,

   const long min = data->set.ssl.version;

   const long max = data->set.ssl.version_max;

-  if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) {

+  if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT

+      || min == CURL_SSLVERSION_TLSv1)

+  {

     /* map CURL_SSLVERSION_DEFAULT to NSS default */

     if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)

       return CURLE_SSL_CONNECT_ERROR;

-- 

2.20.1