Blob Blame Raw
From 0c36569c6541ed1eb924ccd60dea5caca0d1e957 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 27 Oct 2016 14:57:11 +0200
Subject: [PATCH 1/5] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3

Fully implemented with the NSS backend only for now.

Reviewed-by: Ray Satiro

Upstream-commit: 6ad3add60654182a747f5971afb40817488ef0e8
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 docs/libcurl/curl_easy_setopt.3  | 2 ++
 docs/libcurl/symbols-in-versions | 1 +
 include/curl/curl.h              | 1 +
 lib/nss.c                        | 8 ++++++++
 packages/OS400/curl.inc.in       | 2 ++
 5 files changed, 14 insertions(+)

diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 17b632f..226e0ca 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -2262,6 +2262,8 @@ Force TLSv1.0 (Added in 7.34.0)
 Force TLSv1.1 (Added in 7.34.0)
 .IP CURL_SSLVERSION_TLSv1_2
 Force TLSv1.2 (Added in 7.34.0)
+.IP CURL_SSLVERSION_TLSv1_3
+Force TLSv1.3 (Added in 7.51.1)
 .RE
 .IP CURLOPT_SSL_VERIFYPEER
 Pass a long as parameter. By default, curl assumes a value of 1.
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index e2cce4c..a66bd97 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -685,6 +685,7 @@ CURL_SSLVERSION_TLSv1           7.9.2
 CURL_SSLVERSION_TLSv1_0         7.34.0
 CURL_SSLVERSION_TLSv1_1         7.34.0
 CURL_SSLVERSION_TLSv1_2         7.34.0
+CURL_SSLVERSION_TLSv1_3         7.51.1
 CURL_TIMECOND_IFMODSINCE        7.9.7
 CURL_TIMECOND_IFUNMODSINCE      7.9.7
 CURL_TIMECOND_LASTMOD           7.9.7
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 8b639fa..0fb1885 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1645,6 +1645,7 @@ enum {
   CURL_SSLVERSION_TLSv1_0,
   CURL_SSLVERSION_TLSv1_1,
   CURL_SSLVERSION_TLSv1_2,
+  CURL_SSLVERSION_TLSv1_3,
 
   CURL_SSLVERSION_LAST /* never use, keep last */
 };
diff --git a/lib/nss.c b/lib/nss.c
index 31e5d75..8e26d1f 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1331,6 +1331,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
     sslver->min = SSL_LIBRARY_VERSION_TLS_1_2;
     sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
     return CURLE_OK;
+#endif
+    break;
+
+  case CURL_SSLVERSION_TLSv1_3:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+    sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
+    sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
+    return CURLE_OK;
 #endif
     break;
   }
diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in
index 22a5511..30e6506 100644
--- a/packages/OS400/curl.inc.in
+++ b/packages/OS400/curl.inc.in
@@ -232,6 +232,8 @@
      d                 c                   5
      d CURL_SSLVERSION_TLSv1_2...
      d                 c                   6
+     d CURL_SSLVERSION_TLSv1_3...
+     d                 c                   7
       *
      d CURL_TLSAUTH_NONE...
      d                 c                   0
-- 
2.17.2


From d18da081cc26df5605b5a2995615660eb3270712 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 27 Oct 2016 14:58:43 +0200
Subject: [PATCH 2/5] curl: introduce the --tlsv1.3 option to force TLS 1.3

Fully implemented with the NSS backend only for now.

Reviewed-by: Ray Satiro

Upstream-commit: a110a03b43057879643046538c79cc9dd20d399a
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 docs/curl.1         | 10 +++++++---
 src/tool_getparam.c |  5 +++++
 src/tool_help.c     |  1 +
 src/tool_setopt.c   |  1 +
 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/docs/curl.1 b/docs/curl.1
index a26b03c..0c5ed9a 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -118,9 +118,9 @@ internally preferred: HTTP 1.1.
 .IP "-1, --tlsv1"
 (SSL)
 Forces curl to use TLS version 1.x when negotiating with a remote TLS server.
-You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to
-control the TLS version more precisely (if the SSL backend in use supports such
-a level of control).
+You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and
+\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend
+in use supports such a level of control).
 .IP "-2, --sslv2"
 (SSL)
 Forces curl to use SSL version 2 when negotiating with a remote SSL server.
@@ -1469,6 +1469,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.
 (SSL)
 Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
 (Added in 7.34.0)
+.IP "--tlsv1.3"
+(SSL)
+Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
+(Added in 7.51.1)
 .IP "--tr-encoding"
 (HTTP) Request a compressed Transfer-Encoding response using one of the
 algorithms curl supports, and uncompress the data while receiving it.
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 32fc68b..86a7bb6 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -179,6 +179,7 @@ static const struct LongShort aliases[]= {
   {"10",  "tlsv1.0",                 FALSE},
   {"11",  "tlsv1.1",                 FALSE},
   {"12",  "tlsv1.2",                 FALSE},
+  {"13",  "tlsv1.3",                 FALSE},
   {"2",  "sslv2",                    FALSE},
   {"3",  "sslv3",                    FALSE},
   {"4",  "ipv4",                     FALSE},
@@ -1000,6 +1001,10 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
         /* TLS version 1.2 */
         config->ssl_version = CURL_SSLVERSION_TLSv1_2;
         break;
+      case '3':
+        /* TLS version 1.3 */
+        config->ssl_version = CURL_SSLVERSION_TLSv1_3;
+        break;
       }
       break;
     case '2':
diff --git a/src/tool_help.c b/src/tool_help.c
index c2883eb..0659db6 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -205,6 +205,7 @@ static const char *const helptext[] = {
   "     --tlsv1.0       Use TLSv1.0 (SSL)",
   "     --tlsv1.1       Use TLSv1.1 (SSL)",
   "     --tlsv1.2       Use TLSv1.2 (SSL)",
+  "     --tlsv1.3       Use TLSv1.3 (SSL)",
   "     --trace FILE    Write a debug trace to the given file",
   "     --trace-ascii FILE  Like --trace but without the hex output",
   "     --trace-time    Add time stamps to trace/verbose output",
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
index 5ae32cd..0534118 100644
--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
@@ -81,6 +81,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
   NV(CURL_SSLVERSION_TLSv1_0),
   NV(CURL_SSLVERSION_TLSv1_1),
   NV(CURL_SSLVERSION_TLSv1_2),
+  NV(CURL_SSLVERSION_TLSv1_3),
   NVEND,
 };
 
-- 
2.17.2


From 6ffdc6a1ca867c0ed228ffba172cb910b77011f0 Mon Sep 17 00:00:00 2001
From: Jozef Kralik <jozef.kralik@eset.sk>
Date: Tue, 13 Dec 2016 21:10:00 +0100
Subject: [PATCH 3/5] vtls: add options to specify range of enabled TLS
 versions

This commit introduces the CURL_SSLVERSION_MAX_* constants as well as
the --tls-max option of the curl tool.

Closes https://github.com/curl/curl/pull/1166

Upstream-commit: 6448f98c1857de521fb2dd3f9d4e5659845b5474
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 docs/curl.1                      | 21 ++++++-
 docs/libcurl/curl_easy_setopt.3  | 18 +++++-
 docs/libcurl/symbols-in-versions |  8 ++-
 include/curl/curl.h              | 12 ++++
 lib/nss.c                        | 94 ++++++++++++++++++++++----------
 lib/sslgen.c                     |  2 +
 lib/url.c                        |  7 ++-
 lib/urldata.h                    |  1 +
 src/tool_cfgable.h               |  1 +
 src/tool_getparam.c              |  6 ++
 src/tool_help.c                  |  1 +
 src/tool_operate.c               |  3 +-
 src/tool_paramhlp.c              | 32 +++++++++++
 src/tool_paramhlp.h              |  2 +
 14 files changed, 175 insertions(+), 33 deletions(-)

diff --git a/docs/curl.1 b/docs/curl.1
index 0c5ed9a..35fae14 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1472,7 +1472,26 @@ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
 .IP "--tlsv1.3"
 (SSL)
 Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
-(Added in 7.51.1)
+(Added in 7.52.0)
+.IP "--tls-max <VERSION>"
+(SSL) VERSION defines maximum supported TLS version. The minimum acceptable version
+is set by tlsv1.0, tlsv1.1, tlsv1.2 or tlsv1.3.
+
+.RS
+.IP "default"
+Use up to recommended TLS version.
+.IP "1.0"
+Use up to TLSv1.0.
+.IP "1.1"
+Use up to TLSv1.1.
+.IP "1.2"
+Use up to TLSv1.2.
+.IP "1.3"
+Use up to TLSv1.3.
+.RE
+
+See also \fI--tlsv1.0\fP and \fI--tlsv1.1\fP and \fI--tlsv1.2\fP and
+\fI--tlsv1.3\fP.  Added in 7.54.0.
 .IP "--tr-encoding"
 (HTTP) Request a compressed Transfer-Encoding response using one of the
 algorithms curl supports, and uncompress the data while receiving it.
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 226e0ca..55d207e 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -2263,7 +2263,23 @@ Force TLSv1.1 (Added in 7.34.0)
 .IP CURL_SSLVERSION_TLSv1_2
 Force TLSv1.2 (Added in 7.34.0)
 .IP CURL_SSLVERSION_TLSv1_3
-Force TLSv1.3 (Added in 7.51.1)
+Force TLSv1.3 (Added in 7.52.0)
+.IP CURL_SSLVERSION_MAX_DEFAULT
+The flag defines maximum supported TLS version as TLSv1.2 or default
+value from SSL library.
+(Added in 7.54.0)
+.IP CURL_SSLVERSION_MAX_TLSv1_0
+The flag defines maximum supported TLS version as TLSv1.0.
+(Added in 7.54.0)
+.IP CURL_SSLVERSION_MAX_TLSv1_1
+The flag defines maximum supported TLS version as TLSv1.1.
+(Added in 7.54.0)
+.IP CURL_SSLVERSION_MAX_TLSv1_2
+The flag defines maximum supported TLS version as TLSv1.2.
+(Added in 7.54.0)
+.IP CURL_SSLVERSION_MAX_TLSv1_3
+The flag defines maximum supported TLS version as TLSv1.3.
+(Added in 7.54.0)
 .RE
 .IP CURLOPT_SSL_VERIFYPEER
 Pass a long as parameter. By default, curl assumes a value of 1.
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index a66bd97..34e0ac3 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -685,7 +685,13 @@ CURL_SSLVERSION_TLSv1           7.9.2
 CURL_SSLVERSION_TLSv1_0         7.34.0
 CURL_SSLVERSION_TLSv1_1         7.34.0
 CURL_SSLVERSION_TLSv1_2         7.34.0
-CURL_SSLVERSION_TLSv1_3         7.51.1
+CURL_SSLVERSION_TLSv1_3         7.52.0
+CURL_SSLVERSION_MAX_NONE        7.54.0
+CURL_SSLVERSION_MAX_DEFAULT     7.54.0
+CURL_SSLVERSION_MAX_TLSv1_0     7.54.0
+CURL_SSLVERSION_MAX_TLSv1_1     7.54.0
+CURL_SSLVERSION_MAX_TLSv1_2     7.54.0
+CURL_SSLVERSION_MAX_TLSv1_3     7.54.0
 CURL_TIMECOND_IFMODSINCE        7.9.7
 CURL_TIMECOND_IFUNMODSINCE      7.9.7
 CURL_TIMECOND_LASTMOD           7.9.7
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 0fb1885..5a46925 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1650,6 +1650,18 @@ enum {
   CURL_SSLVERSION_LAST /* never use, keep last */
 };
 
+enum {
+  CURL_SSLVERSION_MAX_NONE =     0,
+  CURL_SSLVERSION_MAX_DEFAULT =  (CURL_SSLVERSION_TLSv1   << 16),
+  CURL_SSLVERSION_MAX_TLSv1_0 =  (CURL_SSLVERSION_TLSv1_0 << 16),
+  CURL_SSLVERSION_MAX_TLSv1_1 =  (CURL_SSLVERSION_TLSv1_1 << 16),
+  CURL_SSLVERSION_MAX_TLSv1_2 =  (CURL_SSLVERSION_TLSv1_2 << 16),
+  CURL_SSLVERSION_MAX_TLSv1_3 =  (CURL_SSLVERSION_TLSv1_3 << 16),
+
+  /* never use, keep last */
+  CURL_SSLVERSION_MAX_LAST =     (CURL_SSLVERSION_LAST    << 16)
+};
+
 enum CURL_TLSAUTH {
   CURL_TLSAUTH_NONE,
   CURL_TLSAUTH_SRP,
diff --git a/lib/nss.c b/lib/nss.c
index 8e26d1f..d8e481b 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1284,67 +1284,105 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn,
   return CURLE_OK;
 }
 
-static CURLcode nss_init_sslver(SSLVersionRange *sslver,
-                                struct SessionHandle *data)
+static CURLcode nss_sslver_from_curl(PRUint16 *nssver, long version)
 {
-  switch (data->set.ssl.version) {
-  default:
-  case CURL_SSLVERSION_DEFAULT:
-    break;
-
+  switch(version) {
   case CURL_SSLVERSION_TLSv1:
-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
 #ifdef SSL_LIBRARY_VERSION_TLS_1_2
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_2;
 #elif defined SSL_LIBRARY_VERSION_TLS_1_1
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_1;
 #else
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_0;
 #endif
     return CURLE_OK;
 
   case CURL_SSLVERSION_SSLv2:
-    sslver->min = SSL_LIBRARY_VERSION_2;
-    sslver->max = SSL_LIBRARY_VERSION_2;
+    *nssver = SSL_LIBRARY_VERSION_2;
     return CURLE_OK;
 
   case CURL_SSLVERSION_SSLv3:
-    sslver->min = SSL_LIBRARY_VERSION_3_0;
-    sslver->max = SSL_LIBRARY_VERSION_3_0;
+    *nssver = SSL_LIBRARY_VERSION_3_0;
     return CURLE_OK;
 
   case CURL_SSLVERSION_TLSv1_0:
-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_0;
     return CURLE_OK;
 
   case CURL_SSLVERSION_TLSv1_1:
 #ifdef SSL_LIBRARY_VERSION_TLS_1_1
-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_1;
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_1;
     return CURLE_OK;
+#else
+    return CURLE_SSL_CONNECT_ERROR;
 #endif
-    break;
 
   case CURL_SSLVERSION_TLSv1_2:
 #ifdef SSL_LIBRARY_VERSION_TLS_1_2
-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_2;
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_2;
     return CURLE_OK;
+#else
+    return CURLE_SSL_CONNECT_ERROR;
 #endif
-    break;
 
   case CURL_SSLVERSION_TLSv1_3:
 #ifdef SSL_LIBRARY_VERSION_TLS_1_3
-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
-    sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
+    *nssver = SSL_LIBRARY_VERSION_TLS_1_3;
     return CURLE_OK;
+#else
+    return CURLE_SSL_CONNECT_ERROR;
 #endif
+
+  default:
+    return CURLE_SSL_CONNECT_ERROR;
+  }
+}
+
+static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+                                struct SessionHandle *data)
+{
+  CURLcode result;
+  const long min = data->set.ssl.version;
+  const long max = data->set.ssl.version_max;
+
+  if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) {
+    /* map CURL_SSLVERSION_DEFAULT to NSS default */
+    if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
+      return CURLE_SSL_CONNECT_ERROR;
+    /* ... but make sure we use at least TLSv1.0 according to libcurl API */
+    if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
+      sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+  }
+
+  switch(min) {
+  case CURL_SSLVERSION_DEFAULT:
+    break;
+  case CURL_SSLVERSION_TLSv1:
+    sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
     break;
+  default:
+    result = nss_sslver_from_curl(&sslver->min, min);
+    if(result) {
+      failf(data, "unsupported min version passed via CURLOPT_SSLVERSION");
+      return result;
+    }
+    if(max == CURL_SSLVERSION_MAX_NONE)
+      sslver->max = sslver->min;
+  }
+
+  switch(max) {
+  case CURL_SSLVERSION_MAX_NONE:
+  case CURL_SSLVERSION_MAX_DEFAULT:
+    break;
+  default:
+    result = nss_sslver_from_curl(&sslver->max, max >> 16);
+    if(result) {
+      failf(data, "unsupported max version passed via CURLOPT_SSLVERSION");
+      return result;
+    }
   }
 
-  failf(data, "TLS minor version cannot be set");
-  return CURLE_SSL_CONNECT_ERROR;
+  return CURLE_OK;
 }
 
 static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
@@ -1400,7 +1438,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
   CURLcode curlerr;
 
   SSLVersionRange sslver = {
-    SSL_LIBRARY_VERSION_3_0,      /* min */
+    SSL_LIBRARY_VERSION_TLS_1_0,  /* min */
     SSL_LIBRARY_VERSION_TLS_1_0   /* max */
   };
 
diff --git a/lib/sslgen.c b/lib/sslgen.c
index 79cbb6f..d917f05 100644
--- a/lib/sslgen.c
+++ b/lib/sslgen.c
@@ -86,6 +86,7 @@ Curl_ssl_config_matches(struct ssl_config_data* data,
                         struct ssl_config_data* needle)
 {
   if((data->version == needle->version) &&
+     (data->version_max == needle->version_max) &&
      (data->verifypeer == needle->verifypeer) &&
      (data->verifyhost == needle->verifyhost) &&
      safe_strequal(data->CApath, needle->CApath) &&
@@ -107,6 +108,7 @@ Curl_clone_ssl_config(struct ssl_config_data *source,
   dest->verifyhost = source->verifyhost;
   dest->verifypeer = source->verifypeer;
   dest->version = source->version;
+  dest->version_max = source->version_max;
 
   if(source->CAfile) {
     dest->CAfile = strdup(source->CAfile);
diff --git a/lib/url.c b/lib/url.c
index cb3f3c3..cc099a5 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -667,6 +667,9 @@ CURLcode Curl_open(struct SessionHandle **curl)
   return res;
 }
 
+#define C_SSLVERSION_VALUE(x) (x & 0xffff)
+#define C_SSLVERSION_MAX_VALUE(x) (x & 0xffff0000)
+
 CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
                      va_list param)
 {
@@ -882,7 +885,9 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
      * Set explicit SSL version to try to connect with, as some SSL
      * implementations are lame.
      */
-    data->set.ssl.version = va_arg(param, long);
+    arg = va_arg(param, long);
+    data->set.ssl.version = C_SSLVERSION_VALUE(arg);
+    data->set.ssl.version_max = C_SSLVERSION_MAX_VALUE(arg);
     break;
 
 #ifndef CURL_DISABLE_HTTP
diff --git a/lib/urldata.h b/lib/urldata.h
index d10c784..a5027ed 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -335,6 +335,7 @@ struct ssl_connect_data {
 
 struct ssl_config_data {
   long version;          /* what version the client wants to use */
+  long version_max;      /* max supported version the client wants to use*/
   long certverifyresult; /* result from the certificate verification */
 
   bool verifypeer;       /* set TRUE if this is desired */
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index 68d0297..5f45f63 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -146,6 +146,7 @@ struct Configurable {
   struct curl_slist *postquote;
   struct curl_slist *prequote;
   long ssl_version;
+  long ssl_version_max;
   long ip_version;
   curl_TimeCond timecond;
   time_t condtime;
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 86a7bb6..9a228b9 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -174,6 +174,7 @@ static const struct LongShort aliases[]= {
   {"$I", "post303",                  FALSE},
   {"$J", "metalink",                 FALSE},
   {"$M", "unix-socket",              TRUE},
+  {"$X", "tls-max",                  TRUE},
   {"0",  "http1.0",                  FALSE},
   {"1",  "tlsv1",                    FALSE},
   {"10",  "tlsv1.0",                 FALSE},
@@ -968,6 +969,11 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
       case 'M': /* --unix-socket */
         GetStr(&config->unix_socket_path, nextarg);
         break;
+      case 'X': /* --tls-max */
+        err = str2tls_max(&config->ssl_version_max, nextarg);
+        if(err)
+          return err;
+        break;
       }
       break;
     case '#': /* --progress-bar */
diff --git a/src/tool_help.c b/src/tool_help.c
index 0659db6..3eeef6d 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -206,6 +206,7 @@ static const char *const helptext[] = {
   "     --tlsv1.1       Use TLSv1.1 (SSL)",
   "     --tlsv1.2       Use TLSv1.2 (SSL)",
   "     --tlsv1.3       Use TLSv1.3 (SSL)",
+  "     --tls-max VERSION  Use TLS up to VERSION (SSL)",
   "     --trace FILE    Write a debug trace to the given file",
   "     --trace-ascii FILE  Like --trace but without the hex output",
   "     --trace-time    Add time stamps to trace/verbose output",
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 185f9c6..052def1 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1109,7 +1109,8 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[])
         }
 #endif
 
-        my_setopt_enum(curl, CURLOPT_SSLVERSION, config->ssl_version);
+        my_setopt_enum(curl, CURLOPT_SSLVERSION,
+                       config->ssl_version | config->ssl_version_max);
         my_setopt_enum(curl, CURLOPT_TIMECONDITION, config->timecond);
         my_setopt(curl, CURLOPT_TIMEVALUE, config->condtime);
         my_setopt_str(curl, CURLOPT_CUSTOMREQUEST, config->customrequest);
diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
index 5d6f8bb..5ceddb2 100644
--- a/src/tool_paramhlp.c
+++ b/src/tool_paramhlp.c
@@ -405,3 +405,35 @@ long delegation(struct Configurable *config, char *str)
   return CURLGSSAPI_DELEGATION_NONE;
 }
 
+/*
+ * Parse the string and modify ssl_version in the val argument. Return PARAM_OK
+ * on success, otherwise a parameter error enum. ONLY ACCEPTS POSITIVE NUMBERS!
+ *
+ * Since this function gets called with the 'nextarg' pointer from within the
+ * getparameter a lot, we must check it for NULL before accessing the str
+ * data.
+ */
+
+ParameterError str2tls_max(long *val, const char *str)
+{
+   static struct s_tls_max {
+    const char *tls_max_str;
+    long tls_max;
+  } const tls_max_array[] = {
+    { "default", CURL_SSLVERSION_MAX_DEFAULT },
+    { "1.0",     CURL_SSLVERSION_MAX_TLSv1_0 },
+    { "1.1",     CURL_SSLVERSION_MAX_TLSv1_1 },
+    { "1.2",     CURL_SSLVERSION_MAX_TLSv1_2 },
+    { "1.3",     CURL_SSLVERSION_MAX_TLSv1_3 }
+  };
+  size_t i = 0;
+  if(!str)
+    return PARAM_REQUIRES_PARAMETER;
+  for(i = 0; i < sizeof(tls_max_array)/sizeof(tls_max_array[0]); i++) {
+    if(!strcmp(str, tls_max_array[i].tls_max_str)) {
+      *val = tls_max_array[i].tls_max;
+      return PARAM_OK;
+    }
+  }
+  return PARAM_BAD_USE;
+}
diff --git a/src/tool_paramhlp.h b/src/tool_paramhlp.h
index de1604e..c848d1c 100644
--- a/src/tool_paramhlp.h
+++ b/src/tool_paramhlp.h
@@ -48,5 +48,7 @@ int ftpcccmethod(struct Configurable *config, const char *str);
 
 long delegation(struct Configurable *config, char *str);
 
+ParameterError str2tls_max(long *val, const char *str);
+
 #endif /* HEADER_CURL_TOOL_PARAMHLP_H */
 
-- 
2.20.1


From 6a332224ba66b7ad21f6a874af94c1b7441ca19f Mon Sep 17 00:00:00 2001
From: Hubert Kario <hkario@redhat.com>
Date: Fri, 17 May 2019 17:15:24 +0000
Subject: [PATCH 4/5] nss: allow to specify TLS 1.3 ciphers if supported by NSS

Closes #3916

Upstream-commit: 319ae9075efba769c9d5e98e827bb325ad0fcb6f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/nss.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/nss.c b/lib/nss.c
index d8e481b..330387c 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -195,6 +195,11 @@ static const cipher_s cipherlist[] = {
  {"dhe_rsa_chacha20_poly1305_sha_256",
      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
 #endif
+#ifdef TLS_AES_256_GCM_SHA384
+ {"aes_128_gcm_sha_256",              TLS_AES_128_GCM_SHA256},
+ {"aes_256_gcm_sha_384",              TLS_AES_256_GCM_SHA384},
+ {"chacha20_poly1305_sha_256",        TLS_CHACHA20_POLY1305_SHA256},
+#endif
 };
 
 static const char* pem_library = "libnsspem.so";
-- 
2.20.1


From 268dcd88beb3d270d5aaeda473d51550ea9a3f84 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 3 Jun 2019 12:31:21 +0200
Subject: [PATCH 5/5] nss: make `curl --tlsv1` compatible with
 curl-7.29.0-52.el7

---
 lib/nss.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/nss.c b/lib/nss.c
index 330387c..f963c63 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1350,7 +1350,9 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
   const long min = data->set.ssl.version;
   const long max = data->set.ssl.version_max;
 
-  if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) {
+  if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT
+      || min == CURL_SSLVERSION_TLSv1)
+  {
     /* map CURL_SSLVERSION_DEFAULT to NSS default */
     if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
       return CURLE_SSL_CONNECT_ERROR;
-- 
2.20.1