From 0c36569c6541ed1eb924ccd60dea5caca0d1e957 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 27 Oct 2016 14:57:11 +0200 Subject: [PATCH 1/5] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3 Fully implemented with the NSS backend only for now. Reviewed-by: Ray Satiro Upstream-commit: 6ad3add60654182a747f5971afb40817488ef0e8 Signed-off-by: Kamil Dudka --- docs/libcurl/curl_easy_setopt.3 | 2 ++ docs/libcurl/symbols-in-versions | 1 + include/curl/curl.h | 1 + lib/nss.c | 8 ++++++++ packages/OS400/curl.inc.in | 2 ++ 5 files changed, 14 insertions(+) diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index 17b632f..226e0ca 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -2262,6 +2262,8 @@ Force TLSv1.0 (Added in 7.34.0) Force TLSv1.1 (Added in 7.34.0) .IP CURL_SSLVERSION_TLSv1_2 Force TLSv1.2 (Added in 7.34.0) +.IP CURL_SSLVERSION_TLSv1_3 +Force TLSv1.3 (Added in 7.51.1) .RE .IP CURLOPT_SSL_VERIFYPEER Pass a long as parameter. By default, curl assumes a value of 1. diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index e2cce4c..a66bd97 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -685,6 +685,7 @@ CURL_SSLVERSION_TLSv1 7.9.2 CURL_SSLVERSION_TLSv1_0 7.34.0 CURL_SSLVERSION_TLSv1_1 7.34.0 CURL_SSLVERSION_TLSv1_2 7.34.0 +CURL_SSLVERSION_TLSv1_3 7.51.1 CURL_TIMECOND_IFMODSINCE 7.9.7 CURL_TIMECOND_IFUNMODSINCE 7.9.7 CURL_TIMECOND_LASTMOD 7.9.7 diff --git a/include/curl/curl.h b/include/curl/curl.h index 8b639fa..0fb1885 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -1645,6 +1645,7 @@ enum { CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, CURL_SSLVERSION_TLSv1_2, + CURL_SSLVERSION_TLSv1_3, CURL_SSLVERSION_LAST /* never use, keep last */ }; diff --git a/lib/nss.c b/lib/nss.c index 31e5d75..8e26d1f 100644 --- a/lib/nss.c +++ b/lib/nss.c 
@@ -1331,6 +1331,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, sslver->min = SSL_LIBRARY_VERSION_TLS_1_2; sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; return CURLE_OK; +#endif + break; + + case CURL_SSLVERSION_TLSv1_3: +#ifdef SSL_LIBRARY_VERSION_TLS_1_3 + sslver->min = SSL_LIBRARY_VERSION_TLS_1_3; + sslver->max = SSL_LIBRARY_VERSION_TLS_1_3; + return CURLE_OK; #endif break; } diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in index 22a5511..30e6506 100644 --- a/packages/OS400/curl.inc.in +++ b/packages/OS400/curl.inc.in @@ -232,6 +232,8 @@ d c 5 d CURL_SSLVERSION_TLSv1_2... d c 6 + d CURL_SSLVERSION_TLSv1_3... + d c 7 * d CURL_TLSAUTH_NONE... d c 0 -- 2.17.2 From d18da081cc26df5605b5a2995615660eb3270712 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 27 Oct 2016 14:58:43 +0200 Subject: [PATCH 2/5] curl: introduce the --tlsv1.3 option to force TLS 1.3 Fully implemented with the NSS backend only for now. Reviewed-by: Ray Satiro Upstream-commit: a110a03b43057879643046538c79cc9dd20d399a Signed-off-by: Kamil Dudka --- docs/curl.1 | 10 +++++++--- src/tool_getparam.c | 5 +++++ src/tool_help.c | 1 + src/tool_setopt.c | 1 + 4 files changed, 14 insertions(+), 3 deletions(-) diff --git a/docs/curl.1 b/docs/curl.1 index a26b03c..0c5ed9a 100644 --- a/docs/curl.1 +++ b/docs/curl.1 @@ -118,9 +118,9 @@ internally preferred: HTTP 1.1. .IP "-1, --tlsv1" (SSL) Forces curl to use TLS version 1.x when negotiating with a remote TLS server. -You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to -control the TLS version more precisely (if the SSL backend in use supports such -a level of control). +You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and +\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend +in use supports such a level of control). .IP "-2, --sslv2" (SSL) Forces curl to use SSL version 2 when negotiating with a remote SSL server. 
@@ -1469,6 +1469,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server. (SSL) Forces curl to use TLS version 1.2 when negotiating with a remote TLS server. (Added in 7.34.0) +.IP "--tlsv1.3" +(SSL) +Forces curl to use TLS version 1.3 when negotiating with a remote TLS server. +(Added in 7.51.1) .IP "--tr-encoding" (HTTP) Request a compressed Transfer-Encoding response using one of the algorithms curl supports, and uncompress the data while receiving it. diff --git a/src/tool_getparam.c b/src/tool_getparam.c index 32fc68b..86a7bb6 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -179,6 +179,7 @@ static const struct LongShort aliases[]= { {"10", "tlsv1.0", FALSE}, {"11", "tlsv1.1", FALSE}, {"12", "tlsv1.2", FALSE}, + {"13", "tlsv1.3", FALSE}, {"2", "sslv2", FALSE}, {"3", "sslv3", FALSE}, {"4", "ipv4", FALSE}, @@ -1000,6 +1001,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ /* TLS version 1.2 */ config->ssl_version = CURL_SSLVERSION_TLSv1_2; break; + case '3': + /* TLS version 1.3 */ + config->ssl_version = CURL_SSLVERSION_TLSv1_3; + break; } break; case '2': diff --git a/src/tool_help.c b/src/tool_help.c index c2883eb..0659db6 100644 --- a/src/tool_help.c +++ b/src/tool_help.c @@ -205,6 +205,7 @@ static const char *const helptext[] = { " --tlsv1.0 Use TLSv1.0 (SSL)", " --tlsv1.1 Use TLSv1.1 (SSL)", " --tlsv1.2 Use TLSv1.2 (SSL)", + " --tlsv1.3 Use TLSv1.3 (SSL)", " --trace FILE Write a debug trace to the given file", " --trace-ascii FILE Like --trace but without the hex output", " --trace-time Add time stamps to trace/verbose output", diff --git a/src/tool_setopt.c b/src/tool_setopt.c index 5ae32cd..0534118 100644 --- a/src/tool_setopt.c +++ b/src/tool_setopt.c @@ -81,6 +81,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = { NV(CURL_SSLVERSION_TLSv1_0), NV(CURL_SSLVERSION_TLSv1_1), NV(CURL_SSLVERSION_TLSv1_2), + NV(CURL_SSLVERSION_TLSv1_3), NVEND, }; -- 2.17.2 
From 6ffdc6a1ca867c0ed228ffba172cb910b77011f0 Mon Sep 17 00:00:00 2001 From: Jozef Kralik Date: Tue, 13 Dec 2016 21:10:00 +0100 Subject: [PATCH 3/5] vtls: add options to specify range of enabled TLS versions This commit introduces the CURL_SSLVERSION_MAX_* constants as well as the --tls-max option of the curl tool. Closes https://github.com/curl/curl/pull/1166 Upstream-commit: 6448f98c1857de521fb2dd3f9d4e5659845b5474 Signed-off-by: Kamil Dudka --- docs/curl.1 | 21 ++++++- docs/libcurl/curl_easy_setopt.3 | 18 +++++- docs/libcurl/symbols-in-versions | 8 ++- include/curl/curl.h | 12 ++++ lib/nss.c | 94 ++++++++++++++++++++++---------- lib/sslgen.c | 2 + lib/url.c | 7 ++- lib/urldata.h | 1 + src/tool_cfgable.h | 1 + src/tool_getparam.c | 6 ++ src/tool_help.c | 1 + src/tool_operate.c | 3 +- src/tool_paramhlp.c | 32 +++++++++++ src/tool_paramhlp.h | 2 + 14 files changed, 175 insertions(+), 33 deletions(-) diff --git a/docs/curl.1 b/docs/curl.1 index 0c5ed9a..35fae14 100644 --- a/docs/curl.1 +++ b/docs/curl.1 @@ -1472,7 +1472,26 @@ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server. .IP "--tlsv1.3" (SSL) Forces curl to use TLS version 1.3 when negotiating with a remote TLS server. -(Added in 7.51.1) +(Added in 7.52.0) +.IP "--tls-max " +(SSL) VERSION defines maximum supported TLS version. The minimum acceptable version +is set by tlsv1.0, tlsv1.1, tlsv1.2 or tlsv1.3. + +.RS +.IP "default" +Use up to recommended TLS version. +.IP "1.0" +Use up to TLSv1.0. +.IP "1.1" +Use up to TLSv1.1. +.IP "1.2" +Use up to TLSv1.2. +.IP "1.3" +Use up to TLSv1.3. +.RE + +See also \fI--tlsv1.0\fP and \fI--tlsv1.1\fP and \fI--tlsv1.2\fP and +\fI--tlsv1.3\fP. Added in 7.54.0. .IP "--tr-encoding" (HTTP) Request a compressed Transfer-Encoding response using one of the algorithms curl supports, and uncompress the data while receiving it. diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index 226e0ca..55d207e 100644 
--- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -2263,7 +2263,23 @@ Force TLSv1.1 (Added in 7.34.0) .IP CURL_SSLVERSION_TLSv1_2 Force TLSv1.2 (Added in 7.34.0) .IP CURL_SSLVERSION_TLSv1_3 -Force TLSv1.3 (Added in 7.51.1) +Force TLSv1.3 (Added in 7.52.0) +.IP CURL_SSLVERSION_MAX_DEFAULT +The flag defines maximum supported TLS version as TLSv1.2 or default +value from SSL library. +(Added in 7.54.0) +.IP CURL_SSLVERSION_MAX_TLSv1_0 +The flag defines maximum supported TLS version as TLSv1.0. +(Added in 7.54.0) +.IP CURL_SSLVERSION_MAX_TLSv1_1 +The flag defines maximum supported TLS version as TLSv1.1. +(Added in 7.54.0) +.IP CURL_SSLVERSION_MAX_TLSv1_2 +The flag defines maximum supported TLS version as TLSv1.2. +(Added in 7.54.0) +.IP CURL_SSLVERSION_MAX_TLSv1_3 +The flag defines maximum supported TLS version as TLSv1.3. +(Added in 7.54.0) .RE .IP CURLOPT_SSL_VERIFYPEER Pass a long as parameter. By default, curl assumes a value of 1. diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index a66bd97..34e0ac3 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -685,7 +685,13 @@ CURL_SSLVERSION_TLSv1 7.9.2 CURL_SSLVERSION_TLSv1_0 7.34.0 CURL_SSLVERSION_TLSv1_1 7.34.0 CURL_SSLVERSION_TLSv1_2 7.34.0 -CURL_SSLVERSION_TLSv1_3 7.51.1 +CURL_SSLVERSION_TLSv1_3 7.52.0 +CURL_SSLVERSION_MAX_NONE 7.54.0 +CURL_SSLVERSION_MAX_DEFAULT 7.54.0 +CURL_SSLVERSION_MAX_TLSv1_0 7.54.0 +CURL_SSLVERSION_MAX_TLSv1_1 7.54.0 +CURL_SSLVERSION_MAX_TLSv1_2 7.54.0 +CURL_SSLVERSION_MAX_TLSv1_3 7.54.0 CURL_TIMECOND_IFMODSINCE 7.9.7 CURL_TIMECOND_IFUNMODSINCE 7.9.7 CURL_TIMECOND_LASTMOD 7.9.7 diff --git a/include/curl/curl.h b/include/curl/curl.h index 0fb1885..5a46925 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h 
@@ -1650,6 +1650,18 @@ enum { CURL_SSLVERSION_LAST /* never use, keep last */ }; +enum { + CURL_SSLVERSION_MAX_NONE = 0, + CURL_SSLVERSION_MAX_DEFAULT = (CURL_SSLVERSION_TLSv1 << 16), + CURL_SSLVERSION_MAX_TLSv1_0 = (CURL_SSLVERSION_TLSv1_0 << 16), + CURL_SSLVERSION_MAX_TLSv1_1 = (CURL_SSLVERSION_TLSv1_1 << 16), + CURL_SSLVERSION_MAX_TLSv1_2 = (CURL_SSLVERSION_TLSv1_2 << 16), + CURL_SSLVERSION_MAX_TLSv1_3 = (CURL_SSLVERSION_TLSv1_3 << 16), + + /* never use, keep last */ + CURL_SSLVERSION_MAX_LAST = (CURL_SSLVERSION_LAST << 16) +}; + enum CURL_TLSAUTH { CURL_TLSAUTH_NONE, CURL_TLSAUTH_SRP, diff --git a/lib/nss.c b/lib/nss.c index 8e26d1f..d8e481b 100644 --- a/lib/nss.c +++ b/lib/nss.c 
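Review bot: Nothing in the new enum tells an API user that these values are meant to be bitwise-ORed with a CURL_SSLVERSION_* minimum in the same CURLOPT_SSLVERSION argument; the `<< 16` layout is only explained by the `& 0xffff` / `& 0xffff0000` masks in lib/url.c and the `|` in tool_operate.c elsewhere in this patch, so a caller passing a MAX_ value alone gets minimum DEFAULT without any hint. A short comment above the enum would fix that, e.g. `/* OR one of these with a CURL_SSLVERSION_* value: CURLOPT_SSLVERSION keeps the minimum in the low 16 bits and the maximum in the high 16; MAX_NONE leaves the maximum unset. */`. Since the diffstat shows lib/nss.c as the only backend touched, it is presumably the only one that honors the maximum; saying so in the same comment (or in curl_easy_setopt.3) stops applications from assuming a cap is enforced on every build.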
@@ -1284,67 +1284,105 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn, return CURLE_OK; } -static CURLcode nss_init_sslver(SSLVersionRange *sslver, - struct SessionHandle *data) +static CURLcode nss_sslver_from_curl(PRUint16 *nssver, long version) { - switch (data->set.ssl.version) { - default: - case CURL_SSLVERSION_DEFAULT: - break; - + switch(version) { case CURL_SSLVERSION_TLSv1: - sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; #ifdef SSL_LIBRARY_VERSION_TLS_1_2 - sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; + *nssver = SSL_LIBRARY_VERSION_TLS_1_2; #elif defined SSL_LIBRARY_VERSION_TLS_1_1 - sslver->max = SSL_LIBRARY_VERSION_TLS_1_1; + *nssver = SSL_LIBRARY_VERSION_TLS_1_1; #else - sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; + *nssver = SSL_LIBRARY_VERSION_TLS_1_0; #endif return CURLE_OK; case CURL_SSLVERSION_SSLv2: - sslver->min = SSL_LIBRARY_VERSION_2; - sslver->max = SSL_LIBRARY_VERSION_2; + *nssver = SSL_LIBRARY_VERSION_2; return CURLE_OK; case CURL_SSLVERSION_SSLv3: - sslver->min = SSL_LIBRARY_VERSION_3_0; - sslver->max = SSL_LIBRARY_VERSION_3_0; + *nssver = SSL_LIBRARY_VERSION_3_0; return CURLE_OK; case CURL_SSLVERSION_TLSv1_0: - sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; - sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; + *nssver = SSL_LIBRARY_VERSION_TLS_1_0; return CURLE_OK; case CURL_SSLVERSION_TLSv1_1: #ifdef SSL_LIBRARY_VERSION_TLS_1_1 - sslver->min = SSL_LIBRARY_VERSION_TLS_1_1; - sslver->max = SSL_LIBRARY_VERSION_TLS_1_1; + *nssver = SSL_LIBRARY_VERSION_TLS_1_1; return CURLE_OK; +#else + return CURLE_SSL_CONNECT_ERROR; #endif - break; case CURL_SSLVERSION_TLSv1_2: #ifdef SSL_LIBRARY_VERSION_TLS_1_2 - sslver->min = SSL_LIBRARY_VERSION_TLS_1_2; - sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; + *nssver = SSL_LIBRARY_VERSION_TLS_1_2; return CURLE_OK; +#else + return CURLE_SSL_CONNECT_ERROR; #endif - break; case CURL_SSLVERSION_TLSv1_3: #ifdef SSL_LIBRARY_VERSION_TLS_1_3 - sslver->min = SSL_LIBRARY_VERSION_TLS_1_3; - sslver->max = 
SSL_LIBRARY_VERSION_TLS_1_3; + *nssver = SSL_LIBRARY_VERSION_TLS_1_3; return CURLE_OK; +#else + return CURLE_SSL_CONNECT_ERROR; #endif + + default: + return CURLE_SSL_CONNECT_ERROR; + } +} + +static CURLcode nss_init_sslver(SSLVersionRange *sslver, + struct SessionHandle *data) +{ + CURLcode result; + const long min = data->set.ssl.version; + const long max = data->set.ssl.version_max; + + if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) { + /* map CURL_SSLVERSION_DEFAULT to NSS default */ + if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess) + return CURLE_SSL_CONNECT_ERROR; + /* ... but make sure we use at least TLSv1.0 according to libcurl API */ + if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0) + sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; + } + + switch(min) { + case CURL_SSLVERSION_DEFAULT: + break; + case CURL_SSLVERSION_TLSv1: + sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; break; + default: + result = nss_sslver_from_curl(&sslver->min, min); + if(result) { + failf(data, "unsupported min version passed via CURLOPT_SSLVERSION"); + return result; + } + if(max == CURL_SSLVERSION_MAX_NONE) + sslver->max = sslver->min; + } + + switch(max) { + case CURL_SSLVERSION_MAX_NONE: + case CURL_SSLVERSION_MAX_DEFAULT: + break; + default: + result = nss_sslver_from_curl(&sslver->max, max >> 16); + if(result) { + failf(data, "unsupported max version passed via CURLOPT_SSLVERSION"); + return result; + } } - failf(data, "TLS minor version cannot be set"); - return CURLE_SSL_CONNECT_ERROR; + return CURLE_OK; } static CURLcode nss_fail_connect(struct ssl_connect_data *connssl, @@ -1400,7 +1438,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) CURLcode curlerr; SSLVersionRange sslver = { - SSL_LIBRARY_VERSION_3_0, /* min */ + SSL_LIBRARY_VERSION_TLS_1_0, /* min */ SSL_LIBRARY_VERSION_TLS_1_0 /* max */ }; diff --git a/lib/sslgen.c b/lib/sslgen.c index 79cbb6f..d917f05 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c 
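Review bot: In the rewritten nss_init_sslver a minimum of CURL_SSLVERSION_TLSv1 with CURL_SSLVERSION_MAX_NONE never assigns `sslver->max`: the first `if` is skipped, `case CURL_SSLVERSION_TLSv1:` only sets `sslver->min` and breaks, and `switch(max)` breaks on MAX_NONE, so the maximum stays at whatever the caller initialized — which the sibling hunk in nss_setup_connect now sets to SSL_LIBRARY_VERSION_TLS_1_0, presumably the value passed in. `curl --tlsv1` (documented as "TLS 1.x") therefore silently negotiates TLS 1.0 only, whereas the removed code set max to TLS 1.2 when available. The smallest fix is to route that case through the default-range branch, `if(min == CURL_SSLVERSION_DEFAULT || min == CURL_SSLVERSION_TLSv1 || max == CURL_SSLVERSION_MAX_DEFAULT)`, which is what PATCH 5/5 of this series ends up doing; alternatively assign `sslver->max` explicitly in that case. With min now handled in the switch and max mapping TLSv1 to MAX_DEFAULT, the `case CURL_SSLVERSION_TLSv1:` arm of nss_sslver_from_curl is unreachable and could be dropped or commented as such. The function also accepts min > max combinations (e.g. TLSv1_2 with MAX_TLSv1_0) without a `failf`; NSS presumably rejects the range later, but naming the conflict here would give users a clearer error than a generic connect failure.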
@@ -86,6 +86,7 @@ Curl_ssl_config_matches(struct ssl_config_data* data, struct ssl_config_data* needle) { if((data->version == needle->version) && + (data->version_max == needle->version_max) && (data->verifypeer == needle->verifypeer) && (data->verifyhost == needle->verifyhost) && safe_strequal(data->CApath, needle->CApath) && @@ -107,6 +108,7 @@ Curl_clone_ssl_config(struct ssl_config_data *source, dest->verifyhost = source->verifyhost; dest->verifypeer = source->verifypeer; dest->version = source->version; + dest->version_max = source->version_max; if(source->CAfile) { dest->CAfile = strdup(source->CAfile); diff --git a/lib/url.c b/lib/url.c index cb3f3c3..cc099a5 100644 --- a/lib/url.c +++ b/lib/url.c @@ -667,6 +667,9 @@ CURLcode Curl_open(struct SessionHandle **curl) return res; } +#define C_SSLVERSION_VALUE(x) (x & 0xffff) +#define C_SSLVERSION_MAX_VALUE(x) (x & 0xffff0000) + CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, va_list param) { @@ -882,7 +885,9 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, * Set explicit SSL version to try to connect with, as some SSL * implementations are lame. */ - data->set.ssl.version = va_arg(param, long); + arg = va_arg(param, long); + data->set.ssl.version = C_SSLVERSION_VALUE(arg); + data->set.ssl.version_max = C_SSLVERSION_MAX_VALUE(arg); break; #ifndef CURL_DISABLE_HTTP diff --git a/lib/urldata.h b/lib/urldata.h index d10c784..a5027ed 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -335,6 +335,7 @@ struct ssl_connect_data { struct ssl_config_data { long version; /* what version the client wants to use */ + long version_max; /* max supported version the client wants to use*/ long certverifyresult; /* result from the certificate verification */ bool verifypeer; /* set TRUE if this is desired */ diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h index 68d0297..5f45f63 100644 --- a/src/tool_cfgable.h +++ b/src/tool_cfgable.h 
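Review bot: The two helper macros added to lib/url.c do not parenthesize their argument, so `C_SSLVERSION_VALUE(a | b)` would expand to `a | b & 0xffff` and bind as `a | (b & 0xffff)`; write them as `#define C_SSLVERSION_VALUE(x) ((x) & 0xffff)` and `#define C_SSLVERSION_MAX_VALUE(x) ((x) & 0xffff0000)`. The only caller in this patch passes a plain variable, so nothing misbehaves today, but these masks are the de-facto definition of the CURLOPT_SSLVERSION encoding and should be robust. A one-line comment above them naming that encoding (minimum in the low 16 bits, maximum in the high 16) would also help, since the public header enum does not say it.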
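Review bot: The CURLOPT_SSLVERSION handler now splits the argument into two fields but still accepts any long: a minimum at or above CURL_SSLVERSION_LAST, a maximum at or above CURL_SSLVERSION_MAX_LAST, or a negative value is stored into `data->set.ssl` without complaint and surfaces, if at all, only as a connect-time error inside a backend. Since this hunk's masks define the encoding, it is the natural place to reject malformed input up front with CURLE_BAD_FUNCTION_ARGUMENT (if that is the convention this Curl_setopt follows for out-of-range values). Only lib/nss.c is changed to read version_max in this patch, so on other backends a requested cap looks like it would be silently ignored rather than rejected — I cannot see those backends here, but either a `failf` there or a documented caveat is needed so a caller asking for MAX_TLSv1_2 knows whether it is enforced.
```c
    arg = va_arg(param, long);
    /* low 16 bits: minimum (CURL_SSLVERSION_*), high 16 bits: maximum
       (CURL_SSLVERSION_MAX_*); refuse anything outside the enum ranges */
    if(arg < 0 ||
       C_SSLVERSION_VALUE(arg) >= CURL_SSLVERSION_LAST ||
       C_SSLVERSION_MAX_VALUE(arg) >= CURL_SSLVERSION_MAX_LAST)
      return CURLE_BAD_FUNCTION_ARGUMENT;
    data->set.ssl.version = C_SSLVERSION_VALUE(arg);
    data->set.ssl.version_max = C_SSLVERSION_MAX_VALUE(arg);
    break;
```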
@@ -146,6 +146,7 @@ struct Configurable { struct curl_slist *postquote; struct curl_slist *prequote; long ssl_version; + long ssl_version_max; long ip_version; curl_TimeCond timecond; time_t condtime; diff --git a/src/tool_getparam.c b/src/tool_getparam.c index 86a7bb6..9a228b9 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -174,6 +174,7 @@ static const struct LongShort aliases[]= { {"$I", "post303", FALSE}, {"$J", "metalink", FALSE}, {"$M", "unix-socket", TRUE}, + {"$X", "tls-max", TRUE}, {"0", "http1.0", FALSE}, {"1", "tlsv1", FALSE}, {"10", "tlsv1.0", FALSE}, @@ -968,6 +969,11 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ case 'M': /* --unix-socket */ GetStr(&config->unix_socket_path, nextarg); break; + case 'X': /* --tls-max */ + err = str2tls_max(&config->ssl_version_max, nextarg); + if(err) + return err; + break; } break; case '#': /* --progress-bar */ diff --git a/src/tool_help.c b/src/tool_help.c index 0659db6..3eeef6d 100644 --- a/src/tool_help.c +++ b/src/tool_help.c @@ -206,6 +206,7 @@ static const char *const helptext[] = { " --tlsv1.1 Use TLSv1.1 (SSL)", " --tlsv1.2 Use TLSv1.2 (SSL)", " --tlsv1.3 Use TLSv1.3 (SSL)", + " --tls-max VERSION Use TLS up to VERSION (SSL)", " --trace FILE Write a debug trace to the given file", " --trace-ascii FILE Like --trace but without the hex output", " --trace-time Add time stamps to trace/verbose output", diff --git a/src/tool_operate.c b/src/tool_operate.c index 185f9c6..052def1 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c @@ -1109,7 +1109,8 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[]) } #endif - my_setopt_enum(curl, CURLOPT_SSLVERSION, config->ssl_version); + my_setopt_enum(curl, CURLOPT_SSLVERSION, + config->ssl_version | config->ssl_version_max); my_setopt_enum(curl, CURLOPT_TIMECONDITION, config->timecond); my_setopt(curl, CURLOPT_TIMEVALUE, config->condtime); my_setopt_str(curl, CURLOPT_CUSTOMREQUEST, config->customrequest); 
diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c index 5d6f8bb..5ceddb2 100644 --- a/src/tool_paramhlp.c +++ b/src/tool_paramhlp.c @@ -405,3 +405,35 @@ long delegation(struct Configurable *config, char *str) return CURLGSSAPI_DELEGATION_NONE; } +/* + * Parse the string and modify ssl_version in the val argument. Return PARAM_OK + * on success, otherwise a parameter error enum. ONLY ACCEPTS POSITIVE NUMBERS! + * + * Since this function gets called with the 'nextarg' pointer from within the + * getparameter a lot, we must check it for NULL before accessing the str + * data. + */ + +ParameterError str2tls_max(long *val, const char *str) +{ + static struct s_tls_max { + const char *tls_max_str; + long tls_max; + } const tls_max_array[] = { + { "default", CURL_SSLVERSION_MAX_DEFAULT }, + { "1.0", CURL_SSLVERSION_MAX_TLSv1_0 }, + { "1.1", CURL_SSLVERSION_MAX_TLSv1_1 }, + { "1.2", CURL_SSLVERSION_MAX_TLSv1_2 }, + { "1.3", CURL_SSLVERSION_MAX_TLSv1_3 } + }; + size_t i = 0; + if(!str) + return PARAM_REQUIRES_PARAMETER; + for(i = 0; i < sizeof(tls_max_array)/sizeof(tls_max_array[0]); i++) { + if(!strcmp(str, tls_max_array[i].tls_max_str)) { + *val = tls_max_array[i].tls_max; + return PARAM_OK; + } + } + return PARAM_BAD_USE; +} diff --git a/src/tool_paramhlp.h b/src/tool_paramhlp.h index de1604e..c848d1c 100644 --- a/src/tool_paramhlp.h +++ b/src/tool_paramhlp.h @@ -48,5 +48,7 @@ int ftpcccmethod(struct Configurable *config, const char *str); long delegation(struct Configurable *config, char *str); +ParameterError str2tls_max(long *val, const char *str); + #endif /* HEADER_CURL_TOOL_PARAMHLP_H */ -- 2.20.1 From 6a332224ba66b7ad21f6a874af94c1b7441ca19f Mon Sep 17 00:00:00 2001 From: Hubert Kario Date: Fri, 17 May 2019 17:15:24 +0000 Subject: [PATCH 4/5] nss: allow to specify TLS 1.3 ciphers if supported by NSS Closes #3916 Upstream-commit: 319ae9075efba769c9d5e98e827bb325ad0fcb6f Signed-off-by: Kamil Dudka --- lib/nss.c | 5 +++++ 1 file changed, 5 insertions(+) 
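Review bot: The block comment above str2tls_max is copied from a numeric parser and does not describe this function: it never "modifies ssl_version", it is not "called a lot", and "ONLY ACCEPTS POSITIVE NUMBERS!" is meaningless for a table that includes `"default"`. I would replace it with a comment saying that it maps the --tls-max argument ("default", "1.0", "1.1", "1.2" or "1.3", exact match) to the corresponding CURL_SSLVERSION_MAX_* constant in *val, returning PARAM_OK on success, PARAM_REQUIRES_PARAMETER when str is NULL, and PARAM_BAD_USE for any other string. The NULL guard and the exact strcmp lookup are fine as written; only the documentation is wrong.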
diff --git a/lib/nss.c b/lib/nss.c
index d8e481b..330387c 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -195,6 +195,11 @@ static const cipher_s cipherlist[] = {
   {"dhe_rsa_chacha20_poly1305_sha_256",
    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
 #endif
+#ifdef TLS_AES_256_GCM_SHA384
+  {"aes_128_gcm_sha_256", TLS_AES_128_GCM_SHA256},
+  {"aes_256_gcm_sha_384", TLS_AES_256_GCM_SHA384},
+  {"chacha20_poly1305_sha_256", TLS_CHACHA20_POLY1305_SHA256},
+#endif
 };
 
 static const char* pem_library = "libnsspem.so";
-- 
2.20.1

From 268dcd88beb3d270d5aaeda473d51550ea9a3f84 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Mon, 3 Jun 2019 12:31:21 +0200
Subject: [PATCH 5/5] nss: make `curl --tlsv1` compatible with curl-7.29.0-52.el7

---
 lib/nss.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/nss.c b/lib/nss.c
index 330387c..f963c63 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1350,7 +1350,9 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
   const long min = data->set.ssl.version;
   const long max = data->set.ssl.version_max;
 
-  if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) {
+  if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT
+     || min == CURL_SSLVERSION_TLSv1)
+  {
     /* map CURL_SSLVERSION_DEFAULT to NSS default */
     if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
       return CURLE_SSL_CONNECT_ERROR;
-- 
2.20.1
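Review bot: The new cipherlist entries are guarded only by `#ifdef TLS_AES_256_GCM_SHA384` but also reference TLS_AES_128_GCM_SHA256 and TLS_CHACHA20_POLY1305_SHA256, so an NSS header that defines the first without the others would break the build instead of skipping the block; guarding on all three, `#if defined(TLS_AES_256_GCM_SHA384) && defined(TLS_AES_128_GCM_SHA256) && defined(TLS_CHACHA20_POLY1305_SHA256)`, costs nothing. I believe NSS introduced the three together, so this is defensive rather than a known breakage. A short comment marking these as the TLS 1.3 suites (they carry no key-exchange prefix, unlike the visible dhe_rsa_* entries) would help whoever next reads the --ciphers handling, e.g. `/* TLS 1.3 suites: AEAD only, key exchange is not part of the name */`.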
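Review bot: The condition now also covers CURL_SSLVERSION_TLSv1, but the comment on the next context line still reads `/* map CURL_SSLVERSION_DEFAULT to NSS default */`; update it to `/* start from the NSS default range for DEFAULT, TLSv1 ("1.x") and MAX_DEFAULT */` so the TLSv1 arm is not mistaken for an accident. Loading the NSS default range here is what restores `--tlsv1` to "TLS 1.0 and up" instead of TLS 1.0 only, and nss_init_sslver continues past this hunk: its later `case CURL_SSLVERSION_TLSv1:` (from PATCH 3/5) still lowers `sslver->min` to TLS 1.0 afterwards, so an explicit --tlsv1 overrides a stricter system-wide NSS minimum — presumably intended per the libcurl API, but worth one sentence in the commit message because it matters on crypto-policy deployments. Stylistically the opening brace moved to its own line while the rest of this function uses `) {`; keeping `|| min == CURL_SSLVERSION_TLSv1) {` on the continuation line stays consistent.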