nss: map CURL_SSLVERSION_DEFAULT to NSS default
authorKamil Dudka <kdudka@redhat.com>
Thu, 27 Oct 2016 12:27:25 +0000 (14:27 +0200)
committerKamil Dudka <kdudka@redhat.com>
Mon, 7 Nov 2016 10:51:33 +0000 (11:51 +0100)
... but make sure we use at least TLSv1.0 according to libcurl API

Reported-by: Cure53
Reviewed-by: Ray Satiro
RELEASE-NOTES
lib/vtls/nss.c

index d224476d50233fb428d65aabe0da258adfee2dcb..9a4737820f4c52f0997c6876df15b747895b37ea 100644 (file)
@@ -8,6 +8,7 @@ Curl and libcurl 7.51.1
 
 This release includes the following changes:
 
+ o nss: map CURL_SSLVERSION_DEFAULT to NSS default
  o
 
 This release includes the following bugfixes:
index dff15758f785f8e3ee3bd8cf65a75359f67d67b2..5abb574271e7592a85526d45bbb7e89abd40171a 100644 (file)
@@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
                                 struct Curl_easy *data)
 {
   switch(data->set.ssl.version) {
-  default:
   case CURL_SSLVERSION_DEFAULT:
+    /* map CURL_SSLVERSION_DEFAULT to NSS default */
+    if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
+      return CURLE_SSL_CONNECT_ERROR;
+    /* ... but make sure we use at least TLSv1.0 according to libcurl API */
+    if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
+      sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    return CURLE_OK;
+
   case CURL_SSLVERSION_TLSv1:
     sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */
 #ifdef SSL_LIBRARY_VERSION_TLS_1_2
     sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
 #elif defined SSL_LIBRARY_VERSION_TLS_1_1
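Review bot: The `CURL_SSLVERSION_DEFAULT` branch returns `CURLE_SSL_CONNECT_ERROR` when `SSL_VersionRangeGetDefault()` fails without calling `failf()`, so the application sees a bare connect error with nothing pointing at the NSS version-range lookup; adding `failf(data, "unable to get NSS default SSL/TLS version range");` before that return would match how the function reports its other failure. After `sslver->min` is raised to `SSL_LIBRARY_VERSION_TLS_1_0` it is never compared with `sslver->max`, so a build or policy whose default maximum is below TLS 1.0 would leave an inverted range; that is presumably rejected when the range is applied, but that code is outside the hunk, and an explicit `if(sslver->max < sslver->min)` failure here would make the floor self-contained. It is also worth a comment that the default path now inherits its maximum from NSS while `CURL_SSLVERSION_TLSv1` stays capped at TLS 1.2 per the TODO, so the two settings no longer negotiate the same range. The body of `nss_init_sslver` continues past the end of this hunk.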
@@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
     return CURLE_OK;
 #endif
     break;
+
+  default:
+    /* unsupported SSL/TLS version */
+    break;
   }
 
   failf(data, "TLS minor version cannot be set");
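Review bot: The new `default:` case breaks out to `failf(data, "TLS minor version cannot be set")`, which reads as a limitation of the NSS build rather than an unrecognised `data->set.ssl.version` value, so a caller passing a bad value gets a misleading diagnostic. Rejecting unknown values instead of silently treating them as the default is the right fail-closed behaviour, but the message should say so: either give this case its own wording such as `"unsupported SSL/TLS version requested"`, or at least extend the comment to `/* unsupported SSL/TLS version: reported by the failf() below */` so the shared error path is clearly intentional. The statement after `failf()` and the function's return value are outside the hunk.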