nss: map CURL_SSLVERSION_DEFAULT to NSS default

... but make sure we use at least TLSv1.0 according to libcurl API

Reported-by: Cure53
Reviewed-by: Ray Satiro

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index d224476d50233fb428d65aabe0da258adfee2dcb..9a4737820f4c52f0997c6876df15b747895b37ea 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -8,6 +8,7 @@ Curl and libcurl 7.51.1
 
 This release includes the following changes:
 
+ o nss: map CURL_SSLVERSION_DEFAULT to NSS default
  o
 
 This release includes the following bugfixes:

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index dff15758f785f8e3ee3bd8cf65a75359f67d67b2..5abb574271e7592a85526d45bbb7e89abd40171a 100644 (file)
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
                                 struct Curl_easy *data)
 {
   switch(data->set.ssl.version) {
-  default:
   case CURL_SSLVERSION_DEFAULT:
+    /* map CURL_SSLVERSION_DEFAULT to NSS default */
+    if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
+      return CURLE_SSL_CONNECT_ERROR;
+    /* ... but make sure we use at least TLSv1.0 according to libcurl API */
+    if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
+      sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    return CURLE_OK;
+
   case CURL_SSLVERSION_TLSv1:
     sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */
 #ifdef SSL_LIBRARY_VERSION_TLS_1_2
     sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
 #elif defined SSL_LIBRARY_VERSION_TLS_1_1
@@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
     return CURLE_OK;
 #endif
     break;
+
+  default:
+    /* unsupported SSL/TLS version */
+    break;
   }
 
   failf(data, "TLS minor version cannot be set");