SSL: Follow up work to commits 6a1363128f1107 and 87861c9b0e8155

Changed the failure code when TLS v1.1 and v1.2 is requested but not
supported by older OpenSSL versions, following review from libcurl
peers, and reduced the number of required preprocessor if statements.

diff --git a/lib/ssluse.c b/lib/ssluse.c
index 0faf43cf3e6276ad576aa634f76997e7a4934157..d0a83f740d19b6a9e75ba804f5545cc7064ec20e 100644 (file)
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1568,10 +1568,8 @@ ossl_connect_step1(struct connectdata *conn,
   case CURL_SSLVERSION_TLSv1_0:
     ctx_options |= SSL_OP_NO_SSLv2;
     ctx_options |= SSL_OP_NO_SSLv3;
-#if defined(SSL_OP_NO_TLSv1_1)
+#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
     ctx_options |= SSL_OP_NO_TLSv1_1;
-#endif
-#if defined(SSL_OP_NO_TLSv1_2)
     ctx_options |= SSL_OP_NO_TLSv1_2;
 #endif
     break;
@@ -1581,24 +1579,20 @@ ossl_connect_step1(struct connectdata *conn,
     ctx_options |= SSL_OP_NO_SSLv2;
     ctx_options |= SSL_OP_NO_SSLv3;
     ctx_options |= SSL_OP_NO_TLSv1;
-#if defined(SSL_OP_NO_TLSv1_2)
     ctx_options |= SSL_OP_NO_TLSv1_2;
-#endif
     break;
 
   case CURL_SSLVERSION_TLSv1_2:
     ctx_options |= SSL_OP_NO_SSLv2;
     ctx_options |= SSL_OP_NO_SSLv3;
     ctx_options |= SSL_OP_NO_TLSv1;
-#if defined(SSL_OP_NO_TLSv1_1)
     ctx_options |= SSL_OP_NO_TLSv1_1;
-#endif
     break;
 #endif
 
   default:
-    failf(data, "Unsupported cipher version");
-    return CURLE_SSL_CIPHER;
+    failf(data, "Unsupported SSL protocol version");
+    return CURLE_SSL_CONNECT_ERROR;
   }
 
   SSL_CTX_set_options(connssl->ctx, ctx_options);