long ssl_version = conn_config->version;
long ssl_version_max = conn_config->version_max;
+ if((ssl_version == CURL_SSLVERSION_DEFAULT) ||
+ (ssl_version == CURL_SSLVERSION_TLSv1))
+ ssl_version = CURL_SSLVERSION_TLSv1_0;
+ if(ssl_version_max == CURL_SSLVERSION_MAX_NONE)
+ ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;
+
if(peer->transport == TRNSPRT_QUIC) {
- if((ssl_version != CURL_SSLVERSION_DEFAULT) &&
- (ssl_version < CURL_SSLVERSION_TLSv1_3)) {
+ if((ssl_version_max != CURL_SSLVERSION_MAX_DEFAULT) &&
+ (ssl_version_max < CURL_SSLVERSION_MAX_TLSv1_3)) {
failf(data, "QUIC needs at least TLS version 1.3");
return CURLE_SSL_CONNECT_ERROR;
}
return CURLE_OK;
}
- if((ssl_version == CURL_SSLVERSION_DEFAULT) ||
- (ssl_version == CURL_SSLVERSION_TLSv1))
- ssl_version = CURL_SSLVERSION_TLSv1_0;
- if(ssl_version_max == CURL_SSLVERSION_MAX_NONE)
- ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;
if(!tls13support) {
/* If the running GnuTLS doesn't support TLS 1.3, we must not specify a
prioritylist involving that since it will make GnuTLS return an en
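Review bot: The QUIC branch now decides only on `ssl_version_max`, so a requested minimum below TLS 1.3 is accepted without comment, and the code does not say why that is safe. A short comment above the check would record the reasoning, for example `/* QUIC always runs TLS 1.3: only a configured maximum below 1.3 can conflict, the minimum is not consulted */`, assuming that is the intent. The failf text "QUIC needs at least TLS version 1.3" now fires when the maximum is too low, which reads as if the minimum were wrong. Something like `failf(data, "QUIC needs TLS 1.3, but the maximum TLS version is set lower");` would point the user at the right option, and the same message is reused in the OpenSSL QUIC hunk. The enclosing function starts before this hunk and continues past it.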
void *ssl_sessionid = NULL;
struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
- const long int ssl_version = conn_config->version;
+ const long int ssl_version_min = conn_config->version;
char * const ssl_cert = ssl_config->primary.clientcert;
const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob;
const char * const ssl_cert_type = ssl_config->cert_type;
switch(transport) {
case TRNSPRT_TCP:
/* check to see if we've been told to use an explicit SSL/TLS version */
- switch(ssl_version) {
+ switch(ssl_version_min) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
case CURL_SSLVERSION_TLSv1_0:
}
break;
case TRNSPRT_QUIC:
- if((ssl_version != CURL_SSLVERSION_DEFAULT) &&
- (ssl_version < CURL_SSLVERSION_TLSv1_3)) {
+ if(conn_config->version_max &&
+ (conn_config->version_max != CURL_SSLVERSION_MAX_TLSv1_3)) {
failf(data, "QUIC needs at least TLS version 1.3");
return CURLE_SSL_CONNECT_ERROR;
- }
+ }
+
#ifdef USE_OPENSSL_QUIC
req_method = OSSL_QUIC_client_method();
#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L)
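Review bot: The OpenSSL QUIC check accepts only an unset maximum or exactly `CURL_SSLVERSION_MAX_TLSv1_3`, which is stricter than the GnuTLS hunk's `!= CURL_SSLVERSION_MAX_DEFAULT` and `< CURL_SSLVERSION_MAX_TLSv1_3` test. The GnuTLS hunk treats `CURL_SSLVERSION_MAX_DEFAULT` as a value distinct from `CURL_SSLVERSION_MAX_NONE`, so an explicitly requested default maximum would apparently be rejected here with a TLS 1.3 error, as would any future maximum above 1.3. Using the same shape in both backends keeps the policy identical: `if((conn_config->version_max != CURL_SSLVERSION_MAX_NONE) && (conn_config->version_max != CURL_SSLVERSION_MAX_DEFAULT) && (conn_config->version_max < CURL_SSLVERSION_MAX_TLSv1_3)) {`. The enclosing switch and function extend beyond this hunk, so how `version_max` is populated should be confirmed against the caller.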
ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
- switch(ssl_version) {
+ switch(ssl_version_min) {
case CURL_SSLVERSION_SSLv2:
case CURL_SSLVERSION_SSLv3:
return CURLE_NOT_BUILT_IN;