http://sourceforge.net/tracker/index.php?func=detail&aid=
1767276&group_id=976&atid=350976
Submitted by Kaspar Brand.
The available options are:
.RS
.IP CURL_SSLVERSION_DEFAULT
-The default action. When libcurl built with OpenSSL or NSS, this will attempt
-to figure out the remote SSL protocol version. Unfortunately there are a lot of
-ancient and broken servers in use which cannot handle this technique and will
-fail to connect. When libcurl is built with GnuTLS, this will mean SSLv3.
+The default action. This will attempt to figure out the remote SSL protocol
+version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
+by default with 7.18.1).
.IP CURL_SSLVERSION_TLSv1
Force TLSv1
.IP CURL_SSLVERSION_SSLv2
switch (data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
- ssl2 = ssl3 = tlsv1 = PR_TRUE;
+ ssl3 = tlsv1 = PR_TRUE;
break;
case CURL_SSLVERSION_TLSv1:
tlsv1 = PR_TRUE;
if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
goto error;
+ if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
+ goto error;
+
if(data->set.ssl.cipher_list) {
if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
curlerr = CURLE_SSL_CIPHER;
memset((char *) &initappstr, 0, sizeof initappstr);
initappstr.applicationID = certname;
initappstr.applicationIDLen = strlen(certname);
- initappstr.protocol = SSL_VERSION_CURRENT;
+ initappstr.protocol = TLSV1_SSLV3;
initappstr.sessionType = SSL_REGISTERED_AS_CLIENT;
rc = SSL_Init_Application(&initappstr);
default:
case CURL_SSLVERSION_DEFAULT:
- h->protocol = SSL_VERSION_CURRENT;
+ h->protocol = TLSV1_SSLV3;
break;
case CURL_SSLVERSION_TLSv1:
*/
SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);
+ /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
+ if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
+ SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2);
+
#if 0
/*
* Not sure it's needed to tell SSL_connect() that socket is
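Review bot: The guard `if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)` only disables SSLv2 for the exact DEFAULT value; the other backends in this commit treat any unrecognised version through `default:` as the default case (the `default:` / `case CURL_SSLVERSION_DEFAULT:` pairs in the NSS and qssl hunks), and if the OpenSSL method-selection switch (outside this hunk) does the same, an out-of-range version value would get the version-flexible client method without SSL_OP_NO_SSLv2. Inverting the test to `if(data->set.ssl.version != CURL_SSLVERSION_SSLv2)` closes that gap and is a no-op for the TLSv1/SSLv3-only methods, and the comment should say so: `/* disable SSLv2 unless it was explicitly requested (default: SSLv3 and TLSv1) */`. The enclosing function starts before and ends after this hunk.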