From: Daniel Stenberg
Date: Tue, 4 Nov 2025 09:17:28 +0000 (+0100)
Subject: openssl: remove code handling default version
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a8bef390360518d6e89e17d975ac0210cb3b9a8c;p=thirdparty%2Fcurl.git
openssl: remove code handling default version
Since it is no longer actually kept as default internally, that's just dead code.
Follow-up to 9d8998c99408e1adf8eba629fad9f
Closes #19354
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 764d829325..87b00cc252 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2904,6 +2904,8 @@ ossl_set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx,
 long ossl_ssl_version_min = 0;
 long ossl_ssl_version_max = 0;
 #endif
+ /* it cannot be default here */
+ DEBUGASSERT(curl_ssl_version_min != CURL_SSLVERSION_DEFAULT);
 switch(curl_ssl_version_min) {
 case CURL_SSLVERSION_TLSv1: /* TLS 1.x */
 case CURL_SSLVERSION_TLSv1_0:
@@ -2924,18 +2926,6 @@ ossl_set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx, #endif } - /* CURL_SSLVERSION_DEFAULT means that no option was selected. We do not want to pass 0 to SSL_CTX_set_min_proto_version as it would enable all versions down to the lowest supported by the library. So we skip this, and stay with the library default */ - if(curl_ssl_version_min != CURL_SSLVERSION_DEFAULT) { - if(!SSL_CTX_set_min_proto_version(ctx, ossl_ssl_version_min)) { - return CURLE_SSL_CONNECT_ERROR; - } - } - /* ... then, TLS max version */ curl_ssl_version_max = (long)conn_config->version_max;
@@ -2965,9 +2955,9 @@ ossl_set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx,
 break;
 }
- if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
+ if(!SSL_CTX_set_min_proto_version(ctx, ossl_ssl_version_min) ||
+ !SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max))
 return CURLE_SSL_CONNECT_ERROR;
- }
 return CURLE_OK;
 }
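Review bot: The `DEBUGASSERT` added in the first hunk is the only check that keeps `CURL_SSLVERSION_DEFAULT` away from the `SSL_CTX_set_min_proto_version()` call that the last hunk makes unconditional, and in curl `DEBUGASSERT` is compiled out of non-debug builds. If the invariant set up by the earlier commit ever breaks, `ossl_ssl_version_min` would presumably keep its initial 0 (the rest of the switch, and of the function, lies outside these hunks), which the deleted comment describes as enabling every protocol version down to the library's lowest. A runtime guard after the assert would make a release build fail closed instead: `if(curl_ssl_version_min == CURL_SSLVERSION_DEFAULT) return CURLE_SSL_CONNECT_ERROR;`. I would also keep one line of the deleted rationale beside the call, e.g. `/* min must never be 0 here: 0 enables every version the library supports */`.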