From 582743f2e74bce21003373c2e6b02ef9661638f7 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 27 May 2024 23:12:27 +0200 Subject: [PATCH] openssl/gnutls: rectify the TLS version checks for QUIC The versions check wrongly complained and return error if the *minimum* version was set to something less than 1.3. QUIC is always TLS 1.3, but that means minimum 1.2 is still fine to ask for. This also renames the local variable to make the mistake harder to make in the future. Regression shipped in 8.8.0 Follow-up to 3210101088dfa3d6a125 Reported-by: fds242 on github Fixes #13799 Closes #13802 --- lib/vtls/gtls.c | 15 ++++++++------- lib/vtls/openssl.c | 13 +++++++------ 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 262933e50e..8de95df0c2 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -376,9 +376,15 @@ set_ssl_version_min_max(struct Curl_easy *data, long ssl_version = conn_config->version; long ssl_version_max = conn_config->version_max; + if((ssl_version == CURL_SSLVERSION_DEFAULT) || + (ssl_version == CURL_SSLVERSION_TLSv1)) + ssl_version = CURL_SSLVERSION_TLSv1_0; + if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) + ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT; + if(peer->transport == TRNSPRT_QUIC) { - if((ssl_version != CURL_SSLVERSION_DEFAULT) && - (ssl_version < CURL_SSLVERSION_TLSv1_3)) { + if((ssl_version_max != CURL_SSLVERSION_MAX_DEFAULT) && + (ssl_version_max < CURL_SSLVERSION_MAX_TLSv1_3)) { failf(data, "QUIC needs at least TLS version 1.3"); return CURLE_SSL_CONNECT_ERROR; } @@ -386,11 +392,6 @@ set_ssl_version_min_max(struct Curl_easy *data, return CURLE_OK; } - if((ssl_version == CURL_SSLVERSION_DEFAULT) || - (ssl_version == CURL_SSLVERSION_TLSv1)) - ssl_version = CURL_SSLVERSION_TLSv1_0; - if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) - ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT; if(!tls13support) { /* If the running GnuTLS doesn't support TLS 1.3, we must not specify a prioritylist involving that since it will make GnuTLS return an en diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 5796248489..fc0c1c35f5 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3531,7 +3531,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, void *ssl_sessionid = NULL; struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); - const long int ssl_version = conn_config->version; + const long int ssl_version_min = conn_config->version; char * const ssl_cert = ssl_config->primary.clientcert; const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob; const char * const ssl_cert_type = ssl_config->cert_type; @@ -3551,7 +3551,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, switch(transport) { case TRNSPRT_TCP: /* check to see if we've been told to use an explicit SSL/TLS version */ - switch(ssl_version) { + switch(ssl_version_min) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: case CURL_SSLVERSION_TLSv1_0: @@ -3577,11 +3577,12 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, } break; case TRNSPRT_QUIC: - if((ssl_version != CURL_SSLVERSION_DEFAULT) && - (ssl_version < CURL_SSLVERSION_TLSv1_3)) { + if(conn_config->version_max && + (conn_config->version_max != CURL_SSLVERSION_MAX_TLSv1_3)) { failf(data, "QUIC needs at least TLS version 1.3"); return CURLE_SSL_CONNECT_ERROR; - } + } + #ifdef USE_OPENSSL_QUIC req_method = OSSL_QUIC_client_method(); #elif (OPENSSL_VERSION_NUMBER >= 0x10100000L) @@ -3677,7 +3678,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; #endif - switch(ssl_version) { + switch(ssl_version_min) { case CURL_SSLVERSION_SSLv2: case CURL_SSLVERSION_SSLv3: return CURLE_NOT_BUILT_IN;