openssl/gnutls: rectify the TLS version checks for QUIC
The version check wrongly complained and returned an error if the *minimum*
version was set to something less than 1.3. QUIC is always TLS 1.3, but
that means a minimum of 1.2 is still fine to ask for.
This also renames the local variable to make the mistake harder to make
in the future.
Regression shipped in 8.8.0
Follow-up to 3210101088
Reported-by: fds242 on github
Fixes #13799
Closes #13802
This commit is contained in:
parent
7bbad0c033
commit
582743f2e7
@ -376,9 +376,15 @@ set_ssl_version_min_max(struct Curl_easy *data,
|
|||||||
long ssl_version = conn_config->version;
|
long ssl_version = conn_config->version;
|
||||||
long ssl_version_max = conn_config->version_max;
|
long ssl_version_max = conn_config->version_max;
|
||||||
|
|
||||||
|
if((ssl_version == CURL_SSLVERSION_DEFAULT) ||
|
||||||
|
(ssl_version == CURL_SSLVERSION_TLSv1))
|
||||||
|
ssl_version = CURL_SSLVERSION_TLSv1_0;
|
||||||
|
if(ssl_version_max == CURL_SSLVERSION_MAX_NONE)
|
||||||
|
ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;
|
||||||
|
|
||||||
if(peer->transport == TRNSPRT_QUIC) {
|
if(peer->transport == TRNSPRT_QUIC) {
|
||||||
if((ssl_version != CURL_SSLVERSION_DEFAULT) &&
|
if((ssl_version_max != CURL_SSLVERSION_MAX_DEFAULT) &&
|
||||||
(ssl_version < CURL_SSLVERSION_TLSv1_3)) {
|
(ssl_version_max < CURL_SSLVERSION_MAX_TLSv1_3)) {
|
||||||
failf(data, "QUIC needs at least TLS version 1.3");
|
failf(data, "QUIC needs at least TLS version 1.3");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
}
|
}
|
||||||
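Review bot: The rejection now keys on the configured maximum (`ssl_version_max`), but the message on the following line still says "needs at least TLS version 1.3", which reads as a minimum-version complaint and will confuse anyone who set only `--tls-max`. A why-comment above the `if` would also record the reasoning from the commit message, since the minimum is deliberately left unchecked here: `/* QUIC always negotiates TLS 1.3: a lower minimum is harmless, but a maximum below 1.3 can never be satisfied */`. Consider wording the failure as `failf(data, "QUIC requires TLS 1.3 but a lower maximum TLS version was set");`. set_ssl_version_min_max begins and ends outside this hunk.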
@ -386,11 +392,6 @@ set_ssl_version_min_max(struct Curl_easy *data,
|
|||||||
return CURLE_OK;
|
return CURLE_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
if((ssl_version == CURL_SSLVERSION_DEFAULT) ||
|
|
||||||
(ssl_version == CURL_SSLVERSION_TLSv1))
|
|
||||||
ssl_version = CURL_SSLVERSION_TLSv1_0;
|
|
||||||
if(ssl_version_max == CURL_SSLVERSION_MAX_NONE)
|
|
||||||
ssl_version_max = CURL_SSLVERSION_MAX_DEFAULT;
|
|
||||||
if(!tls13support) {
|
if(!tls13support) {
|
||||||
/* If the running GnuTLS doesn't support TLS 1.3, we must not specify a
|
/* If the running GnuTLS doesn't support TLS 1.3, we must not specify a
|
||||||
prioritylist involving that since it will make GnuTLS return an en
|
prioritylist involving that since it will make GnuTLS return an en
|
||||||
|
@ -3531,7 +3531,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
|
|||||||
void *ssl_sessionid = NULL;
|
void *ssl_sessionid = NULL;
|
||||||
struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
|
struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
|
||||||
struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
|
struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
|
||||||
const long int ssl_version = conn_config->version;
|
const long int ssl_version_min = conn_config->version;
|
||||||
char * const ssl_cert = ssl_config->primary.clientcert;
|
char * const ssl_cert = ssl_config->primary.clientcert;
|
||||||
const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob;
|
const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob;
|
||||||
const char * const ssl_cert_type = ssl_config->cert_type;
|
const char * const ssl_cert_type = ssl_config->cert_type;
|
||||||
@ -3551,7 +3551,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
|
|||||||
switch(transport) {
|
switch(transport) {
|
||||||
case TRNSPRT_TCP:
|
case TRNSPRT_TCP:
|
||||||
/* check to see if we've been told to use an explicit SSL/TLS version */
|
/* check to see if we've been told to use an explicit SSL/TLS version */
|
||||||
switch(ssl_version) {
|
switch(ssl_version_min) {
|
||||||
case CURL_SSLVERSION_DEFAULT:
|
case CURL_SSLVERSION_DEFAULT:
|
||||||
case CURL_SSLVERSION_TLSv1:
|
case CURL_SSLVERSION_TLSv1:
|
||||||
case CURL_SSLVERSION_TLSv1_0:
|
case CURL_SSLVERSION_TLSv1_0:
|
||||||
@ -3577,11 +3577,12 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case TRNSPRT_QUIC:
|
case TRNSPRT_QUIC:
|
||||||
if((ssl_version != CURL_SSLVERSION_DEFAULT) &&
|
if(conn_config->version_max &&
|
||||||
(ssl_version < CURL_SSLVERSION_TLSv1_3)) {
|
(conn_config->version_max != CURL_SSLVERSION_MAX_TLSv1_3)) {
|
||||||
failf(data, "QUIC needs at least TLS version 1.3");
|
failf(data, "QUIC needs at least TLS version 1.3");
|
||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef USE_OPENSSL_QUIC
|
#ifdef USE_OPENSSL_QUIC
|
||||||
req_method = OSSL_QUIC_client_method();
|
req_method = OSSL_QUIC_client_method();
|
||||||
#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L)
|
#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L)
|
||||||
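Review bot: The new QUIC condition in Curl_ossl_ctx_init fails on any non-zero version_max other than CURL_SSLVERSION_MAX_TLSv1_3, which as far as I can tell also rejects CURL_SSLVERSION_MAX_DEFAULT, whereas the GnuTLS hunk in this same commit (set_ssl_version_min_max) explicitly exempts MAX_DEFAULT and only fails on a maximum below TLS 1.3. The two backends should agree on what an acceptable maximum is for QUIC; the OpenSSL test could mirror GnuTLS: `if(conn_config->version_max && (conn_config->version_max != CURL_SSLVERSION_MAX_DEFAULT) && (conn_config->version_max < CURL_SSLVERSION_MAX_TLSv1_3)) {`. As in the GnuTLS hunk, the failf text still says "at least" although the check is now on the maximum. The enclosing switch and function continue outside this hunk.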
@ -3677,7 +3678,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
|
|||||||
ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
switch(ssl_version) {
|
switch(ssl_version_min) {
|
||||||
case CURL_SSLVERSION_SSLv2:
|
case CURL_SSLVERSION_SSLv2:
|
||||||
case CURL_SSLVERSION_SSLv3:
|
case CURL_SSLVERSION_SSLv3:
|
||||||
return CURLE_NOT_BUILT_IN;
|
return CURLE_NOT_BUILT_IN;
|
||||||
|