curl/docs/libcurl/opts/CURLOPT_SSLVERSION.3
Daniel Stenberg eff614fb02
vtls: refuse setting any SSL version
... previously they were supported if a TLS library would (unexpectedly)
still support them, but from this change they will be refused already in
curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
many years now.

Closes #6773
2021-04-19 08:16:02 +02:00

116 lines
4.3 KiB
Groff

.\" **************************************************************************
.\" * _ _ ____ _
.\" * Project ___| | | | _ \| |
.\" * / __| | | | |_) | |
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
.\" * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
.\" * are also available at https://curl.se/docs/copyright.html.
.\" *
.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
.\" * copies of the Software, and permit persons to whom the Software is
.\" * furnished to do so, under the terms of the COPYING file.
.\" *
.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
.\" * KIND, either express or implied.
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_SSLVERSION 3 "17 Jun 2014" "libcurl 7.37.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_SSLVERSION \- set preferred TLS/SSL version
.SH SYNOPSIS
#include <curl/curl.h>
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLVERSION, long version);
.SH DESCRIPTION
Pass a long as parameter to control which version range of SSL/TLS versions to
use.
The SSL and TLS versions have typically developed from the most insecure
version to be more and more secure in this order through history: SSL v2,
SSLv3, TLS v1.0, TLS v1.1, TLS v1.2 and the most recent TLS v1.3.
Use one of the available defines for this purpose. The available options are:
.RS
.IP CURL_SSLVERSION_DEFAULT
The default acceptable version range. The minimum acceptable version is by
default TLS v1.0 since 7.39.0 (unless the TLS library has a stricter rule).
.IP CURL_SSLVERSION_TLSv1
TLS v1.0 or later
.IP CURL_SSLVERSION_SSLv2
SSL v2 - refused
.IP CURL_SSLVERSION_SSLv3
SSL v3 - refused
.IP CURL_SSLVERSION_TLSv1_0
TLS v1.0 or later (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_1
TLS v1.1 or later (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_2
TLS v1.2 or later (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_3
TLS v1.3 or later (Added in 7.52.0)
.RE
The maximum TLS version can be set by using \fIone\fP of the
CURL_SSLVERSION_MAX_ macros below. It is also possible to OR \fIone\fP of the
CURL_SSLVERSION_ macros with \fIone\fP of the CURL_SSLVERSION_MAX_ macros.
The MAX macros are not supported for WolfSSL.
.RS
.IP CURL_SSLVERSION_MAX_DEFAULT
The flag defines the maximum supported TLS version by libcurl, or the default
value from the SSL library is used. libcurl will use a sensible default
maximum, which was TLS v1.2 up to before 7.61.0 and is TLS v1.3 since then -
assuming the TLS library support it. (Added in 7.54.0)
.IP CURL_SSLVERSION_MAX_TLSv1_0
The flag defines maximum supported TLS version as TLS v1.0.
(Added in 7.54.0)
.IP CURL_SSLVERSION_MAX_TLSv1_1
The flag defines maximum supported TLS version as TLS v1.1.
(Added in 7.54.0)
.IP CURL_SSLVERSION_MAX_TLSv1_2
The flag defines maximum supported TLS version as TLS v1.2.
(Added in 7.54.0)
.IP CURL_SSLVERSION_MAX_TLSv1_3
The flag defines maximum supported TLS version as TLS v1.3.
(Added in 7.54.0)
.RE
In versions of curl prior to 7.54 the CURL_SSLVERSION_TLS options were
documented to allow \fIonly\fP the specified TLS version, but behavior was
inconsistent depending on the TLS library.
.SH DEFAULT
CURL_SSLVERSION_DEFAULT
.SH PROTOCOLS
All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
.SH EXAMPLE
.nf
CURL *curl = curl_easy_init();
if(curl) {
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
/* ask libcurl to use TLS version 1.0 or later */
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
/* Perform the request */
curl_easy_perform(curl);
}
.fi
.SH AVAILABILITY
SSLv2 and SSLv3 are refused completely since curl 7.77.0
SSLv2 is disabled by default since 7.18.1. Other SSL versions availability may
vary depending on which backend libcurl has been built to use.
SSLv3 is disabled by default since 7.39.0.
.SH RETURN VALUE
Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
.SH "SEE ALSO"
.BR CURLOPT_USE_SSL "(3), " CURLOPT_HTTP_VERSION "(3), "
.BR CURLOPT_PROXY_SSLVERSION "(3), " CURLOPT_IPRESOLVE "(3) "