Forcing TLS version allows to bypass the OpenSSL OS default #4304
Conversation
And indent preprocessor instructions
|
I also would suggest to replace the implementation of |
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use when available. Existing code is preserved for older versions of OpenSSL.
|
Regarding #4097:
# curl -v --tlsv1.0 --tls-max 1.0 https://www.cloudflare.com/robots.txt
[...]
curl: (35) error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available
# curl -V
curl 7.65.3 (x86_64-pc-linux-gnu) libcurl/7.65.3 OpenSSL/1.1.1c zlib/1.2.11 libidn2/2.2.0 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.39.2 librtmp/2.3
Release-Date: 2019-07-19
[...]
# ./src/curl -v --tlsv1.0 --tls-max 1.0 https://www.cloudflare.com/robots.txt 2>&1 | grep -i "SSL connection\|User-Agent"
* SSL connection using TLSv1.0 / ECDHE-RSA-AES128-SHA
> User-Agent: curl/7.66.0-DEV
User-agent: *
# LD_LIBRARY_PATH=/root/tools/openssl/output/lib ./src/curl -V
curl 7.66.0-DEV (x86_64-pc-linux-gnu) libcurl/7.66.0-DEV OpenSSL/1.0.2t zlib/1.2.11 libidn2/2.2.0
Release-Date: [unreleased]
[...]With TLSv1.2 as the system default: # tail -n3 /etc/ssl/openssl.cnf
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2 |
|
And with an older (<1.1.0) version of OpenSSL which doesn't have # LD_LIBRARY_PATH=/root/tools/openssl/output/lib ./src/curl -V
curl 7.66.0-DEV (x86_64-pc-linux-gnu) libcurl/7.66.0-DEV OpenSSL/1.0.2t zlib/1.2.11 libidn2/2.2.0
[...]
# LD_LIBRARY_PATH=/root/tools/openssl/output/lib ./src/curl -v --tlsv1.0 --tls-max 1.0 https://www.cloudflare.com/robots.txt 2>&1 | grep -i "SSL connection\|User-Agent"
* SSL connection using TLSv1.0 / ECDHE-RSA-AES128-SHA
> User-Agent: curl/7.66.0-DEV
User-agent: *
# LD_LIBRARY_PATH=/root/tools/openssl/output/lib ./src/curl -v --tlsv1.0 https://www.cloudflare.com/robots.txt 2>&1 | grep -i "openssl\|SSL connection\|User-Agent"
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
> User-Agent: curl/7.66.0-DEV
User-agent: * |
|
Well looks like the build is failing... I see why in some cases, and I'll address it, but I'm not sure that this PR is responsible of all errors (some I don't even see where the error is) |
|
The ngtcp2 build failure is totally not your fault. The libressl build failure looks like it needs a better preprocessor check for when the API exists. |
|
Thanks! I'll add a #ifdef around the whole function to prevent the "unused function" warning |
|
Thanks a lot! I squashed them into two commits before merge (primarily because I wanted to do some minor edits and couldn't really figure out to which commit!). |
|
You're welcome, thanks for your quick feedback and your overall work on cURL! |
Fixes #4298
I changed a few stuffs but I tried to group every block in a single commit.
This is my first attempt to contribute to cURL, and I'm not a regular C developer, so I don't mind (and even expect) a thorough review :)
Here are a few tests:
And the fix of the original issue, with a server that only accepts TLS1.0 while the OpenSSL default on my system is TLS1.2: