Resolves: #1396719 - map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3
This commit is contained in:
parent
40b1d9916f
commit
c38149da81
285
0003-curl-7.51.0-tls-version.patch
Normal file
285
0003-curl-7.51.0-tls-version.patch
Normal file
@ -0,0 +1,285 @@
|
||||
From 53782619bae773a4034bc53b3b0bd858f90190dc Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Thu, 27 Oct 2016 14:27:25 +0200
|
||||
Subject: [PATCH 1/4] nss: map CURL_SSLVERSION_DEFAULT to NSS default
|
||||
|
||||
... but make sure we use at least TLSv1.0 according to libcurl API
|
||||
|
||||
Reported-by: Cure53
|
||||
Reviewed-by: Ray Satiro
|
||||
|
||||
Upstream-commit: 5d45ced7a45ea38e32f1cbf73d7c63a3e4f241e7
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/vtls/nss.c | 14 +++++++++++++-
|
||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||
index dff1575..5abb574 100644
|
||||
--- a/lib/vtls/nss.c
|
||||
+++ b/lib/vtls/nss.c
|
||||
@@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
|
||||
struct Curl_easy *data)
|
||||
{
|
||||
switch(data->set.ssl.version) {
|
||||
- default:
|
||||
case CURL_SSLVERSION_DEFAULT:
|
||||
+ /* map CURL_SSLVERSION_DEFAULT to NSS default */
|
||||
+ if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
|
||||
+ return CURLE_SSL_CONNECT_ERROR;
|
||||
+ /* ... but make sure we use at least TLSv1.0 according to libcurl API */
|
||||
+ if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
|
||||
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
+ return CURLE_OK;
|
||||
+
|
||||
case CURL_SSLVERSION_TLSv1:
|
||||
sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
|
||||
+ /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */
|
||||
#ifdef SSL_LIBRARY_VERSION_TLS_1_2
|
||||
sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
|
||||
#elif defined SSL_LIBRARY_VERSION_TLS_1_1
|
||||
@@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
|
||||
return CURLE_OK;
|
||||
#endif
|
||||
break;
|
||||
+
|
||||
+ default:
|
||||
+ /* unsupported SSL/TLS version */
|
||||
+ break;
|
||||
}
|
||||
|
||||
failf(data, "TLS minor version cannot be set");
|
||||
--
|
||||
2.7.4
|
||||
|
||||
|
||||
From 6a42abb03de6e5afe859313b236f2b776ca51722 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Thu, 27 Oct 2016 14:57:11 +0200
|
||||
Subject: [PATCH 2/4] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
|
||||
|
||||
Fully implemented with the NSS backend only for now.
|
||||
|
||||
Reviewed-by: Ray Satiro
|
||||
|
||||
Upstream-commit: 6ad3add60654182a747f5971afb40817488ef0e8
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 ++
|
||||
docs/libcurl/symbols-in-versions | 1 +
|
||||
include/curl/curl.h | 1 +
|
||||
lib/vtls/nss.c | 8 ++++++++
|
||||
4 files changed, 12 insertions(+)
|
||||
|
||||
diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
|
||||
index 2f40e46..1854af0 100644
|
||||
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
|
||||
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
|
||||
@@ -48,6 +48,8 @@ TLSv1.0 (Added in 7.34.0)
|
||||
TLSv1.1 (Added in 7.34.0)
|
||||
.IP CURL_SSLVERSION_TLSv1_2
|
||||
TLSv1.2 (Added in 7.34.0)
|
||||
+.IP CURL_SSLVERSION_TLSv1_3
|
||||
+TLSv1.3 (Added in 7.51.1)
|
||||
.RE
|
||||
.SH DEFAULT
|
||||
CURL_SSLVERSION_DEFAULT
|
||||
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
|
||||
index f6365ae..a77fde4 100644
|
||||
--- a/docs/libcurl/symbols-in-versions
|
||||
+++ b/docs/libcurl/symbols-in-versions
|
||||
@@ -773,6 +773,7 @@ CURL_SSLVERSION_TLSv1 7.9.2
|
||||
CURL_SSLVERSION_TLSv1_0 7.34.0
|
||||
CURL_SSLVERSION_TLSv1_1 7.34.0
|
||||
CURL_SSLVERSION_TLSv1_2 7.34.0
|
||||
+CURL_SSLVERSION_TLSv1_3 7.51.1
|
||||
CURL_TIMECOND_IFMODSINCE 7.9.7
|
||||
CURL_TIMECOND_IFUNMODSINCE 7.9.7
|
||||
CURL_TIMECOND_LASTMOD 7.9.7
|
||||
diff --git a/include/curl/curl.h b/include/curl/curl.h
|
||||
index 9c09cb9..03fcfeb 100644
|
||||
--- a/include/curl/curl.h
|
||||
+++ b/include/curl/curl.h
|
||||
@@ -1805,6 +1805,7 @@ enum {
|
||||
CURL_SSLVERSION_TLSv1_0,
|
||||
CURL_SSLVERSION_TLSv1_1,
|
||||
CURL_SSLVERSION_TLSv1_2,
|
||||
+ CURL_SSLVERSION_TLSv1_3,
|
||||
|
||||
CURL_SSLVERSION_LAST /* never use, keep last */
|
||||
};
|
||||
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||
index 5abb574..5e52727 100644
|
||||
--- a/lib/vtls/nss.c
|
||||
+++ b/lib/vtls/nss.c
|
||||
@@ -1541,6 +1541,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
|
||||
#endif
|
||||
break;
|
||||
|
||||
+ case CURL_SSLVERSION_TLSv1_3:
|
||||
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
|
||||
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
|
||||
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
|
||||
+ return CURLE_OK;
|
||||
+#endif
|
||||
+ break;
|
||||
+
|
||||
default:
|
||||
/* unsupported SSL/TLS version */
|
||||
break;
|
||||
--
|
||||
2.7.4
|
||||
|
||||
|
||||
From d930268ab522ac7ea7ccd83671d22f57148f3d21 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Thu, 27 Oct 2016 14:58:43 +0200
|
||||
Subject: [PATCH 3/4] curl: introduce the --tlsv1.3 option to force TLS 1.3
|
||||
|
||||
Fully implemented with the NSS backend only for now.
|
||||
|
||||
Reviewed-by: Ray Satiro
|
||||
|
||||
Upstream-commit: a110a03b43057879643046538c79cc9dd20d399a
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/curl.1 | 10 +++++++---
|
||||
src/tool_getparam.c | 5 +++++
|
||||
src/tool_help.c | 1 +
|
||||
src/tool_setopt.c | 1 +
|
||||
4 files changed, 14 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/docs/curl.1 b/docs/curl.1
|
||||
index f5375ed..e9c6150 100644
|
||||
--- a/docs/curl.1
|
||||
+++ b/docs/curl.1
|
||||
@@ -176,9 +176,9 @@ HTTP 2 to negotiate HTTP 2 support with the server during https sessions.
|
||||
.IP "-1, --tlsv1"
|
||||
(SSL)
|
||||
Forces curl to use TLS version 1.x when negotiating with a remote TLS server.
|
||||
-You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to
|
||||
-control the TLS version more precisely (if the SSL backend in use supports such
|
||||
-a level of control).
|
||||
+You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and
|
||||
+\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend
|
||||
+in use supports such a level of control).
|
||||
.IP "-2, --sslv2"
|
||||
(SSL) Forces curl to use SSL version 2 when negotiating with a remote SSL
|
||||
server. Sometimes curl is built without SSLv2 support. SSLv2 is widely
|
||||
@@ -1820,6 +1820,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.
|
||||
(SSL)
|
||||
Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
|
||||
(Added in 7.34.0)
|
||||
+.IP "--tlsv1.3"
|
||||
+(SSL)
|
||||
+Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
|
||||
+(Added in 7.51.1)
|
||||
.IP "--tr-encoding"
|
||||
(HTTP) Request a compressed Transfer-Encoding response using one of the
|
||||
algorithms curl supports, and uncompress the data while receiving it.
|
||||
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
|
||||
index 95dd455..2d16e06 100644
|
||||
--- a/src/tool_getparam.c
|
||||
+++ b/src/tool_getparam.c
|
||||
@@ -190,6 +190,7 @@ static const struct LongShort aliases[]= {
|
||||
{"10", "tlsv1.0", FALSE},
|
||||
{"11", "tlsv1.1", FALSE},
|
||||
{"12", "tlsv1.2", FALSE},
|
||||
+ {"13", "tlsv1.3", FALSE},
|
||||
{"2", "sslv2", FALSE},
|
||||
{"3", "sslv3", FALSE},
|
||||
{"4", "ipv4", FALSE},
|
||||
@@ -1061,6 +1062,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
|
||||
/* TLS version 1.2 */
|
||||
config->ssl_version = CURL_SSLVERSION_TLSv1_2;
|
||||
break;
|
||||
+ case '3':
|
||||
+ /* TLS version 1.3 */
|
||||
+ config->ssl_version = CURL_SSLVERSION_TLSv1_3;
|
||||
+ break;
|
||||
}
|
||||
break;
|
||||
case '2':
|
||||
diff --git a/src/tool_help.c b/src/tool_help.c
|
||||
index fb428c9..9890cc8 100644
|
||||
--- a/src/tool_help.c
|
||||
+++ b/src/tool_help.c
|
||||
@@ -232,6 +232,7 @@ static const char *const helptext[] = {
|
||||
" --tlsv1.0 Use TLSv1.0 (SSL)",
|
||||
" --tlsv1.1 Use TLSv1.1 (SSL)",
|
||||
" --tlsv1.2 Use TLSv1.2 (SSL)",
|
||||
+ " --tlsv1.3 Use TLSv1.3 (SSL)",
|
||||
" --trace FILE Write a debug trace to FILE",
|
||||
" --trace-ascii FILE Like --trace, but without hex output",
|
||||
" --trace-time Add time stamps to trace/verbose output",
|
||||
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
|
||||
index c854225..f3de09d 100644
|
||||
--- a/src/tool_setopt.c
|
||||
+++ b/src/tool_setopt.c
|
||||
@@ -83,6 +83,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
|
||||
NV(CURL_SSLVERSION_TLSv1_0),
|
||||
NV(CURL_SSLVERSION_TLSv1_1),
|
||||
NV(CURL_SSLVERSION_TLSv1_2),
|
||||
+ NV(CURL_SSLVERSION_TLSv1_3),
|
||||
NVEND,
|
||||
};
|
||||
|
||||
--
|
||||
2.7.4
|
||||
|
||||
|
||||
From 2fce531638a12f44ea1fbc52e86ca795a3a4e4e2 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Tue, 15 Nov 2016 12:21:00 +0100
|
||||
Subject: [PATCH 4/4] docs: the next release will be 7.52.0
|
||||
|
||||
Upstream-commit: cfd69c133984a5df3de63b4f8c5f64885c6e33ae
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/curl.1 | 2 +-
|
||||
docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 +-
|
||||
docs/libcurl/symbols-in-versions | 2 +-
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/docs/curl.1 b/docs/curl.1
|
||||
index e9c6150..05d1a8d 100644
|
||||
--- a/docs/curl.1
|
||||
+++ b/docs/curl.1
|
||||
@@ -1823,7 +1823,7 @@ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
|
||||
.IP "--tlsv1.3"
|
||||
(SSL)
|
||||
Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
|
||||
-(Added in 7.51.1)
|
||||
+(Added in 7.52.0)
|
||||
.IP "--tr-encoding"
|
||||
(HTTP) Request a compressed Transfer-Encoding response using one of the
|
||||
algorithms curl supports, and uncompress the data while receiving it.
|
||||
diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
|
||||
index 1854af0..77dfcd4 100644
|
||||
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
|
||||
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
|
||||
@@ -49,7 +49,7 @@ TLSv1.1 (Added in 7.34.0)
|
||||
.IP CURL_SSLVERSION_TLSv1_2
|
||||
TLSv1.2 (Added in 7.34.0)
|
||||
.IP CURL_SSLVERSION_TLSv1_3
|
||||
-TLSv1.3 (Added in 7.51.1)
|
||||
+TLSv1.3 (Added in 7.52.0)
|
||||
.RE
|
||||
.SH DEFAULT
|
||||
CURL_SSLVERSION_DEFAULT
|
||||
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
|
||||
index a77fde4..ef730c8 100644
|
||||
--- a/docs/libcurl/symbols-in-versions
|
||||
+++ b/docs/libcurl/symbols-in-versions
|
||||
@@ -773,7 +773,7 @@ CURL_SSLVERSION_TLSv1 7.9.2
|
||||
CURL_SSLVERSION_TLSv1_0 7.34.0
|
||||
CURL_SSLVERSION_TLSv1_1 7.34.0
|
||||
CURL_SSLVERSION_TLSv1_2 7.34.0
|
||||
-CURL_SSLVERSION_TLSv1_3 7.51.1
|
||||
+CURL_SSLVERSION_TLSv1_3 7.52.0
|
||||
CURL_TIMECOND_IFMODSINCE 7.9.7
|
||||
CURL_TIMECOND_IFUNMODSINCE 7.9.7
|
||||
CURL_TIMECOND_LASTMOD 7.9.7
|
||||
--
|
||||
2.7.4
|
||||
|
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.51.0
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: MIT
|
||||
Group: Applications/Internet
|
||||
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
|
||||
@ -12,6 +12,9 @@ Patch1: 0001-curl-7.51.0-ssh-md5.patch
|
||||
# stricter host name checking for file:// URLs
|
||||
Patch2: 0002-curl-7.51.0-file-host.patch
|
||||
|
||||
# map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
|
||||
Patch3: 0003-curl-7.51.0-tls-version.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -130,6 +133,7 @@ documentation of the library, too.
|
||||
# upstream patches
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
@ -237,6 +241,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_datadir}/aclocal/libcurl.m4
|
||||
|
||||
%changelog
|
||||
* Mon Nov 21 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-3
|
||||
- map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
|
||||
|
||||
* Tue Nov 15 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-2
|
||||
- stricter host name checking for file:// URLs
|
||||
- ssh: check md5 fingerprints case insensitively
|
||||
|
Loading…
Reference in New Issue
Block a user