From 85da9873f7c7c72e41e7392cd1479b51776d9dd5 Mon Sep 17 00:00:00 2001
From: John-Mark Bell
Date: Sat, 5 Nov 2022 12:35:42 +0000
Subject: fetchers/curl: disable TLS1.0 and TLS1.1 support

---
 content/fetchers/curl.c | 16 ++++++----------
 content/llcache.c | 2 +-
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index 824b0b318..ab1d978c6 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -233,7 +233,7 @@ struct curl_fetch_info {
 bool abort; /**< Abort requested. */
 bool stopped; /**< Download stopped on purpose. */
 bool only_2xx; /**< Only HTTP 2xx responses acceptable. */
- bool downgrade_tls; /**< Downgrade to TLS <= 1.0 */
+ bool downgrade_tls; /**< Downgrade to TLS 1.2 */
 nsurl *url; /**< URL of this fetch. */
 lwc_string *host; /**< The hostname of this fetch. */
 struct curl_slist *headers; /**< List of request headers. */
@@ -813,7 +813,8 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
 {
 struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
 SSL_CTX *sslctx = _sslctx;
- long options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ long options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+ SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
 
 /* set verify callback for each certificate in chain */
 SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, fetch_curl_verify_callback);
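Review bot: `SSL_OP_NO_TLSv1` and `SSL_OP_NO_TLSv1_1` are OR'd into `options` unconditionally on the new line, while the downgrade block in the following hunk still wraps `SSL_OP_NO_TLSv1_3` in `#ifdef`, and the code this commit removes guarded `SSL_OP_NO_TLSv1_1` the same way; this declaration is now the first place the file hard-requires an OpenSSL that defines both flags. If that floor is intentional, say so next to the initializer, e.g. `/* TLS 1.2 is the minimum we will negotiate; older SSL_OP_NO_* guards are gone on purpose */`, so the next person does not reintroduce an `#ifdef` around one flag and not the other. Where the build can assume OpenSSL 1.1.0 or later, `SSL_CTX_set_min_proto_version(sslctx, TLS1_2_VERSION)` states the same floor in one library-checked call instead of a list of exclusion flags. fetch_curl_sslctxfun continues past the end of this hunk.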
@@ -824,19 +825,14 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
 parm);
 
 if (f->downgrade_tls) {
- /* Disable TLS 1.1/1.2 if the server can't cope with them */
-#ifdef SSL_OP_NO_TLSv1_1
- options |= SSL_OP_NO_TLSv1_1;
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
- options |= SSL_OP_NO_TLSv1_2;
+ /* Disable TLS 1.3 if the server can't cope with it */
+#ifdef SSL_OP_NO_TLSv1_3
+ options |= SSL_OP_NO_TLSv1_3;
 #endif
 #ifdef SSL_MODE_SEND_FALLBACK_SCSV
 /* Ensure server rejects the connection if downgraded too far */
 SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
 #endif
- /* Disable TLS1.2 ciphersuites */
- SSL_CTX_set_cipher_list(sslctx, CIPHER_LIST ":-TLSv1.2");
 }
 
 SSL_CTX_set_options(sslctx, options);
diff --git a/content/llcache.c b/content/llcache.c
index 7db59de0a..f86ae0d42 100644
--- a/content/llcache.c
+++ b/content/llcache.c
@@ -116,7 +116,7 @@ typedef struct {
 bool tried_with_auth; /**< Whether we've tried with auth */
- bool tried_with_tls_downgrade; /**< Whether we've tried TLS <= 1.0 */
+ bool tried_with_tls_downgrade; /**< Whether we've tried TLS 1.2 */
 bool tainted_tls; /**< Whether the TLS transport is tainted */
 } llcache_fetch_ctx;
-- 
cgit v1.2.1
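Review bot: The downgrade block now caps the retry at TLS 1.2 while still enabling `SSL_MODE_SEND_FALLBACK_SCSV`, and the comment above `SSL_CTX_set_mode` does not explain what that combination means for the retry: a server that does support TLS 1.3 will see the fallback SCSV on a 1.2-capped ClientHello and abort with inappropriate_fallback, so only a server that genuinely cannot negotiate 1.3 is reachable on this second attempt. Suggest widening that comment to `/* With TLS 1.3 disabled, a server that does support 1.3 will refuse this attempt (inappropriate_fallback); only servers that truly cannot negotiate 1.3 get through */`. On a build where `SSL_OP_NO_TLSv1_3` is undefined the block changes no protocol bits and the retry repeats the same handshake with the SCSV set, which appears harmless but is worth one line noting that the downgrade is then a no-op. The remainder of fetch_curl_sslctxfun lies outside this hunk.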