vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3

Fully implemented with the NSS backend only for now.

Reviewed-by: Ray Satiro
Kamil Dudka 2016-10-27 14:57:11 +02:00
parent 5d45ced7a4
commit 6ad3add606
11 changed files with 39 additions and 0 deletions


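--- a/<file 1: path not shown on page>
+++ b/<file 1: path not shown on page>
@@ -9,6 +9,7 @@ Curl and libcurl 7.51.1
 This release includes the following changes:
 o nss: map CURL_SSLVERSION_DEFAULT to NSS default
+o vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
 o
 This release includes the following bugfixes: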


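--- a/<file 2: path not shown on page>
+++ b/<file 2: path not shown on page>
@@ -48,6 +48,8 @@ TLSv1.0 (Added in 7.34.0)
 TLSv1.1 (Added in 7.34.0)
 .IP CURL_SSLVERSION_TLSv1_2
 TLSv1.2 (Added in 7.34.0)
+.IP CURL_SSLVERSION_TLSv1_3
+TLSv1.3 (Added in 7.51.1)
 .RE
 .SH DEFAULT
 CURL_SSLVERSION_DEFAULT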


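--- a/<file 3: path not shown on page>
+++ b/<file 3: path not shown on page>
@@ -773,6 +773,7 @@ CURL_SSLVERSION_TLSv1 7.9.2
 CURL_SSLVERSION_TLSv1_0 7.34.0
 CURL_SSLVERSION_TLSv1_1 7.34.0
 CURL_SSLVERSION_TLSv1_2 7.34.0
+CURL_SSLVERSION_TLSv1_3 7.51.1
 CURL_TIMECOND_IFMODSINCE 7.9.7
 CURL_TIMECOND_IFUNMODSINCE 7.9.7
 CURL_TIMECOND_LASTMOD 7.9.7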


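--- a/<file 4: path not shown on page>
+++ b/<file 4: path not shown on page>
@@ -1805,6 +1805,7 @@ enum {
 CURL_SSLVERSION_TLSv1_0,
 CURL_SSLVERSION_TLSv1_1,
 CURL_SSLVERSION_TLSv1_2,
+CURL_SSLVERSION_TLSv1_3,
 CURL_SSLVERSION_LAST /* never use, keep last */
 };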
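Review bot: The new enumerator CURL_SSLVERSION_TLSv1_3 carries no comment, although the backend hunks in this same commit make every backend except NSS reject it only when the connection is attempted, so a reader of this header cannot tell that the value can be accepted by the option setter and still fail later. A short comment on the new line would make that visible, e.g. `CURL_SSLVERSION_TLSv1_3, /* may be rejected at connect time by backends without TLS 1.3 support */`. The enum's opening line is outside the hunk.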


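--- a/<file 5: path not shown on page>
+++ b/<file 5: path not shown on page>
@@ -1071,6 +1071,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
 (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
 break;
+case CURL_SSLVERSION_TLSv1_3:
+failf(data, "TLSv1.3 is not yet supported with this TLS backend");
+return CURLE_SSL_CONNECT_ERROR;
 case CURL_SSLVERSION_SSLv3:
 err = SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
 if(err != noErr) {
@@ -1122,6 +1125,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 kTLSProtocol12,
 true);
 break;
+case CURL_SSLVERSION_TLSv1_3:
+failf(data, "TLSv1.3 is not yet supported with this TLS backend");
+return CURLE_SSL_CONNECT_ERROR;
 case CURL_SSLVERSION_SSLv3:
 err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
 kSSLProtocol3,
@@ -1160,6 +1166,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 case CURL_SSLVERSION_TLSv1_2:
 failf(data, "Your version of the OS does not support TLSv1.2");
 return CURLE_SSL_CONNECT_ERROR;
+case CURL_SSLVERSION_TLSv1_3:
+failf(data, "Your version of the OS does not support TLSv1.3");
+return CURLE_SSL_CONNECT_ERROR;
 case CURL_SSLVERSION_SSLv2:
 err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
 kSSLProtocol2,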
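Review bot: The message added in the third hunk, "Your version of the OS does not support TLSv1.3", tells the user that a newer OS would help, while the first two hunks report that the backend itself does not support TLS 1.3 yet; judging by the neighbouring "does not support TLSv1.2" case the third hunk is presumably the fallback for older OS versions, so that user gets misleading advice. Using the same wording in all three places avoids that: `failf(data, "TLSv1.3 is not yet supported with this TLS backend");`. darwinssl_connect_step1 begins and ends outside the hunks.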


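--- a/<file 6: path not shown on page>
+++ b/<file 6: path not shown on page>
@@ -639,6 +639,9 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
 case CURL_SSLVERSION_TLSv1_2:
 protoflags = CURL_GSKPROTO_TLSV12_MASK;
 break;
+case CURL_SSLVERSION_TLSv1_3:
+failf(data, "TLS 1.3 not yet supported");
+return CURLE_SSL_CIPHER;
 }
 /* Process SNI. Ignore if not supported (on OS400 < V7R1). */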
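Review bot: The new case returns CURLE_SSL_CIPHER, whereas the same unsupported-TLS-1.3 rejection added to darwinssl, gtls, polarssl and schannel in this commit returns CURLE_SSL_CONNECT_ERROR, so an application selecting CURL_SSLVERSION_TLSv1_3 sees a different error code depending on the backend it was linked with. Unless the earlier cases of this switch (outside the hunk) already use CURLE_SSL_CIPHER for unsupported versions, `return CURLE_SSL_CONNECT_ERROR;` keeps the backends consistent. The message could also name the backend as the others do, e.g. `failf(data, "gskit: TLS 1.3 is not yet supported");`. gskit_connect_step1 continues outside the hunk.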


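--- a/<file 7: path not shown on page>
+++ b/<file 7: path not shown on page>
@@ -569,6 +569,9 @@ gtls_connect_step1(struct connectdata *conn,
 break;
 case CURL_SSLVERSION_TLSv1_2:
 protocol_priority[0] = GNUTLS_TLS1_2;
+case CURL_SSLVERSION_TLSv1_3:
+failf(data, "GnuTLS does not support TLSv1.3");
+return CURLE_SSL_CONNECT_ERROR;
 break;
 case CURL_SSLVERSION_SSLv2:
 default:
@@ -607,6 +610,9 @@ gtls_connect_step1(struct connectdata *conn,
 prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
 "+VERS-TLS1.2:" GNUTLS_SRP;
 break;
+case CURL_SSLVERSION_TLSv1_3:
+failf(data, "GnuTLS does not support TLSv1.3");
+return CURLE_SSL_CONNECT_ERROR;
 case CURL_SSLVERSION_SSLv2:
 default:
 failf(data, "GnuTLS does not support SSLv2");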
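Review bot: In the first hunk the new `case CURL_SSLVERSION_TLSv1_3:` is inserted between `protocol_priority[0] = GNUTLS_TLS1_2;` and the `break;` that belonged to it, so the CURL_SSLVERSION_TLSv1_2 case now falls through into the TLS 1.3 branch and every TLS 1.2 connection taking this path fails with "GnuTLS does not support TLSv1.3"; the `break;` left after the `return` is unreachable. The `break;` has to stay with the TLSv1_2 case, i.e. `protocol_priority[0] = GNUTLS_TLS1_2;` then `break;` and only then `case CURL_SSLVERSION_TLSv1_3:`, with the now-dead `break;` after the `return` dropped. The second hunk places its case correctly after the existing `break;`. gtls_connect_step1 begins and ends outside the hunks.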


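--- a/<file 8: path not shown on page>
+++ b/<file 8: path not shown on page>
@@ -1541,6 +1541,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
 #endif
 break;
+case CURL_SSLVERSION_TLSv1_3:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
+sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
+return CURLE_OK;
+#endif
+break;
 default:
 /* unsupported SSL/TLS version */
 break;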
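Review bot: The `break;` after `#endif` is reached only when the NSS headers predate SSL_LIBRARY_VERSION_TLS_1_3, and nothing in the hunk says so; a reader sees an unconditional `return CURLE_OK;` followed by an apparently dead `break;`. A one-line comment on the `#endif` line, `#endif /* NSS too old for TLS 1.3: fall into the unsupported-version handling after the switch */`, would make the compile-time branch explicit. What happens after the switch is outside the hunk, so the wording of that comment should be confirmed against it; nss_init_sslver begins and ends outside the hunk.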


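--- a/<file 9: path not shown on page>
+++ b/<file 9: path not shown on page>
@@ -306,6 +306,9 @@ polarssl_connect_step1(struct connectdata *conn,
 SSL_MINOR_VERSION_3);
 infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.2\n");
 break;
+case CURL_SSLVERSION_TLSv1_3:
+failf(data, "PolarSSL: TLS 1.3 is not yet supported");
+return CURLE_SSL_CONNECT_ERROR;
 }
 ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT);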


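--- a/<file 10: path not shown on page>
+++ b/<file 10: path not shown on page>
@@ -213,6 +213,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
 case CURL_SSLVERSION_TLSv1_2:
 schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT;
 break;
+case CURL_SSLVERSION_TLSv1_3:
+failf(data, "schannel: TLS 1.3 is not yet supported");
+return CURLE_SSL_CONNECT_ERROR;
 case CURL_SSLVERSION_SSLv3:
 schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
 break;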


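--- a/<file 11: path not shown on page>
+++ b/<file 11: path not shown on page>
@@ -258,6 +258,8 @@
 d c 5
 d CURL_SSLVERSION_TLSv1_2...
 d c 6
+d CURL_SSLVERSION_TLSv1_3...
+d c 7
 *
 d CURL_TLSAUTH_NONE...
 d c 0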