romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-15 03:51:41 +03:00
Code Issues Projects Releases Packages Wiki Activity

openssl: check CURL_SSLVERSION_MAX_DEFAULT properly

Browse source 
The definition of these constants does not give a numeric ordering
and MAX_DEFAULT needs to be checked in addition of ciphers and QUIC
checks to apply correctly.

Fixes #19340
Reported-by: Peter Piekarski
Closes #19341
This commit is contained in:
Stefan Eissing 2025-11-03 16:01:56 +01:00 committed by Daniel Stenberg
parent 7e91f24c73
commit cccc65f051
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
lib/vtls/openssl.c
View file

@ -4050,6 +4050,7 @@ static CURLcode ossl_init_method(struct Curl_cfilter *cf,
case TRNSPRT_QUIC:
*pssl_version_min = CURL_SSLVERSION_TLSv1_3;
if(conn_config->version_max &&
(conn_config->version_max != CURL_SSLVERSION_MAX_DEFAULT) &&
(conn_config->version_max != CURL_SSLVERSION_MAX_TLSv1_3)) {
failf(data, "QUIC needs at least TLS version 1.3");
return CURLE_SSL_CONNECT_ERROR;
@ -4245,6 +4246,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
const char *ciphers13 = conn_config->cipher_list13;
if(ciphers13 &&
(!conn_config->version_max ||
(conn_config->version_max == CURL_SSLVERSION_MAX_DEFAULT) ||
(conn_config->version_max >= CURL_SSLVERSION_MAX_TLSv1_3))) {
if(!SSL_CTX_set_ciphersuites(octx->ssl_ctx, ciphers13)) {
failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers13);