components/curl/patches/016-curl-disable-sslv3.patch
branchs11-update
changeset 4103 0a3f0d2f2c86
parent 4102 02730b605ff4
child 4111 72fcefade79a
     1 Remove SSLv3 from SSL default due to the POODLE attack.
       
     2 
       
     3 Based on the following curl changeset:
       
     4 
       
     5 commit ec783dc142129d3860e542b443caaa78a6172d56
       
     6 Author: Jay Satiro <[email protected]>
       
     7 Date:   Fri Oct 24 13:41:56 2014 +0200
       
     8 
       
     9     - Remove SSLv3 from the SSL default effectively making the default TLS 1.x.
       
    10     - Update curl_easy_setopt doc.
       
    11 
       
    12 --- ./docs/libcurl/curl_easy_setopt.3.orig	2014-11-11 12:03:20.659217117 -0800
       
    13 +++ ./docs/libcurl/curl_easy_setopt.3	2014-11-11 12:06:57.274210401 -0800
       
    14 @@ -1819,8 +1819,7 @@
       
    15  .RS
       
    16  .IP CURL_SSLVERSION_DEFAULT
       
    17  The default action. This will attempt to figure out the remote SSL protocol
       
    18 -version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
       
    19 -by default with 7.18.1).
       
    20 +version. SSLv2 and SSLv3 are disabled by default.
       
    21  .IP CURL_SSLVERSION_TLSv1
       
    22  Force TLSv1
       
    23  .IP CURL_SSLVERSION_SSLv2
       
    24 --- ./lib/nss.c.orig	2014-11-11 12:08:37.152918397 -0800
       
    25 +++ ./lib/nss.c	2014-11-11 12:11:02.819141917 -0800
       
    26 @@ -1177,12 +1177,6 @@
       
    27    switch (data->set.ssl.version) {
       
    28    default:
       
    29    case CURL_SSLVERSION_DEFAULT:
       
    30 -    ssl3 = PR_TRUE;
       
    31 -    if (data->state.ssl_connect_retry)
       
    32 -      infof(data, "TLS disabled due to previous handshake failure\n");
       
    33 -    else
       
    34 -      tlsv1 = PR_TRUE;
       
    35 -    break;
       
    36    case CURL_SSLVERSION_TLSv1:
       
    37      tlsv1 = PR_TRUE;
       
    38      break;
       
    39 --- ./lib/qssl.c.orig	2014-11-11 12:08:44.037832982 -0800
       
    40 +++ ./lib/qssl.c	2014-11-11 12:12:10.802950719 -0800
       
    41 @@ -192,9 +192,6 @@
       
    42  
       
    43    default:
       
    44    case CURL_SSLVERSION_DEFAULT:
       
    45 -    h->protocol = SSL_VERSION_CURRENT;          /* TLSV1 compat. SSLV[23]. */
       
    46 -    break;
       
    47 -
       
    48    case CURL_SSLVERSION_TLSv1:
       
    49      h->protocol = TLS_VERSION_1;
       
    50      break;
       
    51 --- ./lib/ssluse.c.orig	2014-11-11 12:08:52.156569428 -0800
       
    52 +++ ./lib/ssluse.c	2014-11-11 12:21:38.593664424 -0800
       
    53 @@ -1448,10 +1448,6 @@
       
    54    switch(data->set.ssl.version) {
       
    55    default:
       
    56    case CURL_SSLVERSION_DEFAULT:
       
    57 -    /* we try to figure out version */
       
    58 -    req_method = SSLv23_client_method();
       
    59 -    use_sni(TRUE);
       
    60 -    break;
       
    61    case CURL_SSLVERSION_TLSv1:
       
    62      req_method = TLSv1_client_method();
       
    63      use_sni(TRUE);
       
    64 @@ -1531,9 +1527,9 @@
       
    65  
       
    66    SSL_CTX_set_options(connssl->ctx, ctx_options);
       
    67  
       
    68 -  /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
       
    69 +  /* disable SSLv2 and SSLv3 in the default case (i.e. allow TLSv1) */
       
    70    if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
       
    71 -    SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2);
       
    72 +    SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
       
    73  
       
    74  #if 0
       
    75    /*