Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/curl/patches/016-curl-disable-sslv3.patch
author Rich Burridge <rich.burridge@oracle.com>
Fri, 14 Nov 2014 05:49:51 -0800
branchs11-update
changeset 3467 de2c1a2b2040
permissions -rw-r--r--
20010069 curl should disable SSLv3 by default

Remove SSLv3 from SSL default due to the POODLE attack.

Based on the following curl changeset:

commit ec783dc142129d3860e542b443caaa78a6172d56
Author: Jay Satiro <[email protected]>
Date:   Fri Oct 24 13:41:56 2014 +0200

    - Remove SSLv3 from the SSL default effectively making the default TLS 1.x.
    - Update curl_easy_setopt doc.

--- ./docs/libcurl/curl_easy_setopt.3.orig	2014-11-11 12:03:20.659217117 -0800
+++ ./docs/libcurl/curl_easy_setopt.3	2014-11-11 12:06:57.274210401 -0800
@@ -1819,8 +1819,7 @@
 .RS
 .IP CURL_SSLVERSION_DEFAULT
 The default action. This will attempt to figure out the remote SSL protocol
-version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
-by default with 7.18.1).
+version. SSLv2 and SSLv3 are disabled by default.
 .IP CURL_SSLVERSION_TLSv1
 Force TLSv1
 .IP CURL_SSLVERSION_SSLv2
--- ./lib/nss.c.orig	2014-11-11 12:08:37.152918397 -0800
+++ ./lib/nss.c	2014-11-11 12:11:02.819141917 -0800
@@ -1177,12 +1177,6 @@
   switch (data->set.ssl.version) {
   default:
   case CURL_SSLVERSION_DEFAULT:
-    ssl3 = PR_TRUE;
-    if (data->state.ssl_connect_retry)
-      infof(data, "TLS disabled due to previous handshake failure\n");
-    else
-      tlsv1 = PR_TRUE;
-    break;
   case CURL_SSLVERSION_TLSv1:
     tlsv1 = PR_TRUE;
     break;
--- ./lib/qssl.c.orig	2014-11-11 12:08:44.037832982 -0800
+++ ./lib/qssl.c	2014-11-11 12:12:10.802950719 -0800
@@ -192,9 +192,6 @@
 
   default:
   case CURL_SSLVERSION_DEFAULT:
-    h->protocol = SSL_VERSION_CURRENT;          /* TLSV1 compat. SSLV[23]. */
-    break;
-
   case CURL_SSLVERSION_TLSv1:
     h->protocol = TLS_VERSION_1;
     break;
--- ./lib/ssluse.c.orig	2014-11-11 12:08:52.156569428 -0800
+++ ./lib/ssluse.c	2014-11-11 12:21:38.593664424 -0800
@@ -1448,10 +1448,6 @@
   switch(data->set.ssl.version) {
   default:
   case CURL_SSLVERSION_DEFAULT:
-    /* we try to figure out version */
-    req_method = SSLv23_client_method();
-    use_sni(TRUE);
-    break;
   case CURL_SSLVERSION_TLSv1:
     req_method = TLSv1_client_method();
     use_sni(TRUE);
@@ -1531,9 +1527,9 @@
 
   SSL_CTX_set_options(connssl->ctx, ctx_options);
 
-  /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
+  /* disable SSLv2 and SSLv3 in the default case (i.e. allow TLSv1) */
   if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
-    SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2);
+    SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 
 #if 0
   /*
upstream/oracle/userland-gate