20010069 curl should disable SSLv3 by default s11u2-sru
authorRich Burridge <rich.burridge@oracle.com>
Mon, 17 Nov 2014 13:05:19 -0800
branchs11u2-sru
changeset 3468 d2ccd1e078a0
parent 3466 66a9fb22f0ef
child 3473 4b3ea06c5974
20010069 curl should disable SSLv3 by default
components/curl/patches/016-curl-disable-sslv3.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/016-curl-disable-sslv3.patch	Mon Nov 17 13:05:19 2014 -0800
@@ -0,0 +1,75 @@
+Remove SSLv3 from SSL default due to the POODLE attack.
+
+Based on the following curl changeset:
+
+commit ec783dc142129d3860e542b443caaa78a6172d56
+Author: Jay Satiro <[email protected]>
+Date:   Fri Oct 24 13:41:56 2014 +0200
+
+    - Remove SSLv3 from the SSL default effectively making the default TLS 1.x.
+    - Update curl_easy_setopt doc.
+
+--- ./docs/libcurl/curl_easy_setopt.3.orig	2014-11-11 12:03:20.659217117 -0800
++++ ./docs/libcurl/curl_easy_setopt.3	2014-11-11 12:06:57.274210401 -0800
[email protected]@ -1819,8 +1819,7 @@
+ .RS
+ .IP CURL_SSLVERSION_DEFAULT
+ The default action. This will attempt to figure out the remote SSL protocol
+-version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
+-by default with 7.18.1).
++version. SSLv2 and SSLv3 are disabled by default.
+ .IP CURL_SSLVERSION_TLSv1
+ Force TLSv1
+ .IP CURL_SSLVERSION_SSLv2
+--- ./lib/nss.c.orig	2014-11-11 12:08:37.152918397 -0800
++++ ./lib/nss.c	2014-11-11 12:11:02.819141917 -0800
[email protected]@ -1177,12 +1177,6 @@
+   switch (data->set.ssl.version) {
+   default:
+   case CURL_SSLVERSION_DEFAULT:
+-    ssl3 = PR_TRUE;
+-    if (data->state.ssl_connect_retry)
+-      infof(data, "TLS disabled due to previous handshake failure\n");
+-    else
+-      tlsv1 = PR_TRUE;
+-    break;
+   case CURL_SSLVERSION_TLSv1:
+     tlsv1 = PR_TRUE;
+     break;
+--- ./lib/qssl.c.orig	2014-11-11 12:08:44.037832982 -0800
++++ ./lib/qssl.c	2014-11-11 12:12:10.802950719 -0800
[email protected]@ -192,9 +192,6 @@
+ 
+   default:
+   case CURL_SSLVERSION_DEFAULT:
+-    h->protocol = SSL_VERSION_CURRENT;          /* TLSV1 compat. SSLV[23]. */
+-    break;
+-
+   case CURL_SSLVERSION_TLSv1:
+     h->protocol = TLS_VERSION_1;
+     break;
+--- ./lib/ssluse.c.orig	2014-11-11 12:08:52.156569428 -0800
++++ ./lib/ssluse.c	2014-11-11 12:21:38.593664424 -0800
[email protected]@ -1448,10 +1448,6 @@
+   switch(data->set.ssl.version) {
+   default:
+   case CURL_SSLVERSION_DEFAULT:
+-    /* we try to figure out version */
+-    req_method = SSLv23_client_method();
+-    use_sni(TRUE);
+-    break;
+   case CURL_SSLVERSION_TLSv1:
+     req_method = TLSv1_client_method();
+     use_sni(TRUE);
[email protected]@ -1531,9 +1527,9 @@
+ 
+   SSL_CTX_set_options(connssl->ctx, ctx_options);
+ 
+-  /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
++  /* disable SSLv2 and SSLv3 in the default case (i.e. allow TLSv1) */
+   if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
+-    SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2);
++    SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+ 
+ #if 0
+   /*