author | John-Mark Bell <jmb@netsurf-browser.org> | 2014-10-15 12:02:25 +0100 |
---|---|---|
committer | John-Mark Bell <jmb@netsurf-browser.org> | 2014-10-15 12:02:25 +0100 |
commit | b2242c57e17fa71734c60aa9872970f4477a4bd5 (patch) | |
tree | 7807a06505c2beb5402b4de409a3bb749c6555b9 /content/fetchers/curl.c | |
parent | 11faa1cef86c155c6fed28e3d6b51a77239d464c (diff) | |
download | netsurf-b2242c57e17fa71734c60aa9872970f4477a4bd5.tar.gz netsurf-b2242c57e17fa71734c60aa9872970f4477a4bd5.tar.bz2 |
HTTPS: disable all SSL versions; emit fallback SCSV on downgrade.
This removes all support for SSL and (with help from servers that
support the fallback SCSV) protects against inappropriate protocol
downgrade.
Diffstat (limited to 'content/fetchers/curl.c')
-rw-r--r-- | content/fetchers/curl.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index 4bd72a20e..b3a4b9f38 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -693,7 +693,7 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
 {
 	struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
 	SSL_CTX *sslctx = _sslctx;
-	long options = SSL_OP_ALL;
+	long options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 
 	SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, fetch_curl_verify_callback);
 	SSL_CTX_set_cert_verify_callback(sslctx, fetch_curl_cert_verify_callback,
@@ -707,6 +707,10 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
 #ifdef SSL_OP_NO_TLSv1_2
 		options |= SSL_OP_NO_TLSv1_2;
 #endif
+#ifdef SSL_MODE_SEND_FALLBACK_SCSV
+		/* Ensure server rejects the connection if downgraded too far */
+		SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
+#endif
 	}
 
 	SSL_CTX_set_options(sslctx, options);
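Review bot: The new `options` initialiser still starts from `SSL_OP_ALL`, which in the OpenSSL releases current at this commit includes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` and therefore switches off the empty-fragment countermeasure for CBC cipher suites on TLS 1.0 — the very version the downgrade path later in this function can end up negotiating now that SSLv3 is refused. If interoperability with the legacy servers that workaround exists for is not a requirement for the browser, the line should mask it out: `long options = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;`. Either way a one-line comment stating which `SSL_OP_ALL` workarounds are deliberately kept would help the next reader judge the trade-off. The body of fetch_curl_sslctxfun continues past the end of this hunk.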
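Review bot: The comment on the new `SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV)` call, `Ensure server rejects the connection if downgraded too far`, does not state the precondition the flag depends on, and the block it sits in has its opening condition outside the hunk (only the closing `}` is visible), so that precondition cannot be checked here. The signalling cipher suite (RFC 7507) must accompany only a retried, downgraded handshake: a server whose highest version exceeds the one offered answers with a fatal `inappropriate_fallback`, so sending it on a first attempt would make the client unable to reach any server newer than itself; its placement next to the `SSL_OP_NO_TLSv1_2` line suggests this is indeed the retry path, but the comment should say so, e.g. `/* Fallback retry only (RFC 7507 TLS_FALLBACK_SCSV): a server that supports a higher version than we now offer aborts with inappropriate_fallback */`. Note also that when the OpenSSL headers predate `SSL_MODE_SEND_FALLBACK_SCSV` the whole guarded block compiles away and the downgraded retry proceeds with no protection at all; that silent degradation deserves an `#else` comment or a build-time notice rather than nothing. fetch_curl_sslctxfun continues outside the hunk on both sides.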