wip2

jan2000 · Aug 18, 2024 · d6a3476 · d6a3476
1 parent cb7dbb7
commit d6a3476
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 40 deletions.
diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
@@ -384,7 +384,7 @@ bearssl_set_ssl_version_min_max(struct Curl_easy *data,
     failf(data, "BearSSL: does not support TLS 1.3");
     return CURLE_SSL_CONNECT_ERROR;
   default:
-    failf(data, "BearSSL: unrecognized minimum TLS version value");
+    failf(data, "BearSSL: unsupported minimum TLS version value");
     return CURLE_SSL_CONNECT_ERROR;
   }
 
@@ -402,7 +402,7 @@ bearssl_set_ssl_version_min_max(struct Curl_easy *data,
     version_max = BR_TLS10;
     break;
   default:
-    failf(data, "BearSSL: unrecognized maximum TLS version value");
+    failf(data, "BearSSL: unsupported maximum TLS version value");
     return CURLE_SSL_CONNECT_ERROR;
   }
 
@@ -713,7 +713,9 @@ static CURLcode bearssl_run_until(struct Curl_cfilter *cf,
         failf(data, "SSL: X.509 verification: "
               "chain could not be linked to a trust anchor");
         return CURLE_PEER_FAILED_VERIFICATION;
+      default:;
       }
+      failf(data, "BearSSL: connection error 0x%04x", err);
       /* X.509 errors are documented to have the range 32..63 */
       if(err >= 32 && err < 64)
         return CURLE_PEER_FAILED_VERIFICATION;

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
@@ -266,7 +266,8 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
 {
   /* TLS 1.0 and TLS 1.1 were dropped with mbedTLS 3.0.0 (2021). So, since
    * then, and before the introduction of TLS 1.3 in 3.6.0 (2024), this
-   * function basically always sets TLS 1.2 as min/max. */
+   * function basically always sets TLS 1.2 as min/max, unless given
+   * unsupported option values. */
 
 #if MBEDTLS_VERSION_NUMBER < 0x03020000
   int ver_min = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
@@ -277,44 +278,31 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
   mbedtls_ssl_protocol_version ver_max = MBEDTLS_SSL_VERSION_TLS1_2;
 #endif
 
-#if MBEDTLS_VERSION_NUMBER < 0x03000000
   switch(conn_config->version) {
   case CURL_SSLVERSION_DEFAULT:
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
   case CURL_SSLVERSION_TLSv1:
   case CURL_SSLVERSION_TLSv1_0:
     ver_min = MBEDTLS_SSL_MINOR_VERSION_1;
     break;
   case CURL_SSLVERSION_TLSv1_1:
     ver_min = MBEDTLS_SSL_MINOR_VERSION_2;
     break;
-  default:;
-  }
-
-  switch(conn_config->version_max) {
-  case CURL_SSLVERSION_MAX_TLSv1_1:
-    ver_max = MBEDTLS_SSL_MINOR_VERSION_2;
-    break;
-  case CURL_SSLVERSION_MAX_TLSv1_0:
-    ver_max = MBEDTLS_SSL_MINOR_VERSION_1;
-    break;
-  default:;
-  }
-#endif
-
-  switch(conn_config->version) {
-  case CURL_SSLVERSION_DEFAULT:
+#else
   case CURL_SSLVERSION_TLSv1:
   case CURL_SSLVERSION_TLSv1_0:
   case CURL_SSLVERSION_TLSv1_1:
+#endif
   case CURL_SSLVERSION_TLSv1_2:
+    /* ver_min = MBEDTLS_SSL_VERSION_TLS1_2; */
     break;
   case CURL_SSLVERSION_TLSv1_3:
 #ifdef TLS13_SUPPORT
     ver_min = MBEDTLS_SSL_VERSION_TLS1_3;
     break;
 #endif
   default:
-    failf(data, "mbedTLS: unrecognized minimum TLS version value");
+    failf(data, "mbedTLS: unsupported minimum TLS version value");
     return CURLE_SSL_CONNECT_ERROR;
   }
 
@@ -327,11 +315,21 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
     break;
 #endif
   case CURL_SSLVERSION_MAX_TLSv1_2:
+    /* ver_max = MBEDTLS_SSL_VERSION_TLS1_2; */
+    break;
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
   case CURL_SSLVERSION_MAX_TLSv1_1:
+    ver_max = MBEDTLS_SSL_MINOR_VERSION_2;
+    break;
   case CURL_SSLVERSION_MAX_TLSv1_0:
+    ver_max = MBEDTLS_SSL_MINOR_VERSION_1;
     break;
+#else
+  case CURL_SSLVERSION_MAX_TLSv1_1:
+  case CURL_SSLVERSION_MAX_TLSv1_0:
+#endif
   default:
-    failf(data, "mbedTLS: unrecognized maximum TLS version value");
+    failf(data, "mbedTLS: unsupported maximum TLS version value");
     return CURLE_SSL_CONNECT_ERROR;
   }
 

diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c
@@ -567,7 +567,7 @@ cr_init_backend(struct Curl_cfilter *cf, struct Curl_easy *data,
       tls_versions_len = 1;
       break;
     default:
-      failf(data, "rustls: unrecognized minimum TLS version value");
+      failf(data, "rustls: unsupported minimum TLS version value");
       return CURLE_SSL_ENGINE_INITFAILED;
     }
 

diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
@@ -761,7 +761,7 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
     break;
 #endif
   default:
-    failf(data, "wolfSSL: unrecognized minimum TLS version value");
+    failf(data, "wolfSSL: unsupported minimum TLS version value");
     return CURLE_SSL_CONNECT_ERROR;
   }
   if(res != WOLFSSL_SUCCESS) {
@@ -789,7 +789,7 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
     res = WOLFSSL_SUCCESS;
     break;
   default:
-    failf(data, "wolfSSL: unrecognized maximum TLS version value");
+    failf(data, "wolfSSL: unsupported maximum TLS version value");
     return CURLE_SSL_CONNECT_ERROR;
   }
   if(res != WOLFSSL_SUCCESS) {

diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
@@ -244,17 +244,17 @@ def test_17_07_ssl_ciphers(self, env: Env, httpd, tls_proto, ciphers13, ciphers1
         extra_args += ['--ciphers', ':'.join(ciphers12)] if ciphers12 else []
         r = curl.http_get(url=url, alpn_proto=proto, extra_args=extra_args)
         if tls_proto != 'TLSv1.2' and succeed13:
-            assert r.exit_code == 0, f'{r}'
-            assert r.json['HTTPS'] == 'on', f'{r}'
-            assert r.json['SSL_PROTOCOL'] == 'TLSv1.3', f'{r}'
-            assert ciphers13 is None or r.json['SSL_CIPHER'] in ciphers13, f'{r}'
+            assert r.exit_code == 0, r.dump_logs()
+            assert r.json['HTTPS'] == 'on', r.dump_logs()
+            assert r.json['SSL_PROTOCOL'] == 'TLSv1.3', r.dump_logs()
+            assert ciphers13 is None or r.json['SSL_CIPHER'] in ciphers13, r.dump_logs()
         elif tls_proto == 'TLSv1.2' and succeed12:
-            assert r.exit_code == 0, f'{r}'
-            assert r.json['HTTPS'] == 'on', f'{r}'
-            assert r.json['SSL_PROTOCOL'] == 'TLSv1.2', f'{r}'
-            assert ciphers12 is None or r.json['SSL_CIPHER'] in ciphers12, f'{r}'
+            assert r.exit_code == 0, r.dump_logs()
+            assert r.json['HTTPS'] == 'on', r.dump_logs()
+            assert r.json['SSL_PROTOCOL'] == 'TLSv1.2', r.dump_logs()
+            assert ciphers12 is None or r.json['SSL_CIPHER'] in ciphers12, r.dump_logs()
         else:
-            assert r.exit_code != 0, f'{r}'
+            assert r.exit_code != 0, r.dump_logs()
 
     @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
     def test_17_08_cert_status(self, env: Env, httpd, nghttpx, repeat, proto):
@@ -276,7 +276,8 @@ def test_17_08_cert_status(self, env: Env, httpd, nghttpx, repeat, proto):
     @pytest.mark.parametrize("tls_proto, max_ver, min_ver", gen_test_17_09_list())
     def test_17_09_ssl_min_max(self, env: Env, httpd, tls_proto, max_ver, min_ver):
         httpd.set_extra_config('base', [
-            f'SSLProtocol {tls_proto}'
+            f'SSLProtocol {tls_proto}',
+            'SSLCipherSuite ALL:@SECLEVEL=0',
         ])
         httpd.reload()
         proto = 'http/1.1'
@@ -286,7 +287,7 @@ def test_17_09_ssl_min_max(self, env: Env, httpd, tls_proto, max_ver, min_ver):
         if env.curl_uses_lib('bearssl'):
             # BearSSL does not support TLSv1.3'
             supported = ['TLSv1', 'TLSv1.1', 'TLSv1.2', None]
-        if env.curl_uses_lib('sectransp'):  # not in CI, so untested
+        elif env.curl_uses_lib('sectransp'):  # not in CI, so untested
             # SecureTransport does not support TLSv1.3'
             supported = ['TLSv1', 'TLSv1.1', 'TLSv1.2', None]
         elif env.curl_uses_lib('mbedtls') and not env.curl_lib_version_at_least('mbedtls', '3.6.0'):
@@ -303,8 +304,8 @@ def test_17_09_ssl_min_max(self, env: Env, httpd, tls_proto, max_ver, min_ver):
             extra_args += ['--tls-max', ['1.0', '1.1', '1.2', '1.3'][max_ver]]
         r = curl.http_get(url=url, alpn_proto=proto, extra_args=extra_args)
         if max_ver >= min_ver and tls_proto in supported[max(0, min_ver):min(max_ver, 3)+1]:
-            assert r.exit_code == 0 , f'{r}'
-            assert r.json['HTTPS'] == 'on', f'{r}'
-            assert r.json['SSL_PROTOCOL'] == tls_proto, f'{r}'
+            assert r.exit_code == 0 , r.dump_logs()
+            assert r.json['HTTPS'] == 'on', r.dump_logs()
+            assert r.json['SSL_PROTOCOL'] == tls_proto, r.dump_logs()
         else:
-            assert r.exit_code != 0, f'{r}'
+            assert r.exit_code != 0, r.dump_logs()