Build-OpenSSL-cURL
No SSLv3 Support in curl 7.83.1
SSLv3 has been removed from curl starting in what appears to be 7.77.0. I traced it back to this commit in curl: https://github.com/curl/curl/commit/eff614fb0242cb37d33f89e2e74a93cef5203aed
Since I use curl + openssl libs in my iCurlHTTP iOS app for negative testing (to prove a server will not answer to SSLv3), I need a way to activate SSLv3. With the changes, I'm no longer able to use libcurl OpenSSL for this negative test using:
curl_easy_setopt(_curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
The changes of note are in setopt.c and openssl.c. If anyone needs to patch to create a custom SSLv3 enabled version:
# for library patch setopt.c and openssl.c
sed -i '' '/version == CURL_SSLVERSION_SSLv3/d' "${CURL_VERSION}/lib/setopt.c"
patch -N "${CURL_VERSION}/lib/vtls/openssl.c" sslv3.patch
# for command line patch tool_getparam.c
sed -i '' -e 's/warnf(global, \"Ignores instruction to use SSLv3\\n\");/config->ssl_version = CURL_SSLVERSION_SSLv3;/g' "${CURL_VERSION}/src/tool_getparam.c"
sslv3.patch
--- openssl.c 2022-05-30 01:05:13.000000000 -0700
+++ openssl.c.2 2022-05-30 01:25:52.000000000 -0700
@@ -2709,8 +2709,9 @@
failf(data, "No SSLv2 support");
return CURLE_NOT_BUILT_IN;
case CURL_SSLVERSION_SSLv3:
- failf(data, "No SSLv3 support");
- return CURLE_NOT_BUILT_IN;
+ req_method = SSLv3_client_method();
+ use_sni(FALSE);
+ break;
default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
return CURLE_SSL_CONNECT_ERROR;
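Review bot: The new CURL_SSLVERSION_SSLv3 case calls SSLv3_client_method() unconditionally, but OpenSSL does not provide that function when it is built without SSLv3 (OPENSSL_NO_SSL3_METHOD defined), so this will fail to compile or link against such a build. Wrap the case body in #ifndef OPENSSL_NO_SSL3_METHOD and keep the removed failf(data, "No SSLv3 support"); / return CURLE_NOT_BUILT_IN; pair as the #else branch, so a library without SSLv3 reports CURLE_NOT_BUILT_IN instead of breaking the build. A one-line comment on why use_sni(FALSE) is set here (SSLv3 has no extensions, so no SNI) would also help the next reader.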
@@ -2798,9 +2799,18 @@
switch(ssl_version) {
case CURL_SSLVERSION_SSLv2:
- case CURL_SSLVERSION_SSLv3:
return CURLE_NOT_BUILT_IN;
+ case CURL_SSLVERSION_SSLv3:
+ SSL_CTX_set_min_proto_version(backend->ctx, SSL3_VERSION);
+ SSL_CTX_set_max_proto_version(backend->ctx, SSL3_VERSION);
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_TLSv1;
+ ctx_options |= SSL_OP_NO_TLSv1_1;
+ ctx_options |= SSL_OP_NO_TLSv1_2;
+ ctx_options |= SSL_OP_NO_TLSv1_3;
+ break;
+
/* "--tlsv<x.y>" options mean TLS >= version <x.y> */
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1: /* TLS >= version 1.0 */
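Review bot: In the added CURL_SSLVERSION_SSLv3 case the return values of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() are discarded. Both return 0 on failure, and if pinning to SSL3_VERSION fails, the handshake error that follows is indistinguishable from a server refusing SSLv3, which defeats the purpose when the build is used for negative testing. Check both calls and bail out with failf() and an error return when either returns 0. The five ctx_options |= SSL_OP_NO_* lines overlap with the min/max pinning; either drop them or add a comment saying they are a deliberate fallback. The empty added line after break; can go.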
I made this change in the latest version, 7.83.1 with success. I will add this to the build script for those who specify the -3 option to build SSLv3.
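A check that could run after the sed and patch steps above, written as an added example and not taken from the build script: sed exits 0 even when its pattern matches nothing, so after a curl version bump the edits can silently stop applying. The function names `check_sslv3_patch` and `make_sample_tree` are hypothetical, and the sample tree is constructed from a few representative lines rather than real curl sources.

```shell
#!/bin/sh
# Added example (hypothetical helper names): count which of the three SSLv3
# edits are missing from a curl source tree; the return code is that count.
check_sslv3_patch() {
    src=$1
    missing=0
    # setopt.c: the sed deletes the line that rejects CURL_SSLVERSION_SSLv3.
    if grep -q 'version == CURL_SSLVERSION_SSLv3' "$src/lib/setopt.c"; then
        echo "setopt.c: SSLv3 rejection still present"
        missing=$((missing + 1))
    fi
    # openssl.c: sslv3.patch swaps the failf() for SSLv3_client_method().
    if ! grep -q 'SSLv3_client_method()' "$src/lib/vtls/openssl.c" ||
       grep -q 'No SSLv3 support' "$src/lib/vtls/openssl.c"; then
        echo "openssl.c: sslv3.patch not applied"
        missing=$((missing + 1))
    fi
    # tool_getparam.c: the warning becomes an assignment to config->ssl_version.
    if ! grep -q 'config->ssl_version = CURL_SSLVERSION_SSLv3;' \
         "$src/src/tool_getparam.c"; then
        echo "tool_getparam.c: --sslv3 is still ignored"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample tree: a few representative lines, not real curl sources.
# $1 = directory to create, $2 = "stock" or "patched".
make_sample_tree() {
    mkdir -p "$1/lib/vtls" "$1/src"
    if [ "$2" = patched ]; then
        printf '%s\n' 'version == CURL_SSLVERSION_SSLv2 ||' > "$1/lib/setopt.c"
        printf '%s\n' 'req_method = SSLv3_client_method();' > "$1/lib/vtls/openssl.c"
        printf '%s\n' 'config->ssl_version = CURL_SSLVERSION_SSLv3;' \
            > "$1/src/tool_getparam.c"
    else
        printf '%s\n' 'version == CURL_SSLVERSION_SSLv2 ||' \
            'version == CURL_SSLVERSION_SSLv3 ||' > "$1/lib/setopt.c"
        printf '%s\n' 'failf(data, "No SSLv3 support");' > "$1/lib/vtls/openssl.c"
        printf '%s\n' 'warnf(global, "Ignores instruction to use SSLv3\n");' \
            > "$1/src/tool_getparam.c"
    fi
}
```

In a build script, calling `check_sslv3_patch "${CURL_VERSION}" || exit 1` before compiling stops the build when any of the three edits did not land.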