From a8ff4ab2285150b8805154c1f9281d60626ea4c3 Mon Sep 17 00:00:00 2001
From: John-Mark Bell
Date: Sun, 5 Mar 2023 18:15:21 +0000
Subject: fetchers/curl: tolerate lack of TLS1.3

If we are building against a modern version of libcurl, but it was built against a version of OpenSSL that does not support TLS1.3, then attempting to configure TLS1.3 ciphersuites will fail with CURLE_NOT_BUILT_IN. Tolerate this scenario by treating such a return code as non-fatal in this case.
---
content/fetchers/curl.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'content/fetchers')
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index a0c26ae25..1377ec721 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -1792,8 +1792,12 @@ nserror fetch_curl_register(void)
 * fetch fails with "Unknown cipher in list"
 */
 #if LIBCURL_VERSION_NUM >= 0x073d00
- /* Need libcurl 7.61.0 or later */
- SETOPT(CURLOPT_TLS13_CIPHERS, CIPHER_SUITES);
+ /* Need libcurl 7.61.0 or later built against OpenSSL with
+ * TLS1.3 support */
+ code = curl_easy_setopt(fetch_blank_curl,
+ CURLOPT_TLS13_CIPHERS, CIPHER_SUITES);
+ if (code != CURLE_OK && code != CURLE_NOT_BUILT_IN)
+ goto curl_easy_setopt_failed;
 #endif
 SETOPT(CURLOPT_SSL_CIPHER_LIST, CIPHER_LIST);
 }
-- 
cgit v1.2.3
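Review bot: The tolerated `code != CURLE_NOT_BUILT_IN` case skips the TLS1.3 suite restriction without leaving any trace, so a build where `CIPHER_SUITES` is not in force looks the same at runtime as one where it is. In the scenario the commit message describes this is benign, because a TLS library without TLS1.3 cannot negotiate those suites. The return code itself only says the option is unavailable, though, so if this path were ever reached with a backend that does speak TLS1.3, the library's default suites would presumably apply unnoticed. I would record the skip through the logging facility the file already uses and state the consequence in the comment, e.g. `/* CURLE_NOT_BUILT_IN is tolerated: CIPHER_SUITES is then not applied, only CIPHER_LIST below */`. `fetch_curl_register` starts and ends outside the hunk, so how the enclosing block restricts this code to OpenSSL builds is not visible here.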