From b2242c57e17fa71734c60aa9872970f4477a4bd5 Mon Sep 17 00:00:00 2001
From: John-Mark Bell
Date: Wed, 15 Oct 2014 12:02:25 +0100
Subject: HTTPS: disable all SSL versions; emit fallback SCSV on downgrade.

This removes all support for SSL and (with help from servers that support the fallback SCSV) protects against inappropriate protocol downgrade.
---
 content/fetchers/curl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'content/fetchers')

diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index 4bd72a20e..b3a4b9f38 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -693,7 +693,7 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
 {
 struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
 SSL_CTX *sslctx = _sslctx;
- long options = SSL_OP_ALL;
+ long options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, fetch_curl_verify_callback);
 SSL_CTX_set_cert_verify_callback(sslctx, fetch_curl_cert_verify_callback,
@@ -706,6 +706,10 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
 #endif
 #ifdef SSL_OP_NO_TLSv1_2
 options |= SSL_OP_NO_TLSv1_2;
+#endif
+#ifdef SSL_MODE_SEND_FALLBACK_SCSV
+ /* Ensure server rejects the connection if downgraded too far */
+ SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
 #endif
 }
--
cgit v1.2.3
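Review bot: The new `options` initializer in the first hunk still starts from `SSL_OP_ALL`, which is OpenSSL's "all bug workarounds" set and includes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`; that bit switches off the 1/n-1 empty-fragment countermeasure for CBC cipher suites on SSLv3/TLS 1.0. Dropping SSLv3 is the right call, but with `SSL_OP_ALL` left intact any TLS 1.0 CBC session this client negotiates (and the downgrade branch below appears to leave TLS 1.0 as the only option) stays exposed to BEAST-style chosen-plaintext attacks. Suggest masking the bit out on the same line: `long options = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;` with a short comment such as `/* keep the CBC empty-fragment mitigation that SSL_OP_ALL would disable */`. fetch_curl_sslctxfun continues past this hunk, so the `SSL_CTX_set_options` call that applies `options` is not visible here and I have not checked it.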
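Review bot: In the second hunk, `SSL_MODE_SEND_FALLBACK_SCSV` is only meaningful on a retry that deliberately offers a lower maximum version than the client actually supports; if it is ever sent on a first-attempt handshake, any SCSV-aware server (draft-ietf-tls-downgrade-scsv, later RFC 7507) that supports TLS 1.1 or 1.2 will abort with an `inappropriate_fallback` alert instead of connecting. The closing `}` at the end of the hunk suggests these lines sit inside a conditional block whose opening is outside the hunk, so I cannot see what gates it; it is worth confirming the block is entered only after a full-strength handshake has already failed for this specific fetch, and never from a persisted per-host downgrade flag, because otherwise such servers become permanently unreachable rather than protected. The added comment could make that contract explicit, e.g. `/* Fallback retry only: an SCSV-aware server that supports a newer version than we now offer will reject this handshake */`.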