From 53e92ed57b4be2084a39a902c699859a5e10a544 Mon Sep 17 00:00:00 2001
From: John-Mark Bell
Date: Sat, 5 Nov 2022 12:34:46 +0000
Subject: fetchers/curl: explicitly configure TLS1.3 ciphersuites

These currently match the defaults, so no functional change.
---
 content/fetchers/curl.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'content')

diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index d36f44c09..824b0b318 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -67,7 +67,15 @@
 #define UPDATES_PER_SECOND 2
 
 /**
- * The ciphersuites the browser is prepared to use
+ * The ciphersuites the browser is prepared to use for TLS1.3
+ */
+#define CIPHER_SUITES \
+	"TLS_AES_256_GCM_SHA384:" \
+	"TLS_CHACHA20_POLY1305_SHA256:" \
+	"TLS_AES_128_GCM_SHA256"
+
+/**
+ * The ciphersuites the browser is prepared to use for TLS<1.3
  */
 #define CIPHER_LIST \
 	/* disable everything */ \
@@ -1785,6 +1793,10 @@ nserror fetch_curl_register(void)
 
 	/* only set the cipher list with openssl otherwise the
 	 * fetch fails with "Unknown cipher in list" */
+#if LIBCURL_VERSION_NUM >= 0x073d00
+	/* Need libcurl 7.61.0 or later */
+	SETOPT(CURLOPT_TLS13_CIPHERS, CIPHER_SUITES);
+#endif
 	SETOPT(CURLOPT_SSL_CIPHER_LIST, CIPHER_LIST);
 }
 
-- 
cgit v1.2.3
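Review bot: The `#if LIBCURL_VERSION_NUM >= 0x073d00` guard in the second hunk means that on older libcurl the TLS1.3 list is silently not applied while `CURLOPT_SSL_CIPHER_LIST` still is, so TLS1.3 negotiation falls back to whatever the backend's defaults are; the comment should say so rather than just naming the version, e.g. `/* CURLOPT_TLS13_CIPHERS needs libcurl 7.61.0+; on older libcurl the TLS1.3 suites stay at the backend defaults */`. Even when the option exists, a libcurl built against an OpenSSL without TLS1.3 support may reject the option at SETOPT time rather than ignore it (I believe it reports CURLE_NOT_BUILT_IN, worth confirming), which the surrounding "only set with openssl" check does not cover. The `CIPHER_SUITES` doc comment in the first hunk should also note that the string uses OpenSSL's colon-separated TLS1.3 ciphersuite syntax and that the order is the preference order, and that it is pinned deliberately so later library default changes do not widen what the browser offers. The body of fetch_curl_register begins and ends outside the hunk.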