authorJohn-Mark Bell <jmb@netsurf-browser.org>2014-10-15 12:02:25 +0100
committerJohn-Mark Bell <jmb@netsurf-browser.org>2014-10-15 12:02:25 +0100
commitb2242c57e17fa71734c60aa9872970f4477a4bd5 (patch)
tree7807a06505c2beb5402b4de409a3bb749c6555b9 /content/fetchers
parent11faa1cef86c155c6fed28e3d6b51a77239d464c (diff)
HTTPS: disable all SSL versions; emit fallback SCSV on downgrade.
This removes all support for SSL and (with help from servers that support the fallback SCSV) protects against inappropriate protocol downgrade.
Diffstat (limited to 'content/fetchers')
-rw-r--r--content/fetchers/curl.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index 4bd72a20e..b3a4b9f38 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -693,7 +693,7 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
{
struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
SSL_CTX *sslctx = _sslctx;
- long options = SSL_OP_ALL;
+ long options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, fetch_curl_verify_callback);
SSL_CTX_set_cert_verify_callback(sslctx, fetch_curl_cert_verify_callback,
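Review bot: The new `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` on the options line carries no explanation, while the TLS 1.2 fallback handling a few lines further down is commented; a one-line why-comment would help the next maintainer, e.g. `/* Never negotiate SSLv2 or SSLv3; only TLS versions are acceptable */`. The same line uses the two macros unguarded, whereas the second hunk wraps SSL_OP_NO_TLSv1_2 and SSL_MODE_SEND_FALLBACK_SCSV in #ifdef; both SSLv2/SSLv3 option flags have been present in OpenSSL for a long time, so this is a consistency nit rather than a build risk. The body of fetch_curl_sslctxfun continues past this hunk.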
@@ -707,6 +707,10 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm)
#ifdef SSL_OP_NO_TLSv1_2
options |= SSL_OP_NO_TLSv1_2;
#endif
+#ifdef SSL_MODE_SEND_FALLBACK_SCSV
+ /* Ensure server rejects the connection if downgraded too far */
+ SSL_CTX_set_mode(sslctx, SSL_MODE_SEND_FALLBACK_SCSV);
+#endif
}
SSL_CTX_set_options(sslctx, options);
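Review bot: The comment on the SSL_CTX_set_mode line understates what the flag does: the fallback SCSV (RFC 7507) only has an effect when the server supports a higher version than the one offered on this retry, in which case it aborts the handshake with inappropriate_fallback rather than accept the downgrade; `/* Fallback retry (RFC 7507): a server that supports TLS 1.2 will reject this downgraded handshake */` would state that contract. The conditional enclosing these lines opens outside the hunk, so confirm it is entered only after a TLS 1.2 handshake actually failed; if the retry path is also taken on unrelated transport errors, a compliant server would now refuse the retry instead of serving it. SSL_CTX_set_mode ORs into the existing mode bits, so it is safe to call alongside whatever modes curl already set on the context.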