From 9c0cd6eb5ef99dd16d3e0348bc4fdf5bf7ee1c47 Mon Sep 17 00:00:00 2001
From: Tomasz Sowa
Date: Mon, 19 Dec 2022 14:17:30 +0100
Subject: [PATCH] add Http::set_ssl_version() to set the available TLS version to use
---
 winixd/utils/http.cpp | 14 +++++++++++
 winixd/utils/http.h | 56 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
diff --git a/winixd/utils/http.cpp b/winixd/utils/http.cpp
index c0652de..94b1a50 100644
--- a/winixd/utils/http.cpp
+++ b/winixd/utils/http.cpp
@@ -73,6 +73,8 @@ Http & Http::begin()
 debug_info = nullptr;
 follow_location = true;
 verify_ssl_cert = true;
+ forse_ssl_version = false;
+ ssl_version = 0;
 return *this;
 }
@@ -451,6 +453,13 @@ void Http::allow_redirects(bool allow_redirects)
 }
+void Http::set_ssl_version(long ssl_version)
+{
+ this->forse_ssl_version = true;
+ this->ssl_version = ssl_version;
+}
+
+
 void Http::verify_ssl(bool verify)
 {
 this->verify_ssl_cert = verify;
@@ -557,6 +566,11 @@ bool Http::fetch_internal(Method method, const char * url, const std::string * i
 curl_easy_setopt(curl, CURLOPT_HEADERDATA, &out_headers_stream);
 }
+ if( forse_ssl_version )
+ {
+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, ssl_version);
+ }
+
 // block the Expect: 100-continue header
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect
 // https://httpwg.org/specs/rfc7231.html#header.expect
diff --git a/winixd/utils/http.h b/winixd/utils/http.h
index c0e4466..c7f2cdd 100644
--- a/winixd/utils/http.h
+++ b/winixd/utils/http.h
@@ -159,6 +159,60 @@ public:
 */
 void allow_redirects(bool allow_redirects);
+
+ /*
+ * set ssl version to use, values for CURLOPT_SSLVERSION
+ * https://curl.se/libcurl/c/CURLOPT_SSLVERSION.html
+ *
+ * CURL_SSLVERSION_DEFAULT
+ * The default acceptable version range. The minimum acceptable version is by default TLS v1.0 since 7.39.0 (unless the TLS library has a stricter rule).
+ *
+ * CURL_SSLVERSION_TLSv1
+ * TLS v1.0 or later
+ *
+ * CURL_SSLVERSION_SSLv2
+ * SSL v2 - refused
+ *
+ * CURL_SSLVERSION_SSLv3
+ * SSL v3 - refused
+ *
+ * CURL_SSLVERSION_TLSv1_0
+ * TLS v1.0 or later (Added in 7.34.0)
+ *
+ * CURL_SSLVERSION_TLSv1_1
+ * TLS v1.1 or later (Added in 7.34.0)
+ *
+ * CURL_SSLVERSION_TLSv1_2
+ * TLS v1.2 or later (Added in 7.34.0)
+ *
+ * CURL_SSLVERSION_TLSv1_3
+ * TLS v1.3 or later (Added in 7.52.0)
+ *
+ * The maximum TLS version can be set by using one of the CURL_SSLVERSION_MAX_ macros below.
+ * It is also possible to OR one of the CURL_SSLVERSION_ macros with one of the CURL_SSLVERSION_MAX_ macros.
+ * The MAX macros are not supported for WolfSSL.
+ * CURL_SSLVERSION_MAX_DEFAULT
+ *
+ * The flag defines the maximum supported TLS version by libcurl, or the default value from the SSL library is used.
+ * libcurl will use a sensible default maximum, which was TLS v1.2 up to before 7.61.0 and is TLS v1.3 since
+ * then - assuming the TLS library support it. (Added in 7.54.0)
+ * CURL_SSLVERSION_MAX_TLSv1_0
+ *
+ * The flag defines maximum supported TLS version as TLS v1.0. (Added in 7.54.0)
+ * CURL_SSLVERSION_MAX_TLSv1_1
+ *
+ * The flag defines maximum supported TLS version as TLS v1.1. (Added in 7.54.0)
+ * CURL_SSLVERSION_MAX_TLSv1_2
+ *
+ * The flag defines maximum supported TLS version as TLS v1.2. (Added in 7.54.0)
+ * CURL_SSLVERSION_MAX_TLSv1_3
+ *
+ * The flag defines maximum supported TLS version as TLS v1.3. (Added in 7.54.0)
+ * In versions of curl prior to 7.54 the CURL_SSLVERSION_TLS options were documented to allow only the specified
+ * TLS version, but behavior was inconsistent depending on the TLS library.
+ */
+ void set_ssl_version(long ssl_version);
+
 /*
 * verify the peer's SSL certificate
 * default is true
@@ -217,6 +271,8 @@ private:
 pt::Space * debug_info;
 bool follow_location;
 bool verify_ssl_cert;
+ bool forse_ssl_version;
+ long ssl_version;
 std::wstring temp_header;
 std::string temp_header_ascii;
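Review bot: The new member is spelled `forse_ssl_version` in Http::set_ssl_version and in the other three hunks that touch it (the begin() initialiser, the fetch_internal() check, and the private-member block in http.h); reading it as "force" is a guess the next maintainer has to make, so renaming it to `force_ssl_version` in all four places is worth doing before the name spreads. The definition also carries no comment while its header counterpart has a long one; a one-liner such as `// remembered only until the next begin(), which clears the forced version` would tie the two together and record the reset that the begin() hunk performs.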
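Review bot: The result of `curl_easy_setopt(curl, CURLOPT_SSLVERSION, ssl_version)` is discarded, so if this libcurl build or its TLS backend rejects the requested value (the new header comment itself notes the MAX_ macros are unsupported with WolfSSL) the transfer silently continues with libcurl's default version range rather than the floor the caller asked for. Because the caller opted in explicitly, a rejected value should abort the request rather than fall back: `if( curl_easy_setopt(curl, CURLOPT_SSLVERSION, ssl_version) != CURLE_OK )` followed by whatever failure path fetch_internal uses for its other errors. fetch_internal's body starts and ends outside this hunk, so I cannot see that path or whether other setopt calls are checked; the adjacent CURLOPT_HEADERDATA call visible in context is not, but that one does not weaken the connection when it fails.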
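Review bot: The new comment in http.h reproduces the CURLOPT_SSLVERSION reference but says nothing about how this class handles the setting: the begin() hunk in http.cpp resets `forse_ssl_version` to false, so a version chosen with set_ssl_version() applies only until the next begin() and has to be requested again for each transfer. A line before the closing `*/` such as `* note: Http::begin() clears this setting, so call set_ssl_version() after begin() for every request` would stop callers from assuming it is sticky. It is also worth stating plainly that when this is never called the default range from the quoted text applies, i.e. a TLS v1.0 minimum unless the TLS library is stricter, so code that needs a TLS 1.2 floor must call it explicitly.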