I'd like to use TLSv1.2 with curl, but currently there is no option for that.
If I choose CURL_SSLVERSION_DEFAULT, then it can use TLSv1.2 but it also enables SSLv3, and our client would be vulnerable to version rollback attacks.
If I choose CURL_SSLVERSION_TLSv1, then it can only use TLSv1 but not TLSv1.2.
Yeps, we need to provide more options to libcurl and the associated code changes to make sure we can support them. Have you checked what's required for us to do this with OpenSSL?
The most flexible way in OpenSSL to choose exactly what versions should be accepted is to always use SSLv23_client_method, but set the exact versions in the context options.
There are currently 5 flags that can be set in the options:
SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2
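Added example (not from this thread or from curl's code): Python's ssl module exposes the same OpenSSL context and SSL_OP_NO_* options, so it can show the approach described above, a version-flexible SSLv23 context narrowed to exactly the versions the caller allows. The function names and the protocol-name keys are my own; OP_NO_SSLv2 is 0 on OpenSSL builds without SSLv2, which the read-back helper accounts for.

```python
import ssl
import warnings

# The five version flags listed in the thread, keyed by protocol name.
# Setting a flag on a version-flexible (SSLv23 / PROTOCOL_TLS) context
# removes that one version from the negotiation.
NO_VERSION_FLAGS = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
}


def disable_flags_for(allowed):
    """Return the OR of OP_NO_* flags for every version NOT in `allowed`."""
    unknown = set(allowed) - NO_VERSION_FLAGS.keys()
    if unknown:
        raise ValueError(f"unknown protocol name(s): {sorted(unknown)}")
    if not allowed:
        raise ValueError("at least one version must stay enabled")
    flags = 0
    for name, flag in NO_VERSION_FLAGS.items():
        if name not in allowed:
            flags |= flag
    return flags


def make_client_context(allowed):
    """SSLv23_client_method equivalent, restricted to `allowed` versions only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Python 3.10+ marks the OP_NO_* flags deprecated in favour of
        # minimum_version / maximum_version; the flags still take effect.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= disable_flags_for(allowed)
    return ctx


def enabled_versions(ctx):
    """Read back which of the five versions the context still offers."""
    enabled = []
    for name, flag in NO_VERSION_FLAGS.items():
        if flag == 0:
            continue  # version compiled out of this OpenSSL (e.g. SSLv2 on 1.1+)
        if not (ctx.options & flag):
            enabled.append(name)
    return sorted(enabled)
```

With `make_client_context({"TLSv1.2"})` the context accepts TLSv1.2 only, which is the configuration the original poster could not express with CURL_SSLVERSION_DEFAULT or CURL_SSLVERSION_TLSv1.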
You up to writing a patch to use this approach and add some new protocol defines?
I added a pull request: https://github.com/bagder/curl/pull/79
See my comments in the commit message.
The suggested patch has been merged; this is now fixed in git starting with commit ad34a2d5c87.