Scripts to build OpenSSL, HTTP/2 (nghttp2) and cURL (libcurl) for MacOS, iOS and tvOS devices (x86_64, armv7, armv7s, arm64, arm64e). Now Supporting Apple Silicon, OpenSSL 3.0.x with TLS 1.3 and Mac Catalyst builds.
Since I use curl + openssl libs in my iCurlHTTP iOS app for negative testing (to prove a server will not answer to SSLv3), I need a way to activate SSLv3. With the changes, I'm no longer able to use libcurl OpenSSL for this negative test using:
The changes of note are in setopt.c and openssl.c. If anyone needs to patch to create a custom SSLv3 enabled version:
# for library patch setopt.c and openssl.c
sed -i '' '/version == CURL_SSLVERSION_SSLv3/d' "${CURL_VERSION}/lib/setopt.c"
patch -N "${CURL_VERSION}/lib/vtls/openssl.c" sslv3.patch
# for command line patch tool_getparam.c
sed -i '' -e 's/warnf(global, \"Ignores instruction to use SSLv3\\n\");/config->ssl_version = CURL_SSLVERSION_SSLv3;/g' "${CURL_VERSION}/src/tool_getparam.c"
sslv3.patch
--- openssl.c 2022-05-30 01:05:13.000000000 -0700
+++ openssl.c.2 2022-05-30 01:25:52.000000000 -0700
@@ -2709,8 +2709,9 @@
failf(data, "No SSLv2 support");
return CURLE_NOT_BUILT_IN;
case CURL_SSLVERSION_SSLv3:
- failf(data, "No SSLv3 support");
- return CURLE_NOT_BUILT_IN;
+ req_method = SSLv3_client_method();
+ use_sni(FALSE);
+ break;
default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
return CURLE_SSL_CONNECT_ERROR;
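Review bot: the new CURL_SSLVERSION_SSLv3 case calls SSLv3_client_method() unconditionally, so openssl.c no longer builds against an OpenSSL configured without SSLv3 methods (OPENSSL_NO_SSL3_METHOD defined). Suggest wrapping the three added lines in #ifndef OPENSSL_NO_SSL3_METHOD and keeping the removed failf(data, "No SSLv3 support"); return CURLE_NOT_BUILT_IN; pair as the #else branch, so a library that cannot speak SSLv3 reports that at run time instead of failing at compile time. Because this re-enables a protocol curl removed on purpose, it is also worth compiling the case in only when the build script's SSLv3 option is given, so default builds keep refusing SSLv3.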
@@ -2798,9 +2799,18 @@
switch(ssl_version) {
case CURL_SSLVERSION_SSLv2:
- case CURL_SSLVERSION_SSLv3:
return CURLE_NOT_BUILT_IN;
+ case CURL_SSLVERSION_SSLv3:
+ SSL_CTX_set_min_proto_version(backend->ctx, SSL3_VERSION);
+ SSL_CTX_set_max_proto_version(backend->ctx, SSL3_VERSION);
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_TLSv1;
+ ctx_options |= SSL_OP_NO_TLSv1_1;
+ ctx_options |= SSL_OP_NO_TLSv1_2;
+ ctx_options |= SSL_OP_NO_TLSv1_3;
+ break;
+
/* "--tlsv<x.y>" options mean TLS >= version <x.y> */
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1: /* TLS >= version 1.0 */
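Review bot: in the added CURL_SSLVERSION_SSLv3 case the return values of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() are discarded. Both return 0 on failure; if pinning to SSL3_VERSION fails, the SSL_OP_NO_TLSv1* options still disable every other version and the handshake can fail locally, which a negative test would read as the server refusing SSLv3. Suggest checking both calls and returning an error (for example CURLE_NOT_BUILT_IN with a failf message) when either fails. With min and max both pinned to SSL3_VERSION, the five SSL_OP_NO_* lines are redundant and could be dropped.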
I made this change in the latest version, 7.83.1 with success. I will add this to the build script for those who specify the -3 option to build SSLv3.
SSLv3 has been removed from curl starting in what appears to be 7.77.0. I traced it back to this commit in curl: https://github.com/curl/curl/commit/eff614fb0242cb37d33f89e2e74a93cef5203aed
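An added example (not part of the original post or the project's build scripts): one way to interpret the SSLv3 negative test so that a client that cannot speak SSLv3 is not mistaken for a server that refuses it. The function names and the idea of a control endpoint you operate that is known to accept SSLv3 are assumptions of this sketch; the warning string is the one quoted in the `sed` command above.

```shell
#!/bin/sh
# Added example: interpret an SSLv3 negative test run with a patched curl.
# curl exit codes used: 0 (OK), 4 (CURLE_NOT_BUILT_IN),
# 35 (CURLE_SSL_CONNECT_ERROR).

# sslv3_verdict CONTROL_RC TARGET_RC TARGET_STDERR   (hypothetical helper)
#   CONTROL_RC: curl exit code against an endpoint you control that is known
#               to accept SSLv3 (proves the client can really speak it).
#   TARGET_RC / TARGET_STDERR: result of the same probe against the server
#               under test.
# Prints PASS, FAIL or INCONCLUSIVE with a reason; returns 0, 1 or 2.
sslv3_verdict() {
  control_rc=$1 target_rc=$2 target_err=$3
  case "$target_err" in
    *"Ignores instruction to use SSLv3"*)
      echo "INCONCLUSIVE: curl tool ignored -3 (tool_getparam.c not patched)"
      return 2 ;;
  esac
  if [ "$target_rc" -eq 4 ] || [ "$control_rc" -eq 4 ]; then
    echo "INCONCLUSIVE: libcurl reports SSLv3 not built in"
    return 2
  fi
  if [ "$control_rc" -ne 0 ]; then
    echo "INCONCLUSIVE: client failed the SSLv3 control handshake (rc=$control_rc)"
    return 2
  fi
  case "$target_rc" in
    0)  echo "FAIL: server completed an SSLv3 handshake"; return 1 ;;
    35) echo "PASS: server rejected the SSLv3 handshake"; return 0 ;;
    *)  echo "INCONCLUSIVE: other error, not a TLS refusal (rc=$target_rc)"
        return 2 ;;
  esac
}

# probe_sslv3 URL   (hypothetical helper)
# Runs the patched curl with -3 and stores the result in PROBE_RC / PROBE_ERR.
# -s is not used, so curl's warnings stay visible in the captured stderr.
probe_sslv3() {
  PROBE_ERR=$(curl -3 --no-progress-meter -o /dev/null --max-time 10 "$1" 2>&1)
  PROBE_RC=$?
}
```

Call `probe_sslv3` once for the control endpoint and once for the target, then pass the control's `PROBE_RC` and the target's `PROBE_RC` and `PROBE_ERR` to `sslv3_verdict`.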