首页 发现 帮助
注册 登录
hebinlong
/
aria2
1
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

Add --min-tls-version option

The --min-tls-version option specifies minimum SSL/TLS version to
enable. Possible Values: SSLv3, TLSv1, TLSv1.1, TLSv1.2 Default: TLSv1
Tatsuhiro Tsujikawa 11 年之前
父节点
62fba76666
当前提交
73d752fb1c
共有 19 个文件被更改,包括 183 次插入33 次删除
合并视图 显示文件统计
  1. 6 0
      doc/manual-src/en/aria2c.rst
  2. 2 2
      src/AppleTLSContext.cc
  3. 8 2
      src/AppleTLSContext.h
  4. 27 5
      src/AppleTLSSession.cc
  5. 4 3
      src/LibgnutlsTLSContext.cc
  6. 7 1
      src/LibgnutlsTLSContext.h
  7. 14 1
      src/LibgnutlsTLSSession.cc
  8. 20 5
      src/LibsslTLSContext.cc
  9. 1 1
      src/LibsslTLSContext.h
  10. 6 2
      src/MultiUrlRequestInfo.cc
  11. 11 0
      src/OptionHandlerFactory.cc
  12. 8 1
      src/TLSContext.h
  13. 31 9
      src/WinTLSContext.cc
  14. 1 1
      src/WinTLSContext.h
  15. 6 0
      src/prefs.cc
  16. 6 0
      src/prefs.h
  17. 2 0
      src/usage_text.h
  18. 17 0
      src/util.cc
  19. 6 0
      src/util.h

+ 6 - 0
doc/manual-src/en/aria2c.rst
查看文件 

@@ -1321,6 +1321,12 @@ Advanced Options
 
   given URIs do not support resume.  See :option:`--always-resume` option.
 
   given URIs do not support resume.  See :option:`--always-resume` option.
 
   Default: ``0``
 
   Default: ``0``
 
 
 
+.. option:: --min-tls-version=<VERSION>
 
+
 
+  Specify minimum SSL/TLS version to enable.
 
+  Possible Values: ``SSLv3``, ``TLSv1``, ``TLSv1.1``, ``TLSv1.2``
 
+  Default: ``TLSv1``
 
+
 
 .. option:: --log-level=<LEVEL>
 
 .. option:: --log-level=<LEVEL>
 
 
 
   Set log level to output.
 
   Set log level to output.

+ 2 - 2
src/AppleTLSContext.cc
查看文件 

@@ -195,9 +195,9 @@ bool checkIdentity(const SecIdentityRef id,
 
 
 
 namespace aria2 {
 
 namespace aria2 {
 
 
 
-TLSContext* TLSContext::make(TLSSessionSide side)
 
+TLSContext* TLSContext::make(TLSSessionSide side, TLSVersion ver)
 
 {
 
 {
 
-  return new AppleTLSContext(side);
 
+  return new AppleTLSContext(side, ver);
 
 }
 
 }
 
 
 
 AppleTLSContext::~AppleTLSContext()
 
 AppleTLSContext::~AppleTLSContext()

+ 8 - 2
src/AppleTLSContext.h
查看文件 

@@ -49,8 +49,8 @@ namespace aria2 {
 
 class AppleTLSContext : public TLSContext
 
 class AppleTLSContext : public TLSContext
 
 {
 
 {
 
 public:
 
 public:
 
-  AppleTLSContext(TLSSessionSide side)
 
-    : side_(side), verifyPeer_(true), credentials_(nullptr)
 
+  AppleTLSContext(TLSSessionSide side, TLSVersion ver)
 
+    : side_(side), minTLSVer_(ver), verifyPeer_(true), credentials_(nullptr)
 
   {}
 
   {}
 
 
 
   virtual ~AppleTLSContext();
 
   virtual ~AppleTLSContext();
 
@@ -89,8 +89,14 @@ public:
 
 
 
   SecIdentityRef getCredentials();
 
   SecIdentityRef getCredentials();
 
 
 
+  TLSVersion getMinTLSVersion() const
 
+  {
 
+    return minTLSVer_;
 
+  }
 
+
 
 private:
 
 private:
 
   TLSSessionSide side_;
 
   TLSSessionSide side_;
 
+  TLSVersion minTLSVer_;
 
   bool verifyPeer_;
 
   bool verifyPeer_;
 
   SecIdentityRef credentials_;
 
   SecIdentityRef credentials_;

+ 27 - 5
src/AppleTLSSession.cc
查看文件 

@@ -362,14 +362,36 @@ AppleTLSSession::AppleTLSSession(AppleTLSContext* ctx)
 
     return;
 
     return;
 
   }
 
   }
 
 #if defined(__MAC_10_8)
 
 #if defined(__MAC_10_8)
 
-  (void)SSLSetProtocolVersionMin(sslCtx_, kSSLProtocol3);
 
+  switch (ctx->getMinTLSVersion()) {
 
+  case TLS_PROTO_SSL3:
 
+    (void)SSLSetProtocolVersionMin(sslCtx_, kSSLProtocol3);
 
+    break;
 
+  case TLS_PROTO_TLS10:
 
+    (void)SSLSetProtocolVersionMin(sslCtx_, kSSLProtocol1);
 
+    break;
 
+  case TLS_PROTO_TLS11:
 
+    (void)SSLSetProtocolVersionMin(sslCtx_, kSSLProtocol11);
 
+    break;
 
+  case TLS_PROTO_TLS12:
 
+    (void)SSLSetProtocolVersionMin(sslCtx_, kSSLProtocol12);
 
+    break;
 
+  }
 
   (void)SSLSetProtocolVersionMax(sslCtx_, kTLSProtocol12);
 
   (void)SSLSetProtocolVersionMax(sslCtx_, kTLSProtocol12);
 
 #else
 
 #else
 
   (void)SSLSetProtocolVersionEnabled(sslCtx_, kSSLProtocolAll, false);
 
   (void)SSLSetProtocolVersionEnabled(sslCtx_, kSSLProtocolAll, false);
 
-  (void)SSLSetProtocolVersionEnabled(sslCtx_, kSSLProtocol3, true);
 
-  (void)SSLSetProtocolVersionEnabled(sslCtx_, kTLSProtocol1, true);
 
-  (void)SSLSetProtocolVersionEnabled(sslCtx_, kTLSProtocol11, true);
 
-  (void)SSLSetProtocolVersionEnabled(sslCtx_, kTLSProtocol12, true);
 
+  switch (ctx->getMinTLSVersion()) {
 
+  case TLS_PROTO_SSL3:
 
+    (void)SSLSetProtocolVersionEnabled(sslCtx_, kSSLProtocol3, true);
 
+    // fall through
 
+  case TLS_PROTO_TLS10:
 
+    (void)SSLSetProtocolVersionEnabled(sslCtx_, kTLSProtocol1, true);
 
+    // fall through
 
+  case TLS_PROTO_TLS11:
 
+    (void)SSLSetProtocolVersionEnabled(sslCtx_, kTLSProtocol11, true);
 
+    // fall through
 
+  case TLS_PROTO_TLS12:
 
+    (void)SSLSetProtocolVersionEnabled(sslCtx_, kTLSProtocol12, true);
 
+  }
 
 #endif
 
 #endif
 
 
 
   // BEAST
 
   // BEAST

+ 4 - 3
src/LibgnutlsTLSContext.cc
查看文件 

@@ -49,14 +49,15 @@
 
 
 
 namespace aria2 {
 
 namespace aria2 {
 
 
 
-TLSContext* TLSContext::make(TLSSessionSide side)
 
+TLSContext* TLSContext::make(TLSSessionSide side, TLSVersion ver)
 
 {
 
 {
 
-  return new GnuTLSContext(side);
 
+  return new GnuTLSContext(side, ver);
 
 }
 
 }
 
 
 
-GnuTLSContext::GnuTLSContext(TLSSessionSide side)
 
+GnuTLSContext::GnuTLSContext(TLSSessionSide side, TLSVersion ver)
 
   : certCred_(0),
 
   : certCred_(0),
 
     side_(side),
 
     side_(side),
 
+    minTLSVer_(ver),
 
     verifyPeer_(true)
 
     verifyPeer_(true)
 
 {
 
 {
 
   int r = gnutls_certificate_allocate_credentials(&certCred_);
 
   int r = gnutls_certificate_allocate_credentials(&certCred_);

+ 7 - 1
src/LibgnutlsTLSContext.h
查看文件 

@@ -46,7 +46,7 @@ namespace aria2 {
 
 
 
 class GnuTLSContext : public TLSContext {
 
 class GnuTLSContext : public TLSContext {
 
 public:
 
 public:
 
-  GnuTLSContext(TLSSessionSide side);
 
+  GnuTLSContext(TLSSessionSide side, TLSVersion ver);
 
 
 
   virtual ~GnuTLSContext();
 
   virtual ~GnuTLSContext();
 
 
 
@@ -79,9 +79,15 @@ public:
 
 
 
   gnutls_certificate_credentials_t getCertCred() const;
 
   gnutls_certificate_credentials_t getCertCred() const;
 
 
 
+  TLSVersion getMinTLSVersion() const
 
+  {
 
+    return minTLSVer_;
 
+  }
 
+
 
 private:
 
 private:
 
   gnutls_certificate_credentials_t certCred_;
 
   gnutls_certificate_credentials_t certCred_;
 
   TLSSessionSide side_;
 
   TLSSessionSide side_;
 
+  TLSVersion minTLSVer_;
 
   bool good_;
 
   bool good_;
 
   bool verifyPeer_;
 
   bool verifyPeer_;
 
 };
 
 };

+ 14 - 1
src/LibgnutlsTLSSession.cc
查看文件 

@@ -107,7 +107,20 @@ int GnuTLSSession::init(sock_t sockfd)
 
   // It seems err is not error message, but the argument string
 
   // It seems err is not error message, but the argument string
 
   // which causes syntax error.
 
   // which causes syntax error.
 
   const char* err;
 
   const char* err;
 
-  rv_ = gnutls_priority_set_direct(sslSession_, "SECURE128:-VERS-SSL3.0", &err);
 
+  std::string pri = "SECURE128";
 
+  switch(tlsContext_->getMinTLSVersion()) {
 
+  case TLS_PROTO_TLS12:
 
+    pri += ":-VERS-TLS1.1";
 
+    // fall through
 
+  case TLS_PROTO_TLS11:
 
+    pri += ":-VERS-TLS1.0";
 
+    // fall through
 
+  case TLS_PROTO_TLS10:
 
+    pri += ":-VERS-SSL3.0";
 
+  default:
 
+    break;
 
+  };
 
+  rv_ = gnutls_priority_set_direct(sslSession_, pri.c_str(), &err);
 
   if(rv_ != GNUTLS_E_SUCCESS) {
 
   if(rv_ != GNUTLS_E_SUCCESS) {
 
     return TLS_ERR_ERROR;
 
     return TLS_ERR_ERROR;
 
   }
 
   }

+ 20 - 5
src/LibsslTLSContext.cc
查看文件 

@@ -81,12 +81,12 @@ namespace {
 
 
 
 namespace aria2 {
 
 namespace aria2 {
 
 
 
-TLSContext* TLSContext::make(TLSSessionSide side)
 
+TLSContext* TLSContext::make(TLSSessionSide side, TLSVersion minVer)
 
 {
 
 {
 
-  return new OpenSSLTLSContext(side);
 
+  return new OpenSSLTLSContext(side, minVer);
 
 }
 
 }
 
 
 
-OpenSSLTLSContext::OpenSSLTLSContext(TLSSessionSide side)
 
+OpenSSLTLSContext::OpenSSLTLSContext(TLSSessionSide side, TLSVersion minVer)
 
   : sslCtx_(nullptr),
 
   : sslCtx_(nullptr),
 
     side_(side),
 
     side_(side),
 
     verifyPeer_(true)
 
     verifyPeer_(true)
 
@@ -100,8 +100,23 @@ OpenSSLTLSContext::OpenSSLTLSContext(TLSSessionSide side)
 
                      ERR_error_string(ERR_get_error(), nullptr)));
 
                      ERR_error_string(ERR_get_error(), nullptr)));
 
     return;
 
     return;
 
   }
 
   }
 
-  // Disable SSLv2/3 and enable all workarounds for buggy servers
 
-  SSL_CTX_set_options(sslCtx_, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
 
+
 
+  long ver_opts = 0;
 
+  switch(minVer) {
 
+  case TLS_PROTO_TLS12:
 
+    ver_opts |= SSL_OP_NO_TLSv1_1;
 
+    // fall through
 
+  case TLS_PROTO_TLS11:
 
+    ver_opts |= SSL_OP_NO_TLSv1;
 
+    // fall through
 
+  case TLS_PROTO_TLS10:
 
+    ver_opts |= SSL_OP_NO_SSLv3;
 
+  default:
 
+    break;
 
+  };
 
+
 
+  // Disable SSLv2 and enable all workarounds for buggy servers
 
+  SSL_CTX_set_options(sslCtx_, SSL_OP_ALL | SSL_OP_NO_SSLv2 | ver_opts
 
 #ifdef SSL_OP_SINGLE_ECDH_USE
 
 #ifdef SSL_OP_SINGLE_ECDH_USE
 
                       | SSL_OP_SINGLE_ECDH_USE
 
                       | SSL_OP_SINGLE_ECDH_USE
 
 #endif // SSL_OP_SINGLE_ECDH_USE
 
 #endif // SSL_OP_SINGLE_ECDH_USE

+ 1 - 1
src/LibsslTLSContext.h
查看文件 

@@ -48,7 +48,7 @@ namespace aria2 {
 
 
 
 class OpenSSLTLSContext : public TLSContext {
 
 class OpenSSLTLSContext : public TLSContext {
 
 public:
 
 public:
 
-  OpenSSLTLSContext(TLSSessionSide side);
 
+  OpenSSLTLSContext(TLSSessionSide side, TLSVersion minVer);
 
 
 
   ~OpenSSLTLSContext();
 
   ~OpenSSLTLSContext();

+ 6 - 2
src/MultiUrlRequestInfo.cc
查看文件 

@@ -188,7 +188,9 @@ int MultiUrlRequestInfo::prepare()
 
       }
 
       }
 
       // We set server TLS context to the SocketCore before creating
 
       // We set server TLS context to the SocketCore before creating
 
       // DownloadEngine instance.
 
       // DownloadEngine instance.
 
-      std::shared_ptr<TLSContext> svTlsContext(TLSContext::make(TLS_SERVER));
 
+      auto minTLSVer = util::toTLSVersion(option_->get(PREF_MIN_TLS_VERSION));
 
+      std::shared_ptr<TLSContext> svTlsContext
 
+        (TLSContext::make(TLS_SERVER, minTLSVer));
 
       if(!svTlsContext->addCredentialFile
 
       if(!svTlsContext->addCredentialFile
 
          (option_->get(PREF_RPC_CERTIFICATE),
 
          (option_->get(PREF_RPC_CERTIFICATE),
 
           option_->get(PREF_RPC_PRIVATE_KEY))) {
 
           option_->get(PREF_RPC_PRIVATE_KEY))) {
 
@@ -245,7 +247,9 @@ int MultiUrlRequestInfo::prepare()
 
     e_->setAuthConfigFactory(std::move(authConfigFactory));
 
     e_->setAuthConfigFactory(std::move(authConfigFactory));
 
 
 
 #ifdef ENABLE_SSL
 
 #ifdef ENABLE_SSL
 
-    std::shared_ptr<TLSContext> clTlsContext(TLSContext::make(TLS_CLIENT));
 
+    auto minTLSVer = util::toTLSVersion(option_->get(PREF_MIN_TLS_VERSION));
 
+    std::shared_ptr<TLSContext> clTlsContext
 
+      (TLSContext::make(TLS_CLIENT, minTLSVer));
 
     if(!option_->blank(PREF_CERTIFICATE)) {
 
     if(!option_->blank(PREF_CERTIFICATE)) {
 
       clTlsContext->addCredentialFile(option_->get(PREF_CERTIFICATE),
 
       clTlsContext->addCredentialFile(option_->get(PREF_CERTIFICATE),
 
                                       option_->get(PREF_PRIVATE_KEY));
 
                                       option_->get(PREF_PRIVATE_KEY));

+ 11 - 0
src/OptionHandlerFactory.cc
查看文件 

@@ -584,6 +584,17 @@ std::vector<OptionHandler*> OptionHandlerFactory::createOptionHandlers()
 
     op->setChangeOptionForReserved(true);
 
     op->setChangeOptionForReserved(true);
 
     handlers.push_back(op);
 
     handlers.push_back(op);
 
   }
 
   }
 
+#ifdef ENABLE_SSL
 
+  {
 
+    OptionHandler* op(new ParameterOptionHandler
 
+                      (PREF_MIN_TLS_VERSION,
 
+                       TEXT_MIN_TLS_VERSION,
 
+                       A2_V_TLS10,
 
+                       { A2_V_SSL3, A2_V_TLS10, A2_V_TLS11, A2_V_TLS12 }));
 
+    op->addTag(TAG_ADVANCED);
 
+    handlers.push_back(op);
 
+  }
 
+#endif // ENABLE_SSL
 
   {
 
   {
 
     OptionHandler* op(new BooleanOptionHandler
 
     OptionHandler* op(new BooleanOptionHandler
 
                       (PREF_NO_CONF,
 
                       (PREF_NO_CONF,

+ 8 - 1
src/TLSContext.h
查看文件 

@@ -46,9 +46,16 @@ enum TLSSessionSide {
 
   TLS_SERVER
 
   TLS_SERVER
 
 };
 
 };
 
 
 
+enum TLSVersion {
 
+  TLS_PROTO_SSL3,
 
+  TLS_PROTO_TLS10,
 
+  TLS_PROTO_TLS11,
 
+  TLS_PROTO_TLS12,
 
+};
 
+
 
 class TLSContext {
 
 class TLSContext {
 
 public:
 
 public:
 
-  static TLSContext* make(TLSSessionSide side);
 
+  static TLSContext* make(TLSSessionSide side, TLSVersion minVer);
 
   virtual ~TLSContext() {}
 
   virtual ~TLSContext() {}
 
 
 
   // private key `keyfile' must be decrypted.
 
   // private key `keyfile' must be decrypted.

+ 31 - 9
src/WinTLSContext.cc
查看文件 

@@ -63,28 +63,50 @@
 
 
 
 namespace aria2 {
 
 namespace aria2 {
 
 
 
-WinTLSContext::WinTLSContext(TLSSessionSide side) : side_(side), store_(0)
 
+WinTLSContext::WinTLSContext(TLSSessionSide side, TLSVersion ver)
 
+  : side_(side), store_(0)
 
 {
 
 {
 
   memset(&credentials_, 0, sizeof(credentials_));
 
   memset(&credentials_, 0, sizeof(credentials_));
 
   credentials_.dwVersion = SCHANNEL_CRED_VERSION;
 
   credentials_.dwVersion = SCHANNEL_CRED_VERSION;
 
+  credentials_.grbitEnabledProtocols = 0;
 
   if (side_ == TLS_CLIENT) {
 
   if (side_ == TLS_CLIENT) {
 
-    credentials_.grbitEnabledProtocols =
 
-        SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_CLIENT | SP_PROT_TLS1_1_CLIENT |
 
-        SP_PROT_TLS1_2_CLIENT;
 
+    switch (ver) {
 
+    case TLS_PROTO_SSL3:
 
+      credentials_.grbitEnabledProtocols |= SP_PROT_SSL3_CLIENT;
 
+      // fall through
 
+    case TLS_PROTO_TLS10:
 
+      credentials_.grbitEnabledProtocols |= SP_PROT_TLS1_CLIENT;
 
+      // fall through
 
+    case TLS_PROTO_TLS11:
 
+      credentials_.grbitEnabledProtocols |= SP_PROT_TLS1_1_CLIENT;
 
+      // fall through
 
+    case TLS_PROTO_TLS12:
 
+      credentials_.grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT;
 
+    }
 
   }
 
   }
 
   else {
 
   else {
 
-    credentials_.grbitEnabledProtocols =
 
-        SP_PROT_SSL3_SERVER | SP_PROT_TLS1_SERVER | SP_PROT_TLS1_1_SERVER |
 
-        SP_PROT_TLS1_2_SERVER;
 
+    switch (ver) {
 
+    case TLS_PROTO_SSL3:
 
+      credentials_.grbitEnabledProtocols |= SP_PROT_SSL3_SERVER;
 
+      // fall through
 
+    case TLS_PROTO_TLS10:
 
+      credentials_.grbitEnabledProtocols |= SP_PROT_TLS1_SERVER;
 
+      // fall through
 
+    case TLS_PROTO_TLS11:
 
+      credentials_.grbitEnabledProtocols |= SP_PROT_TLS1_1_SERVER;
 
+      // fall through
 
+    case TLS_PROTO_TLS12:
 
+      credentials_.grbitEnabledProtocols |= SP_PROT_TLS1_2_SERVER;
 
+    }
 
   }
 
   }
 
   credentials_.dwMinimumCipherStrength = 128; // bit
 
   credentials_.dwMinimumCipherStrength = 128; // bit
 
 
 
   setVerifyPeer(side_ == TLS_CLIENT);
 
   setVerifyPeer(side_ == TLS_CLIENT);
 
 }
 
 }
 
 
 
-TLSContext* TLSContext::make(TLSSessionSide side)
 
+TLSContext* TLSContext::make(TLSSessionSide side, TLSVersion ver)
 
 {
 
 {
 
-  return new WinTLSContext(side);
 
+  return new WinTLSContext(side, ver);
 
 }
 
 }
 
 
 
 WinTLSContext::~WinTLSContext()
 
 WinTLSContext::~WinTLSContext()

+ 1 - 1
src/WinTLSContext.h
查看文件 

@@ -67,7 +67,7 @@ typedef std::unique_ptr<CredHandle, cred_deleter> CredPtr;
 
 class WinTLSContext : public TLSContext
 
 class WinTLSContext : public TLSContext
 
 {
 
 {
 
 public:
 
 public:
 
-  WinTLSContext(TLSSessionSide side);
 
+  WinTLSContext(TLSSessionSide side, TLSVersion ver);
 
 
 
   virtual ~WinTLSContext();
 
   virtual ~WinTLSContext();

+ 6 - 0
src/prefs.cc
查看文件 

@@ -169,6 +169,10 @@ const std::string V_ARC4("arc4");
 
 const std::string V_HTTP("http");
 
 const std::string V_HTTP("http");
 
 const std::string V_HTTPS("https");
 
 const std::string V_HTTPS("https");
 
 const std::string V_FTP("ftp");
 
 const std::string V_FTP("ftp");
 
+const std::string A2_V_SSL3("SSLv3");
 
+const std::string A2_V_TLS10("TLSv1");
 
+const std::string A2_V_TLS11("TLSv1.1");
 
+const std::string A2_V_TLS12("TLSv1.2");
 
 
 
 PrefPtr PREF_VERSION = makePref("version");
 
 PrefPtr PREF_VERSION = makePref("version");
 
 PrefPtr PREF_HELP = makePref("help");
 
 PrefPtr PREF_HELP = makePref("help");
 
@@ -367,6 +371,8 @@ PrefPtr PREF_DSCP = makePref("dscp");
 
 PrefPtr PREF_PAUSE_METADATA = makePref("pause-metadata");
 
 PrefPtr PREF_PAUSE_METADATA = makePref("pause-metadata");
 
 // values: 1*digit
 
 // values: 1*digit
 
 PrefPtr PREF_RLIMIT_NOFILE = makePref("rlimit-nofile");
 
 PrefPtr PREF_RLIMIT_NOFILE = makePref("rlimit-nofile");
 
+// vlaues: SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2
 
+PrefPtr PREF_MIN_TLS_VERSION = makePref("min-tls-version");
 
 
 
 /**
 
 /**
 
  * FTP related preferences
 
  * FTP related preferences

+ 6 - 0
src/prefs.h
查看文件 

@@ -105,6 +105,10 @@ extern const std::string V_ARC4;
 
 extern const std::string V_HTTP;
 
 extern const std::string V_HTTP;
 
 extern const std::string V_HTTPS;
 
 extern const std::string V_HTTPS;
 
 extern const std::string V_FTP;
 
 extern const std::string V_FTP;
 
+extern const std::string A2_V_SSL3;
 
+extern const std::string A2_V_TLS10;
 
+extern const std::string A2_V_TLS11;
 
+extern const std::string A2_V_TLS12;
 
 
 
 extern PrefPtr PREF_VERSION;
 
 extern PrefPtr PREF_VERSION;
 
 extern PrefPtr PREF_HELP;
 
 extern PrefPtr PREF_HELP;
 
@@ -304,6 +308,8 @@ extern PrefPtr PREF_DSCP;
 
 extern PrefPtr PREF_PAUSE_METADATA;
 
 extern PrefPtr PREF_PAUSE_METADATA;
 
 // values: 1*digit
 
 // values: 1*digit
 
 extern PrefPtr PREF_RLIMIT_NOFILE;
 
 extern PrefPtr PREF_RLIMIT_NOFILE;
 
+// vlaues: SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2
 
+extern PrefPtr PREF_MIN_TLS_VERSION;
 
 
 
 /**
 
 /**
 
  * FTP related preferences
 
  * FTP related preferences

+ 2 - 0
src/usage_text.h
查看文件 

@@ -1011,3 +1011,5 @@
 
   "                              and the next download waiting in queue gets\n" \
 
   "                              and the next download waiting in queue gets\n" \
 
   "                              started. But be aware that seeding item is still\n" \
 
   "                              started. But be aware that seeding item is still\n" \
 
   "                              recognized as active download in RPC method.")
 
   "                              recognized as active download in RPC method.")
 
+#define TEXT_MIN_TLS_VERSION                                            \
 
+  _(" --min-tls-version=VERSION  Specify minimum SSL/TLS version to enable.")

+ 17 - 0
src/util.cc
查看文件 

@@ -2009,6 +2009,23 @@ bool strless(const char* a, const char* b)
 
   return strcmp(a, b) < 0;
 
   return strcmp(a, b) < 0;
 
 }
 
 }
 
 
 
+TLSVersion toTLSVersion(const std::string& ver)
 
+{
 
+  if(ver == A2_V_SSL3) {
 
+    return TLS_PROTO_SSL3;
 
+  }
 
+  if(ver == A2_V_TLS10) {
 
+    return TLS_PROTO_TLS10;
 
+  }
 
+  if(ver == A2_V_TLS11) {
 
+    return TLS_PROTO_TLS11;
 
+  }
 
+  if(ver == A2_V_TLS12) {
 
+    return TLS_PROTO_TLS12;
 
+  }
 
+  return TLS_PROTO_TLS10;
 
+}
 
+
 
 } // namespace util
 
 } // namespace util
 
 
 
 } // namespace aria2
 
 } // namespace aria2

+ 6 - 0
src/util.h
查看文件 

@@ -64,6 +64,10 @@
 
 #include "fmt.h"
 
 #include "fmt.h"
 
 #include "prefs.h"
 
 #include "prefs.h"
 
 
 
+#ifdef ENABLE_SSL
 
+#include "TLSContext.h"
 
+#endif // ENABLE_SSL
 
+
 
 #ifndef HAVE_SIGACTION
 
 #ifndef HAVE_SIGACTION
 
 #  define sigset_t int
 
 #  define sigset_t int
 
 #endif // HAVE_SIGACTION
 
 #endif // HAVE_SIGACTION
 
@@ -880,6 +884,8 @@ bool noProxyDomainMatch(const std::string& hostname, const std::string& domain);
 
 // Checks hostname matches pattern as described in RFC 6125.
 
 // Checks hostname matches pattern as described in RFC 6125.
 
 bool tlsHostnameMatch(const std::string& pattern, const std::string& hostname);
 
 bool tlsHostnameMatch(const std::string& pattern, const std::string& hostname);
 
 
 
+TLSVersion toTLSVersion(const std::string& ver);
 
+
 
 } // namespace util
 
 } // namespace util
 
 
 
 } // namespace aria2
 
 } // namespace aria2