From d8580da636450c2e040cd4ec08016084e74d5b0e Mon Sep 17 00:00:00 2001 From: Jason Cox Date: Sun, 4 Jan 2026 21:59:22 -0800 Subject: [PATCH 1/4] Release 1.0.3 - SSLv3 Support and Enhancements - Added SSLv3 support for security testing with -3 flag - Enhanced SSLv3 patch for OpenSSL 3.x compatibility - Added SSLv3 verification in build script - Updated iCurlHTTP.sh to copy xcframework folders - Fixed libcurl-build.sh SSLv3 patching for curl 8.17.0+ - Improved patch file documentation --- RELEASE.md | 9 ++++ build.sh | 6 ++- curl/libcurl-build.sh | 26 +++++++++- curl/sslv3.7.77.0.patch | 52 +++++++++++++++++++ curl/sslv3.patch | 28 +++++++--- .../include/openssl/configuration.h | 6 --- example/testTV | 1 + 7 files changed, 113 insertions(+), 15 deletions(-) create mode 100644 curl/sslv3.7.77.0.patch create mode 160000 example/testTV diff --git a/RELEASE.md b/RELEASE.md index 690da20..9562524 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -1,5 +1,14 @@ # RELEASE NOTES +## 1.0.3 - SSLv3 Support and Enhancements + +* Added SSLv3 support for security testing with `-3` flag. This allows verification that servers properly reject SSLv3 connections. Includes compatibility updates for OpenSSL 3.x which removed the `SSLv3_client_method()` function. +* Enhanced SSLv3 patch (`sslv3.patch`) to work with OpenSSL 3.x using `SSL_CTX_set_min_proto_version()` and `SSL_CTX_set_max_proto_version()` APIs. +* Added automatic SSLv3 support verification in build script when `-3` flag is used. +* Updated `iCurlHTTP.sh` script to copy all `.xcframework` folders from `archive/latest/xcframework` to support modern Xcode projects. +* Fixed libcurl-build.sh SSLv3 patching for curl 8.17.0+ to properly handle the new command-line argument processing in tool_getparam.c. +* Improved documentation with detailed patch file comments. + ## 1.0.2 - Removal of armv7 * Removal of armv7/armv7s architecture support: Apple officially stopped supporting the creation of binaries for armv7/armv7s architectures with the release of Xcode 14 in June 2022. This means that new installations of Xcode will not be able to compile armv7 targets, which will break the build script. diff --git a/build.sh b/build.sh index 6a0cebb..524285d 100755 --- a/build.sh +++ b/build.sh @@ -24,7 +24,7 @@ BUILD_MACHINE=`uname -m` BUILD_CMD=$* # Script Version -SCRIPT_VERSION="1.0.2" +SCRIPT_VERSION="1.0.3" # Compile Cache - Optional # export CMAKE_CXX_COMPILER_LAUNCHER="ccache" @@ -266,6 +266,10 @@ mkdir -p "$ARCHIVE/bin" mkdir -p "$ARCHIVE/framework" mkdir -p "$ARCHIVE/xcframework" +# Create a symlink of latest build +rm -f archive/latest +ln -s "libcurl-$LIBCURL-openssl-$OPENSSL-nghttp2-$NGHTTP2" archive/latest + # libraries for libcurl, libcrypto and libssl if [ "$BUILDFOR" == "ios" ] || [ "$BUILDFOR" == "all" ]; then # Copy iOS libraries diff --git a/curl/libcurl-build.sh b/curl/libcurl-build.sh index 32e4aa9..f4a3939 100755 --- a/curl/libcurl-build.sh +++ b/curl/libcurl-build.sh @@ -274,6 +274,15 @@ buildMac() if [ $ARCH == ${BUILD_MACHINE} ]; then echo -e "Testing binary for ${BUILD_MACHINE}:" /tmp/curl -V + # if user requested SSLv3, test it + if [ ${FORCE_SSLV3} == 'yes' ]; then + echo -e "Testing SSLv3 support..." + if /tmp/curl --sslv3 -V 2>&1 | grep -q "Ignores instruction to use SSLv3"; then + echo -e "${alert}ERROR: SSLv3 support not enabled in binary${normal}" + else + echo -e "${green}SUCCESS: SSLv3 support is enabled${normal}" + fi + fi fi } @@ -567,6 +576,19 @@ if [ ${FORCE_SSLV3} == 'yes' ]; then # for command line sed -i '' -e 's/warnf(global, \"Ignores instruction to use SSLv3\");/config->ssl_version = CURL_SSLVERSION_SSLv3;/g' "${CURL_VERSION}/src/tool_getparam.c" sed -i '' -e 's/warnf(global, \"Ignores instruction to use SSLv3\\n\");/config->ssl_version = CURL_SSLVERSION_SSLv3;/g' "${CURL_VERSION}/src/tool_getparam.c" + # fix sslv3 argument deprecated flag in tool_getparams.c + sed -i '' '/{"sslv3",/ s/ARG_NONE|ARG_DEPR/ARG_NONE/' "${CURL_VERSION}/src/tool_getparam.c" + # add C_SSLV3 case handler in opt_none() function - use value 99 as marker for SSLv3 + sed -i '' '/case C_IPV4:/i\ + case C_SSLV3: /* --sslv3 */\ + config->ssl_version = 99; /* special marker for SSLv3 */\ + break; +' "${CURL_VERSION}/src/tool_getparam.c" + # patch config2setopts.c to handle SSLv3 marker value before calling tlsversion() + sed -i '' '/my_setopt_SSLVERSION(curl, CURLOPT_SSLVERSION,/,/);/{ +s/my_setopt_SSLVERSION(curl, CURLOPT_SSLVERSION,$/my_setopt_SSLVERSION(curl, CURLOPT_SSLVERSION,/ +s/tlsversion(config->ssl_version,$/config->ssl_version == 99 ? CURL_SSLVERSION_SSLv3 : tlsversion(config->ssl_version,/ +}' "${CURL_VERSION}/src/config2setopts.c" fi fi @@ -655,8 +677,8 @@ if [ $BUILDFOR == "tvos" ] || [ $BUILDFOR == "all" ]; then fi echo -e "${bold}Cleaning up${dim}" -rm -rf /tmp/${CURL_VERSION}-* -rm -rf ${CURL_VERSION} +#rm -rf /tmp/${CURL_VERSION}-* +#rm -rf ${CURL_VERSION} echo -e "${dim}Checking libraries" xcrun -sdk iphoneos lipo -info lib/*.a diff --git a/curl/sslv3.7.77.0.patch b/curl/sslv3.7.77.0.patch new file mode 100644 index 0000000..3cd3ce1 --- /dev/null +++ b/curl/sslv3.7.77.0.patch @@ -0,0 +1,52 @@ +# SSLv3 Support Patch for curl 7.77.0 with OpenSSL 3.x +# NOTE: Use this patch only for curl 7.77.0 +# +# This patch enables SSLv3 protocol support for security testing purposes. +# SSLv3 is an obsolete and insecure protocol (deprecated since 2015) but may +# be needed to verify that servers properly reject SSLv3 connections. +# +# OpenSSL 3.x removed the SSLv3_client_method() function, so this patch uses +# the modern SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() +# API instead, which is compatible with OpenSSL 3.x. +# +# Changes: +# 1. Remove "No SSLv3 support" error in method selection +# 2. Add CURL_SSLVERSION_SSLv3 case handler that sets protocol version to SSL3 +# 3. Explicitly disable all other SSL/TLS protocol versions +# +# Usage: patch --ignore-whitespace -N lib/vtls/openssl.c sslv3.patch +# +--- openssl.c 2022-05-30 01:05:13.000000000 -0700 ++++ openssl.c.2 2022-05-30 01:25:52.000000000 -0700 +@@ -2709,8 +2709,9 @@ + failf(data, "No SSLv2 support"); + return CURLE_NOT_BUILT_IN; + case CURL_SSLVERSION_SSLv3: +- failf(data, "No SSLv3 support"); +- return CURLE_NOT_BUILT_IN; ++ req_method = SSLv3_client_method(); ++ /* use_sni(FALSE); */ ++ break; + default: + failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION"); + return CURLE_SSL_CONNECT_ERROR; +@@ -2798,9 +2799,18 @@ + + switch(ssl_version) { + case CURL_SSLVERSION_SSLv2: +- case CURL_SSLVERSION_SSLv3: + return CURLE_NOT_BUILT_IN; + ++ case CURL_SSLVERSION_SSLv3: ++ SSL_CTX_set_min_proto_version(backend->ctx, SSL3_VERSION); ++ SSL_CTX_set_max_proto_version(backend->ctx, SSL3_VERSION); ++ ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_TLSv1; ++ ctx_options |= SSL_OP_NO_TLSv1_1; ++ ctx_options |= SSL_OP_NO_TLSv1_2; ++ ctx_options |= SSL_OP_NO_TLSv1_3; ++ break; ++ + /* "--tlsv" options mean TLS >= version */ + case CURL_SSLVERSION_DEFAULT: + case CURL_SSLVERSION_TLSv1: /* TLS >= version 1.0 */ diff --git a/curl/sslv3.patch b/curl/sslv3.patch index 7bacf4e..ab0785b 100644 --- a/curl/sslv3.patch +++ b/curl/sslv3.patch @@ -1,18 +1,34 @@ +# SSLv3 Support Patch for curl > 7.77.0 with OpenSSL 3.x +# +# This patch enables SSLv3 protocol support for security testing purposes. +# SSLv3 is an obsolete and insecure protocol (deprecated since 2015) but may +# be needed to verify that servers properly reject SSLv3 connections. +# +# OpenSSL 3.x removed the SSLv3_client_method() function, so this patch uses +# the modern SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() +# API instead, which is compatible with OpenSSL 3.x. +# +# Changes: +# 1. Remove "No SSLv3 support" error in method selection +# 2. Add CURL_SSLVERSION_SSLv3 case handler that sets protocol version to SSL3 +# 3. Explicitly disable all other SSL/TLS protocol versions +# +# Usage: patch --ignore-whitespace -N lib/vtls/openssl.c sslv3.patch +# --- openssl.c 2022-05-30 01:05:13.000000000 -0700 +++ openssl.c.2 2022-05-30 01:25:52.000000000 -0700 -@@ -2709,8 +2709,9 @@ +@@ -2709,8 +2709,8 @@ failf(data, "No SSLv2 support"); return CURLE_NOT_BUILT_IN; case CURL_SSLVERSION_SSLv3: - failf(data, "No SSLv3 support"); - return CURLE_NOT_BUILT_IN; -+ req_method = SSLv3_client_method(); -+ /* use_sni(FALSE); */ ++ /* SSLv3 handled in ossl_connect_step1 via SSL_CTX_set_min/max_proto_version */ + break; default: failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION"); return CURLE_SSL_CONNECT_ERROR; -@@ -2798,9 +2799,18 @@ +@@ -2798,9 +2798,18 @@ switch(ssl_version) { case CURL_SSLVERSION_SSLv2: @@ -20,8 +36,8 @@ return CURLE_NOT_BUILT_IN; + case CURL_SSLVERSION_SSLv3: -+ SSL_CTX_set_min_proto_version(backend->ctx, SSL3_VERSION); -+ SSL_CTX_set_max_proto_version(backend->ctx, SSL3_VERSION); ++ SSL_CTX_set_min_proto_version(octx, SSL3_VERSION); ++ SSL_CTX_set_max_proto_version(octx, SSL3_VERSION); + ctx_options |= SSL_OP_NO_SSLv2; + ctx_options |= SSL_OP_NO_TLSv1; + ctx_options |= SSL_OP_NO_TLSv1_1; diff --git a/example/iOS Test App/include/openssl/configuration.h b/example/iOS Test App/include/openssl/configuration.h index c91bc46..ecb93eb 100644 --- a/example/iOS Test App/include/openssl/configuration.h +++ b/example/iOS Test App/include/openssl/configuration.h @@ -97,12 +97,6 @@ extern "C" { # ifndef OPENSSL_NO_SCTP # define OPENSSL_NO_SCTP # endif -# ifndef OPENSSL_NO_SSL3 -# define OPENSSL_NO_SSL3 -# endif -# ifndef OPENSSL_NO_SSL3_METHOD -# define OPENSSL_NO_SSL3_METHOD -# endif # ifndef OPENSSL_NO_TRACE # define OPENSSL_NO_TRACE # endif diff --git a/example/testTV b/example/testTV new file mode 160000 index 0000000..47b1c9b --- /dev/null +++ b/example/testTV @@ -0,0 +1 @@ +Subproject commit 47b1c9b1c9678d7eec1849f55b8e94f726202f2b From 290940b2c0bdd300397dfdc2984fd18e107ee256 Mon Sep 17 00:00:00 2001 From: Jason Cox Date: Sun, 4 Jan 2026 22:08:35 -0800 Subject: [PATCH 2/4] Cleanup temporary and build files in libcurl-build.sh --- curl/libcurl-build.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl/libcurl-build.sh b/curl/libcurl-build.sh index f4a3939..a77c8db 100755 --- a/curl/libcurl-build.sh +++ b/curl/libcurl-build.sh @@ -677,8 +677,8 @@ if [ $BUILDFOR == "tvos" ] || [ $BUILDFOR == "all" ]; then fi echo -e "${bold}Cleaning up${dim}" -#rm -rf /tmp/${CURL_VERSION}-* -#rm -rf ${CURL_VERSION} +rm -rf /tmp/${CURL_VERSION}-* +rm -rf ${CURL_VERSION} echo -e "${dim}Checking libraries" xcrun -sdk iphoneos lipo -info lib/*.a From 9517db3d4aab898d63bd62e697a966769e214c41 Mon Sep 17 00:00:00 2001 From: Jason Cox Date: Sun, 4 Jan 2026 22:42:48 -0800 Subject: [PATCH 3/4] Remove invalid CURLOPT_MAXCONNECTS option and update timing details format in iOSCurlProgressCallback --- example/iOS Test App/iOS Test App/ViewController.m | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/example/iOS Test App/iOS Test App/ViewController.m b/example/iOS Test App/iOS Test App/ViewController.m index 12e5e1c..599ca66 100644 --- a/example/iOS Test App/iOS Test App/ViewController.m +++ b/example/iOS Test App/iOS Test App/ViewController.m @@ -205,7 +205,7 @@ - (IBAction)Get:(id)sender curl_easy_setopt(_curl, CURLOPT_USERAGENT, curl_version()); // set a default user agent curl_easy_setopt(_curl, CURLOPT_VERBOSE, 1L); // turn on verbose curl_easy_setopt(_curl, CURLOPT_TIMEOUT, 60L); // seconds - curl_easy_setopt(_curl, CURLOPT_MAXCONNECTS, 0L); // this should disallow connection sharing + // curl_easy_setopt(_curl, CURLOPT_MAXCONNECTS, 0L); // REMOVED - 0 is invalid in curl 8.x curl_easy_setopt(_curl, CURLOPT_FORBID_REUSE, 1L); // enforce connection to be closed curl_easy_setopt(_curl, CURLOPT_DNS_CACHE_TIMEOUT, 0L); // Disable DNS cache curl_easy_setopt(_curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2_0); // enable HTTP2 Protocol @@ -227,8 +227,8 @@ - (IBAction)Get:(id)sender // PERFORM the Curl theResult = curl_easy_perform(_curl); if (theResult == CURLE_OK) { - long http_code, http_ver; - double total_time, total_size, total_speed, timing_ns, timing_tcp, timing_ssl, timing_fb; + long http_code, http_ver, total_size, total_speed; + double total_time, timing_ns, timing_tcp, timing_ssl, timing_fb; char *redirect_url2 = NULL; curl_easy_getinfo(_curl, CURLINFO_RESPONSE_CODE, &http_code); curl_easy_getinfo(_curl, CURLINFO_TOTAL_TIME, &total_time); @@ -256,7 +256,7 @@ - (IBAction)Get:(id)sender } // timings - _resultText.text = [_resultText.text stringByAppendingFormat:@"\n** Timing Details **\n-- \tName Lookup:\t%0.2fs\n-- \tTCP Connect: \t%0.2fs\n-- \tSSL Handshake: \t%0.2fs\n-- \tFirst Byte: \t\t%0.2fs\n-- \tTotal Download: \t%0.2fs\n-- Size: %0.0f bytes\n-- Speed: %0.0f bytes/sec\n-- Using: %@\n** RESULT CODE: %ld**", + _resultText.text = [_resultText.text stringByAppendingFormat:@"\n** Timing Details **\n-- \tName Lookup:\t%0.2fs\n-- \tTCP Connect: \t%0.2fs\n-- \tSSL Handshake: \t%0.2fs\n-- \tFirst Byte: \t\t%0.2fs\n-- \tTotal Download: \t%0.2fs\n-- Size: %" CURL_FORMAT_CURL_OFF_T " bytes\n-- Speed: %" CURL_FORMAT_CURL_OFF_T " bytes/sec\n-- Using: %@\n** RESULT CODE: %ld**", timing_ns,timing_tcp,timing_ssl,timing_fb, total_time,total_size, total_speed, http_ver_s, http_code]; From 92649ba9808ceb37d9401d6e785fdf9fed74d114 Mon Sep 17 00:00:00 2001 From: Jason Cox Date: Mon, 5 Jan 2026 18:38:59 -0800 Subject: [PATCH 4/4] Remove testTV subproject reference --- example/testTV | 1 - 1 file changed, 1 deletion(-) delete mode 160000 example/testTV diff --git a/example/testTV b/example/testTV deleted file mode 160000 index 47b1c9b..0000000 --- a/example/testTV +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 47b1c9b1c9678d7eec1849f55b8e94f726202f2b