From 0f0e13c70e2274ef691cf7128d30174f296b211c Mon Sep 17 00:00:00 2001
From: Enno Boland
Date: Sat, 16 Sep 2023 08:11:08 +0200
Subject: [PATCH] curl_mapper: enforce at least TLS v1.2

This change sets a default minimum TLS version of 1.2 for all curl requests. This is stricter than curls default of TLSv1.0.
---
 lib/read/mapper/curl_mapper.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/read/mapper/curl_mapper.c b/lib/read/mapper/curl_mapper.c
index 7c7be5049..e52b4f697 100644
--- a/lib/read/mapper/curl_mapper.c
+++ b/lib/read/mapper/curl_mapper.c
@@ -128,6 +128,8 @@ get_file_time(CURL *handle, uint64_t *file_time) {
 static CURL *
 configure_handle(struct SqshMapper *mapper) {
 CURL *handle = mapper->data.cl.handle;
+ const long tls_versions =
+ CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT;
 curl_easy_reset(handle);
 curl_easy_setopt(handle, CURLOPT_URL, mapper->data.cl.url);
 curl_easy_setopt(handle, CURLOPT_NOPROGRESS, 1L);
@@ -136,6 +138,7 @@ configure_handle(struct SqshMapper *mapper) {
 curl_easy_setopt(handle, CURLOPT_FAILONERROR, 1L);
 curl_easy_setopt(handle, CURLOPT_FILETIME, 1L);
 curl_easy_setopt(handle, CURLOPT_WRITEFUNCTION, write_data);
+ curl_easy_setopt(handle, CURLOPT_SSLVERSION, tls_versions);
 return handle;
 }
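Review bot: The `tls_versions` declaration at the top of configure_handle has no comment saying that the value packs two fields into one long: the low bits are the minimum version and `CURL_SSLVERSION_MAX_DEFAULT` is the upper bound. A reader could take the `|` for a set of allowed versions. I would add `/* floor: TLS 1.2; ceiling: libcurl's default maximum */` above it. The `CURL_SSLVERSION_MAX_*` constants exist only from libcurl 7.54.0 on, so the change also raises the libcurl version needed to build; whether the build files check for that is not visible in this patch. The function body continues outside the hunk.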
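Review bot: The result of the added `curl_easy_setopt(handle, CURLOPT_SSLVERSION, tls_versions)` call is discarded, so if libcurl rejects the value the handle is still returned and the transfer runs with the library's default floor instead of TLS 1.2. Because this option is the security control the commit introduces, it should fail closed, for example `if (curl_easy_setopt(handle, CURLOPT_SSLVERSION, tls_versions) != CURLE_OK) return NULL;`, provided the callers (outside this hunk) handle a NULL handle. The floor also only binds when the transfer actually uses TLS: the visible lines pass `mapper->data.cl.url` to `CURLOPT_URL` without restricting the scheme, although the two lines between the hunks are not shown and may already cover this.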