Merge pull request #34 from negrutiu/feature/GH-33-weak-crypto

Feature/gh 33 weak crypto
negrutiu · Aug 31, 2024 · 782f9c7 · 782f9c7
2 parents 21a70bc + 2386538
commit 782f9c7
Show file tree

Hide file tree

Showing 6 changed files with 282 additions and 93 deletions.
diff --git a/src/nscurl/NScurl.readme.md b/src/nscurl/NScurl.readme.md
@@ -381,7 +381,7 @@ Parameter      | Details
 /CASTORE true|false
 ```
 Specify that Windows' native CA store should be used for SSL certificate validation.  
-This option is __enabled__ by default.  
+This option is `true` by default.  
 When enabled, the native CA store is used __in addition__ to the other trusted certificate sources ([/CACERT](#cacert) and [/CERT](#cert))
 
 ### /CERT
@@ -405,12 +405,13 @@ Pop $0
 
 ```nsis
 ; Trust self-signed certificate
+; NOTE: This cert might quickly become deprecated. Make sure you use the latest for testing
 !define BADSSL_SELFSIGNED_CRT \
 "-----BEGIN CERTIFICATE-----$\n\
-MIIDeTCCAmGgAwIBAgIJANuSS2L+9oTlMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV$\n\
+MIIDeTCCAmGgAwIBAgIJAPhNZrCAQp0/MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV$\n\
 BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp$\n\
 c2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0y$\n\
-NDA1MTcxNzU5MzNaFw0yNjA1MTcxNzU5MzNaMGIxCzAJBgNVBAYTAlVTMRMwEQYD$\n\
+NDA4MjAxNjI0NDVaFw0yNjA4MjAxNjI0NDVaMGIxCzAJBgNVBAYTAlVTMRMwEQYD$\n\
 VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK$\n\
 DAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB$\n\
 BQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2$\n\
@@ -420,18 +421,34 @@ xPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve$\n\
 ww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY$\n\
 QCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T$\n\
 BAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI$\n\
-hvcNAQELBQADggEBAH1tiJTqI9nW4Vr3q6joNV7+hNKS2OtgqBxQhMVWWWr4mRDf$\n\
-ayfr4eAJkiHv8/Fvb6WqbGmzClCVNVOrfTzHeLsfROLLmlkYqXSST76XryQR6hyt$\n\
-4qWqGd4M+MUNf7ty3zcVF0Yt2vqHzp4y8m+mE5nSqRarAGvDNJv+I6e4Edw19u1j$\n\
-ddjiqyutdMsJkgvfNvSLQA8u7SAVjnhnoC6n2jm2wdFbrB+9rnrGje+Q8r1ERFyj$\n\
-SG26SdQCiaG5QBCuDhrtLSR1N90URYCY0H6Z57sWcTKEusb95Pz6cBTLGuiNDKJq$\n\
-juBzebaanR+LTh++Bleb9I0HxFFCTwlQhxo/bfY=$\n\
+hvcNAQELBQADggEBAF9F2x4tuIATEa5jZY86nEaa3Py2Rd0tjNywlryS1TKXWIqu$\n\
+yim+0HpNU/R6cpkN1MZ1iN7dUKTtryLJIAXgaZC1TC6sRyuOMzV/rDHShT3WY0MW$\n\
++/sebaJZ4kkLUzQ1k5/FW/AmZ3su739vLQbcEEfn7UUK5cdRgcqEHA4SePhq5zQX$\n\
+5/FSILsStpu+9hZ6OGxVdLVWKOM5GZ8LCXw3cJCNbJvW1APCz+3bP3bGBANeCUJp$\n\
+gt0b83u4YBs1t66ZV/rcDQiyQzjAY6th2UfRggZxeIRDO7qbRa+M0pVW3qugMytf$\n\
+bPw02aMbgH96rX61u0sd1M0slJHFEeqquqbtPcU=$\n\
 -----END CERTIFICATE-----"
 
 NScurl::http GET "https://self-signed.badssl.com" "${file}" /CERT '${BADSSL_SELFSIGNED_CRT}' /END
 Pop $0
 ```
 
+### /SECURITY
+```
+/SECURITY weak|strong
+```
+Configure the security level for the current transfer.  
+The default security is `weak` to favor compatibility with legacy servers.
+
+Security level `weak`:
+- call [SSL_CTX_set_options(..., SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);](https://docs.openssl.org/3.1/man3/SSL_CTX_set_options/#notes) to enable unsafe legacy renegociation
+- call [SSL_CTX_set_security_level( 0 )](https://docs.openssl.org/1.1.1/man3/SSL_CTX_set_security_level/#default-callback-behaviour) to enable weak cryptographic algorithms
+- call [curl_easy_setopt(..., CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);](https://curl.se/libcurl/c/CURLOPT_SSLVERSION.html) to enable `SSL3`, `TLS 1.0` and `TLS 1.1` protocols
+
+Security level `strong`:
+- use the default `openssl` crypto algorithms and standards that are considered secure
+
+
 ### /DEPEND
 ```
 /DEPEND id

diff --git a/src/nscurl/curl.c b/src/nscurl/curl.c
@@ -456,6 +456,16 @@ ULONG CurlParseRequestParam( _In_ ULONG iParamIndex, _In_ LPTSTR pszParam, _In_
 			if (popstring( pszParam ) == NOERROR)
 				pReq->pszTlsPass = MyStrDup( eT2A, pszParam );
 		}
+	} else if (lstrcmpi( pszParam, _T( "/SECURITY" ) ) == 0) {
+		if (popstring( pszParam ) == NOERROR) {
+			if (lstrcmpi(pszParam, _T("weak")) == 0) {
+				pReq->bStrongSecurity = FALSE;
+			} else if (lstrcmpi(pszParam, _T("strong")) == 0) {
+				pReq->bStrongSecurity = TRUE;
+			} else {
+				err = ERROR_INVALID_PARAMETER;
+			}
+		}
 	} else if (lstrcmpi( pszParam, _T( "/CACERT" ) ) == 0) {
 		if (popstring( pszParam ) == NOERROR) {						/// pszParam may be empty ("")
 			if (lstrcmpi(pszParam, _T("builtin")) == 0) {
@@ -639,16 +649,22 @@ CURLcode CurlSSLCallback( CURL *curl, void *ssl_ctx, void * userdata)
 		SSL_CTX_set_options(sslctx, flags);
 	}
 
-    // Add `/CERT pem` certificates to the SSL_CTX store
+	// https://docs.openssl.org/1.1.1/man3/SSL_CTX_set_security_level/#default-callback-behaviour
+	if (!req->bStrongSecurity)
+	{
+		SSL_CTX_set_security_level(sslctx, 0);
+	}
+
+	// Add `/CERT pem` certificates to the SSL_CTX store
 	const struct curl_slist* pem;
 	for (pem = req->pPemList; pem; pem = pem->next)
 	{
-	    BIO* bio = BIO_new_mem_buf(pem->data, -1);
+		BIO* bio = BIO_new_mem_buf(pem->data, -1);
 		if (bio)
 		{
 			X509_STORE* store = SSL_CTX_get_cert_store(sslctx);
 
-		    // read certificates one by one
+			// read certificates one by one
 			X509* cert;
 			while ((cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL)
 			{
@@ -1140,9 +1156,16 @@ void CurlTransfer( _In_ PCURL_REQUEST pReq )
 				curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, FALSE );
 			}
 
-			// GH-31: allow "unsafe legacy renegotiation"
-			// Symptomatic URL: https://publicinfobanjir.water.gov.my/hujan/data-hujan/?state=PLS&lang=en
-			pReq->opensslSetFlags |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+			// Security level
+			if (!pReq->bStrongSecurity)
+			{
+				// GH-31: allow "unsafe legacy renegotiation"
+				// Symptomatic URL: https://publicinfobanjir.water.gov.my/hujan/data-hujan/?state=PLS&lang=en
+				pReq->opensslSetFlags |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+
+				// Allow TLS 1.0, TLS 1.1
+				curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
+			}
 
 			// SSL callback
 			curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, CurlSSLCallback);
@@ -1355,7 +1378,7 @@ void CurlTransfer( _In_ PCURL_REQUEST pReq )
 						break;		/// Canceled
 					if (pReq->Error.iHttp > 0 && (pReq->Error.iHttp < 200 || pReq->Error.iHttp >= 300))
 						break;		/// HTTP error
-					if (pReq->Error.iCurl == CURLE_PEER_FAILED_VERIFICATION || pReq->Error.iX509 != X509_V_OK)
+					if (pReq->Error.iCurl == CURLE_SSL_CONNECT_ERROR || pReq->Error.iCurl == CURLE_PEER_FAILED_VERIFICATION || pReq->Error.iX509 != X509_V_OK)
 						break;		/// SSL error
 
 					// Cancel?

diff --git a/src/nscurl/curl.h b/src/nscurl/curl.h
@@ -40,6 +40,7 @@ typedef struct _CURL_REQUEST {
 	BOOLEAN		bMarkOfTheWeb : 1;
 	BOOLEAN     bHttp11       : 1;
 	BOOLEAN     bEncoding     : 1;
+	BOOLEAN     bStrongSecurity : 1;	/// Use default openssl security level. By default, we use SSL_CTX_set_security_level(0) and SSL3 as minimum protocol
 	BOOLEAN     bCastore      : 1;      /// Use native CA store (CURLSSLOPT_NATIVE_CA)
 	LPCSTR		pszCacert;				/// can be CACERT_BUILTIN(NULL), CACERT_NONE, or a file path
 	struct curl_slist *pCertList;		/// List of sha1 certificate thumprints. can be NULL

diff --git a/tests/NScurl-Debug.nsi b/tests/NScurl-Debug.nsi
@@ -669,10 +669,10 @@ SectionGroup /e "Tests"
 ; Valid to: ‎Sunday, ‎August ‎9, ‎2026 7:09:21 PM
 !define BADSSL_SELFSIGNED_CRT \
 "-----BEGIN CERTIFICATE-----$\n\
-MIIDeTCCAmGgAwIBAgIJAPEMFZO/+ZHXMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV$\n\
+MIIDeTCCAmGgAwIBAgIJAPhNZrCAQp0/MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV$\n\
 BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp$\n\
 c2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0y$\n\
-NDA4MDkxNjA5MjFaFw0yNjA4MDkxNjA5MjFaMGIxCzAJBgNVBAYTAlVTMRMwEQYD$\n\
+NDA4MjAxNjI0NDVaFw0yNjA4MjAxNjI0NDVaMGIxCzAJBgNVBAYTAlVTMRMwEQYD$\n\
 VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK$\n\
 DAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB$\n\
 BQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2$\n\
@@ -682,15 +682,15 @@ xPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve$\n\
 ww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY$\n\
 QCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T$\n\
 BAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI$\n\
-hvcNAQELBQADggEBADwahI1HUmazX3I3p0c53AZ5z4BO+Ezb4+bBph3MX8xR+gZr$\n\
-bQPJ/N47wWHR4EdZt9/zLZA6n2tU6GPVieC/WdoSSaU7XtdzFxts+Crz0K2bXohR$\n\
-KkobUTN1fHkJyZHPTKmUybI+CTEaZOR7j7epU9NOVWYT2p0sK9LavgtR3O852Oaw$\n\
-QdWrSO7SmmaE6Yh3k1b34KfiPvOQFkScJop0Kr8Vz4jWHh6ahdmbsJOoFdzj+1gM$\n\
-/1UbOcwLBARrY7gZIJZbejqpAiein6bCPHlKZ4w8iwXu9m2I3GRRscydT2KXuPv9$\n\
-9WnX6thCEmtyZ+v7Rbs7W7Lh1SiktlxhP/GL56k=$\n\
+hvcNAQELBQADggEBAF9F2x4tuIATEa5jZY86nEaa3Py2Rd0tjNywlryS1TKXWIqu$\n\
+yim+0HpNU/R6cpkN1MZ1iN7dUKTtryLJIAXgaZC1TC6sRyuOMzV/rDHShT3WY0MW$\n\
++/sebaJZ4kkLUzQ1k5/FW/AmZ3su739vLQbcEEfn7UUK5cdRgcqEHA4SePhq5zQX$\n\
+5/FSILsStpu+9hZ6OGxVdLVWKOM5GZ8LCXw3cJCNbJvW1APCz+3bP3bGBANeCUJp$\n\
+gt0b83u4YBs1t66ZV/rcDQiyQzjAY6th2UfRggZxeIRDO7qbRa+M0pVW3qugMytf$\n\
+bPw02aMbgH96rX61u0sd1M0slJHFEeqquqbtPcU=$\n\
 -----END CERTIFICATE-----"
 
-!define BADSSL_SELFSIGNED_THUMBPRINT 'a66bca8a797de3e4df6c4dd86f639d6f1accd893'
+!define BADSSL_SELFSIGNED_THUMBPRINT '8577cec7988ad89d72400f5933988221984e3009'
 
 
 Var /global testCacertName
@@ -699,14 +699,16 @@ Var /global testCastoreName
 Var /global testCastoreValue
 Var /global testCertName
 Var /global testCertValue
+Var /global testSecurityName
+Var /global testSecurityValue
 
-!macro CERT_TEST url file cacert castore cert errortype errorcode
+!macro TRANSFER_TEST url file cacert castore cert security errortype errorcode
     StrCpy $R0 '${file}'
 
     ${If} `${cacert}` == ""
         StrCpy $testCacertName ""
         StrCpy $testCacertValue ""
-        StrCpy $R0 '$R0_default'
+        StrCpy $R0 '$R0_defcacert'
     ${ElseIf} `${cacert}` == "none"
     ${OrIf} `${cacert}` == "builtin"
         StrCpy $testCacertName "/CACERT"
@@ -721,7 +723,7 @@ Var /global testCertValue
     ${If} `${castore}` == ""
         StrCpy $testCastoreName ""
         StrCpy $testCastoreValue ""
-        StrCpy $R0 '$R0_default'
+        StrCpy $R0 '$R0_defcastore'
     ${Else}
         StrCpy $testCastoreName "/CASTORE"
         StrCpy $testCastoreValue `${castore}`
@@ -731,14 +733,24 @@ Var /global testCertValue
     ${If} `${cert}` == ""
         StrCpy $testCertName ""
         StrCpy $testCertValue ""
-        StrCpy $R0 '$R0_nocert'
+        StrCpy $R0 '$R0_defcert'
     ${Else}
         StrCpy $testCertName "/CERT"
         StrCpy $testCertValue `${cert}`
         StrCpy $0 `${cert}` 8
         StrCpy $R0 '$R0_$0'
     ${EndIf}
 
+    ${If} `${security}` == ""
+        StrCpy $testSecurityName ""
+        StrCpy $testSecurityValue ""
+        StrCpy $R0 '$R0_defsecurity'
+    ${Else}
+        StrCpy $testSecurityName "/SECURITY"
+        StrCpy $testSecurityValue `${security}`
+        StrCpy $R0 '$R0_${security}'
+    ${EndIf}
+
     ${GetFileName} $R0 $0
 	DetailPrint 'NScurl::http "${url}" "$0"'
 
@@ -761,6 +773,8 @@ Var /global testCertValue
     Push $testCastoreName
     Push $testCacertValue
     Push $testCacertName
+    Push $testSecurityValue
+    Push $testSecurityName
 	Push memory
 	Push "${url}"
 	Push "GET"
@@ -808,9 +822,9 @@ Section "Expired certificate"
 
     !define /ifndef X509_V_ERR_CERT_HAS_EXPIRED 10
 
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' '' '' '' x509 ${X509_V_ERR_CERT_HAS_EXPIRED}
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none' 'true' '' x509 ${X509_V_ERR_CERT_HAS_EXPIRED}
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none' 'false' '' http 200       ; SSL validation disabled
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' ''     ''      '' '' x509 ${X509_V_ERR_CERT_HAS_EXPIRED}
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none' 'true'  '' '' x509 ${X509_V_ERR_CERT_HAS_EXPIRED}
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none' 'false' '' '' http 200       ; SSL validation disabled
 
     Push /REMOVE
     Push "test"
@@ -827,9 +841,9 @@ Section "Wrong host"
 
     !define /ifndef CURLE_PEER_FAILED_VERIFICATION 60
 
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' '' '' '' curl ${CURLE_PEER_FAILED_VERIFICATION}
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none' 'true' '' curl ${CURLE_PEER_FAILED_VERIFICATION}
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none' 'false' '' http 200       ; SSL validation disabled
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' ''     ''      '' '' curl ${CURLE_PEER_FAILED_VERIFICATION}
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none' 'true'  '' '' curl ${CURLE_PEER_FAILED_VERIFICATION}
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none' 'false' '' '' http 200       ; SSL validation disabled
 
     Push /REMOVE
     Push "test"
@@ -847,11 +861,11 @@ Section "Untrusted root"
     !define /ifndef UNTRUSTED_CERT '7890C8934D5869B25D2F8D0D646F9A5D7385BA85'
     !define /ifndef X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
 
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' '' '' '' x509 ${X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN}
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' '' '' ${UNTRUSTED_CERT} http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' ''                '' x509 ${X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN}
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' ${UNTRUSTED_CERT} '' http 200
 
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none' 'true' '' x509 ${X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN}
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none' 'false' '' http 200       ; SSL validation disabled
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none' 'true'  '' '' x509 ${X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN}
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none' 'false' '' '' http 200       ; SSL validation disabled
 
     Push /REMOVE
     Push "test"
@@ -868,31 +882,95 @@ Section "Self-signed certificate"
 
     !define /ifndef X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
 
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' ''        '' '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'builtin' '' '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none'    '' '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' ''        '' '' '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'builtin' '' '' '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none'    '' '' '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
+
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none' 'false' '${BADSSL_SELFSIGNED_CRT}' '' http 200
+
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'builtin' 'true'  '' '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'builtin' 'false' '' '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none'    'true'  '' '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
+
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none' 'false' '' '' http 200       ; SSL validation disabled
+
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none' 'true'  '1111111111111111111111111111111111111111' '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none' 'false' '1111111111111111111111111111111111111111' '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
+
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none' 'true'  ${BADSSL_SELFSIGNED_THUMBPRINT} '' http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' 'none' 'false' ${BADSSL_SELFSIGNED_THUMBPRINT} '' http 200
+
+    Push /REMOVE
+    Push "test"
+    Push /TAG
+    CallInstDLL $DLL cancel     ; no return
 
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none' 'false' '${BADSSL_SELFSIGNED_CRT}' http 200
+SectionEnd
 
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'builtin' 'true'  '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'builtin' 'false' '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none'    'true'  '' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
+Section "Unsafe legacy renegociation"
+	SectionIn ${INSTTYPE_MOST}
+	DetailPrint '=====[ ${__SECTION__} ]==============================='
 
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none' 'false' '' http 200       ; SSL validation disabled
+	!define /redef LINK 'https://publicinfobanjir.water.gov.my'
+	!define /redef FILE '$EXEDIR\_test_legacynego'
 
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none' 'true'  '1111111111111111111111111111111111111111' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none' 'false' '1111111111111111111111111111111111111111' x509 ${X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT}
+    !define /redef CURLE_SSL_CONNECT_ERROR 35
 
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none' 'true'  ${BADSSL_SELFSIGNED_THUMBPRINT} http 200
-    !insertmacro CERT_TEST '${LINK}' '${FILE}' 'none' 'false' ${BADSSL_SELFSIGNED_THUMBPRINT} http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' ''       http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' 'weak'   http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' 'strong' curl ${CURLE_SSL_CONNECT_ERROR} ; OpenSSL/3.3.1: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
 
     Push /REMOVE
     Push "test"
     Push /TAG
     CallInstDLL $DLL cancel     ; no return
+SectionEnd
+
+Section "Weak protocols"
+	SectionIn ${INSTTYPE_MOST}
+	DetailPrint '=====[ ${__SECTION__} ]==============================='
+
+    !define /redef CURLE_SSL_CONNECT_ERROR 35
+
+	!define /redef LINK 'https://tls-v1-0.badssl.com:1010/'
+	!define /redef FILE '$EXEDIR\_test_weaktls10'
+
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' ''       http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' 'weak'   http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' 'strong' curl ${CURLE_SSL_CONNECT_ERROR}    ; OpenSSL/3.3.1: error:0A000102:SSL routines::unsupported protocol
+
+
+	!define /redef LINK 'https://tls-v1-1.badssl.com:1011/'
+	!define /redef FILE '$EXEDIR\_test_weaktls11'
+
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' ''       http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' 'weak'   http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' 'strong' curl ${CURLE_SSL_CONNECT_ERROR}    ; OpenSSL/3.3.1: error:0A000102:SSL routines::unsupported protocol
+
+
+    !define /redef LINK 'https://tls-v1-2.badssl.com:1012/'
+	!define /redef FILE '$EXEDIR\_test_weaktls12'
 
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' ''       http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' 'weak'   http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' 'strong' http 200   ; TLS 1.2 should always work
+
+    ; ----------------------------------------------
+
+    !define /redef LINK 'https://dh2048.badssl.com'
+	!define /redef FILE '$EXEDIR\_test_weakdh2k'
+
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' ''       http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' 'weak'   http 200
+    !insertmacro TRANSFER_TEST '${LINK}' '${FILE}' '' '' '' 'strong' http 200
+
+    Push /REMOVE
+    Push "test"
+    Push /TAG
+    CallInstDLL $DLL cancel     ; no return
 SectionEnd
 
+
 SectionGroupEnd