cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] possibly dangerous warnigns in lib/nss.c

From: Kamil Dudka <>
Date: Thu, 8 Oct 2009 18:08:12 +0200

On Thu October 8 2009 15:20:49 Rob Crittenden wrote:
> I think we'll have to ask the NSS developers. I've got an e-mail to some
> guys internally.

Thanks! In the meantime I've conducted some observation:

Just look at nsSSLIOLayerSetOptions() from
security/manager/ssl/src/nsNSSIOLayer.cpp (nowadays part of xulrunner):

  if (nsSSLIOLayerHelpers::isKnownAsIntolerantSite(key)) {
    if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS, PR_FALSE))
      return NS_ERROR_FAILURE;


    // We assume that protocols that use the STARTTLS mechanism should support
    // modern hellos. For other protocols, if we suspect a site
    // does not support TLS, let's also use V2 hellos.
    // One advantage of this approach, if a site only supports the older
    // hellos, it is more likely that we will get a reasonable error code
    // on our single retry attempt.

    if (!forSTARTTLS &&
        SECSuccess != SSL_OptionSet(fd, SSL_V2_COMPATIBLE_HELLO, PR_TRUE))
      return NS_ERROR_FAILURE;

This method looks also relevant enough:

// Call this function to report a site that is possibly TLS intolerant.
// This function will return true, if the given socket is currently using TLS.
PRBool nsSSLIOLayerHelpers::rememberPossibleTLSProblemSite(...)

I don't want to copy/paste whole the part of xulrunner into libcurl. Any idea
how to make this working in an easy way?

List admin:
Received on 2009-10-08