
curl-library

Re: [PATCH] possibly dangerous warnings in lib/nss.c

From: Rob Crittenden <rcritten_at_redhat.com>
Date: Fri, 09 Oct 2009 13:41:42 -0400

Kamil Dudka wrote:
> On Thu October 8 2009 15:20:49 Rob Crittenden wrote:
>> I think we'll have to ask the NSS developers. I've got an e-mail to some
>> guys internally.
>
> Thanks! In the meantime I've conducted some observation:
>
> http://permalink.gmane.org/gmane.comp.web.curl.library/25367
>
> Just look at nsSSLIOLayerSetOptions() from
> security/manager/ssl/src/nsNSSIOLayer.cpp (nowadays part of xulrunner):
>
> if (nsSSLIOLayerHelpers::isKnownAsIntolerantSite(key)) {
>   if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS, PR_FALSE))
>     return NS_ERROR_FAILURE;
>
>   infoObject->SetAllowTLSIntoleranceTimeout(PR_FALSE);
>
>   // We assume that protocols that use the STARTTLS mechanism should support
>   // modern hellos. For other protocols, if we suspect a site
>   // does not support TLS, let's also use V2 hellos.
>   // One advantage of this approach, if a site only supports the older
>   // hellos, it is more likely that we will get a reasonable error code
>   // on our single retry attempt.
>
>   if (!forSTARTTLS &&
>       SECSuccess != SSL_OptionSet(fd, SSL_V2_COMPATIBLE_HELLO, PR_TRUE))
>     return NS_ERROR_FAILURE;
> }
>
> This method looks also relevant enough:
>
> // Call this function to report a site that is possibly TLS intolerant.
> // This function will return true, if the given socket is currently using TLS.
> PRBool nsSSLIOLayerHelpers::rememberPossibleTLSProblemSite(...)
>
> I don't want to copy/paste the whole part of xulrunner into libcurl. Any idea
> how to make this work in an easy way?
>
> Kamil

An NSS developer suggested that if SSL2 is disabled then there is no
point in setting the SSLv2 hello, so we could just enable that if SSL2
is enabled.

rob
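As an added illustration (not code from this thread, libcurl or xulrunner): a plain-C model of the intolerant-site tracking and retry decision quoted above, with the NSS developer's suggestion folded in so that the SSLv2-compatible hello is only requested when SSLv2 itself is enabled. The site table, the key format and the function names are assumptions, and the struct stands in for the NSS socket options rather than calling SSL_OptionSet.

```c
#include <stdbool.h>
#include <string.h>

/* Model of the NSS socket options discussed in this thread (not the NSS API;
   the real calls are SSL_OptionSet(fd, SSL_ENABLE_TLS, ...) and friends). */
struct ssl_opts {
    bool enable_ssl2;                    /* SSL_ENABLE_SSL2 */
    bool enable_tls;                     /* SSL_ENABLE_TLS */
    bool v2_compatible_hello;            /* SSL_V2_COMPATIBLE_HELLO */
    bool allow_tls_intolerance_timeout;  /* SetAllowTLSIntoleranceTimeout() */
};

/* Hypothetical in-memory list of sites remembered as possibly TLS-intolerant,
   standing in for nsSSLIOLayerHelpers::isKnownAsIntolerantSite(). */
#define MAX_SITES 16
static char intolerant_sites[MAX_SITES][128];
static int n_intolerant;

static bool is_known_intolerant(const char *key)
{
    for (int i = 0; i < n_intolerant; i++)
        if (strcmp(intolerant_sites[i], key) == 0)
            return true;
    return false;
}

/* Record a site after a failed TLS handshake (the role of
   rememberPossibleTLSProblemSite); returns true only if it was newly added. */
static bool remember_possible_tls_problem_site(const char *key)
{
    if (is_known_intolerant(key) || n_intolerant >= MAX_SITES || strlen(key) >= 128)
        return false;
    strcpy(intolerant_sites[n_intolerant++], key);
    return true;
}

/* Options for one connection attempt to `key`.  The intolerant-site branch
   follows the quoted xulrunner logic; the ssl2_enabled guard on the
   V2-compatible hello is the NSS developer's suggestion from this thread. */
static struct ssl_opts options_for_site(const char *key, bool ssl2_enabled, bool for_starttls)
{
    struct ssl_opts o = { ssl2_enabled, true, ssl2_enabled, true };
    if (is_known_intolerant(key)) {
        o.enable_tls = false;                     /* retry without TLS */
        o.allow_tls_intolerance_timeout = false;
        o.v2_compatible_hello = !for_starttls && ssl2_enabled;
    }
    return o;
}
```

Note that a site lands in the table only after an observed handshake failure, so a first attempt always offers TLS; the fallback is a one-time retry, not a permanent downgrade policy.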


Received on 2009-10-09