cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] possibly dangerous warnigns in lib/nss.c

From: Kamil Dudka <>
Date: Fri, 9 Oct 2009 21:04:09 +0200

On Friday 09 of October 2009 19:41:42 Rob Crittenden wrote:
> Kamil Dudka wrote:
> > // We assume that protocols that use the STARTTLS mechanism should
> > support // modern hellos. For other protocols, if we suspect a site
> > // does not support TLS, let's also use V2 hellos.
> > // One advantage of this approach, if a site only supports the older
> > // hellos, it is more likely that we will get a reasonable error code
> > // on our single retry attempt.

IMO this is the important suggestion from NSS developers.

> An NSS developer suggested that if SSL2 is disabled then there is no
> point in setting the SSLv2 hello, so we could just enable that if SSL2
> is enabled.

SSLv2 hello is enabled by default. We disable it in libcurl and therefor can't
connect some sites which we could connect with the default setup. I admit the
proposed patch is too simple to solve all possibilities.

Another approach is that from Firefox. We try to connect with TLS enabled. If
the connection fails with certain errors (-12226, -12229, ...), we try to
connect once again with TLS disabled. I am not sure if libcurl design is
ready for such solution.

But we need to solve the problem. Users expect from libcurl to connect all
sites they can connect with Firefox, no matter how broken the servers are.

List admin:
Received on 2009-10-09