Re: Cannot negotiate TLS/1.1 or 1.2 with nss.

From: Kamil Dudka
Date: Tue, 19 Nov 2013 16:33:44 +0100

On Tuesday 19 November 2013 16:13:39 James Cloos wrote:
> [Weird. The copy in my archives has the full body; I do not know why
> there is no body on the mailing list. Here it is again. -JimC]
> Attempts to post this at
> failed silently, so I'm writing here.
> Testing shows that when linked to nss, even a modern version of nss
> which can do TLS/1.1 and TLS/1.2, curl is unable to negotiate anything
> more recent than TLS/1.0.
> 1.1 and 1.2 work fine with openssl and gnutls, and with other nss-using
> apps.
> I'm not sure whether ad34a2d5c87 impacted this.
> I tested with nss-3.15.3.
> Note that this is not about trying to limit which tls version curl uses,
> but rather about negotiating the latest version the server supports and
> about negotiating with servers which only support 1.1 and/or 1.2.
> Feel free to use to test first of those two
> cases, but I currently lack a public TLS/1.2-only test-case to offer.

This is a known issue:

NSS does not enable TLS >= 1.0 by default. We need to patch libcurl to enable
it explicitly. I will have a look at that.

Received on 2013-11-19