

Re: [Patch 1/3 v2] nss: map CURL_SSLVERSION_DEFAULT to NSS default

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 1 Nov 2016 16:11:59 -0400

On 11/1/2016 11:42 AM, Kamil Dudka wrote:
> ... but make sure we use at least TLSv1.0 according to libcurl API
> ---
> lib/vtls/nss.c | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
> index dff1575..5abb574 100644
> --- a/lib/vtls/nss.c
> +++ b/lib/vtls/nss.c
> @@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
> struct Curl_easy *data)
> {
> switch(data->set.ssl.version) {
> - default:
> case CURL_SSLVERSION_DEFAULT:
> + /* map CURL_SSLVERSION_DEFAULT to NSS default */
> + if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
> + return CURLE_SSL_CONNECT_ERROR;
> + /* ... but make sure we use at least TLSv1.0 according to libcurl API */
> + if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
> + sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
> + return CURLE_OK;
> +
> case CURL_SSLVERSION_TLSv1:
> sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
> + /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */
> #ifdef SSL_LIBRARY_VERSION_TLS_1_2
> sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
> #elif defined SSL_LIBRARY_VERSION_TLS_1_1
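Review bot: Raising sslver->min to TLS 1.0 on the CURL_SSLVERSION_DEFAULT path does not check that the range stays valid: if the NSS default range returned by SSL_VersionRangeGetDefault() ever has a max below TLS 1.0, the clamp leaves min greater than max, and whatever later applies the range presumably rejects it with no useful diagnostic. A guard after the clamp keeps the range consistent, `if(sslver->max < sslver->min) sslver->max = sslver->min;`, or alternatively fails explicitly when the NSS build cannot offer TLS 1.0 at all. Along the same lines, the early `return CURLE_SSL_CONNECT_ERROR;` after a failed SSL_VersionRangeGetDefault() returns without any failf() message, unlike the error path at the end of the function; a `failf(data, "cannot get NSS default SSL/TLS version range");` before it would keep the diagnostics uniform.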
> @@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
> return CURLE_OK;
> #endif
> break;
> +
> + default:
> + /* unsupported SSL/TLS version */
> + break;
> }
>
> failf(data, "TLS minor version cannot be set");
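Review bot: The new `default:` branch only breaks out of the switch, so an unrecognised data->set.ssl.version value reaches the existing `failf(data, "TLS minor version cannot be set")`, a message that describes the build-lacks-a-TLS-minor-version case rather than an unsupported enum value. Reporting the actual cause inside the branch, `failf(data, "unsupported SSL/TLS version requested"); return CURLE_SSL_CONNECT_ERROR;`, keeps the two failure modes distinguishable in the transfer log. The remaining cases of nss_init_sslver() between the two hunks are outside this view.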

This looks better, but since that API function is apparently only available since
3.14 [1]: does libcurl still build with versions older than that, and if so,
would it be acceptable to fall back on the old way, like this?

   case CURL_SSLVERSION_DEFAULT:
#if NSSVERNUM >= 0x030E00 /* >= 3.14.0 */
     /* map CURL_SSLVERSION_DEFAULT to NSS default */
     if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) !=
SECSuccess)
       return CURLE_SSL_CONNECT_ERROR;
     /* ... but make sure we use at least TLSv1.0 according to libcurl
API */
     if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
       sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
     return CURLE_OK;
#endif
   case CURL_SSLVERSION_TLSv1:

[1]:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.14_release_notes
