Re: [PATCH] possibly dangerous warnings in lib/nss.c

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Wed, 7 Oct 2009 23:17:42 +0200

On Wednesday 07 of October 2009 23:01:13 Guenter wrote:
> I believe the lines around the code you point to were modified for SNI
> (see RFC 4366, "Transport Layer Security (TLS) Extensions"); check cvs
> logs ...

Thanks for the hint! The log of r1.16 talks about disabling SSLv2.

> diff -u -p -r1.15 -r1.16
> --- lib/nss.c 15 Jan 2008 23:19:02 -0000 1.15
> +++ lib/nss.c 19 Feb 2008 23:10:17 -0000 1.16
> @@ -873,7 +873,7 @@ CURLcode Curl_nss_connect(struct connect
> switch (data->set.ssl.version) {
> default:
> case CURL_SSLVERSION_DEFAULT:
> - ssl2 = ssl3 = tlsv1 = PR_TRUE;
> + ssl3 = tlsv1 = PR_TRUE;

I am fine with this hunk. It does IMO the right thing.

> break;
> case CURL_SSLVERSION_TLSv1:
> tlsv1 = PR_TRUE;
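Review bot: with `ssl2` dropped from the default-case assignment, nothing in this hunk sets it any more, yet the second hunk still passes it to `SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2)`; unless the declaration above the switch already initialises it, the default path hands an indeterminate value to NSS, which is the kind of "may be used uninitialised" warning a compiler would raise here. Suggest initialising all three flags at their declaration, e.g. `PRBool ssl2 = PR_FALSE, ssl3 = PR_FALSE, tlsv1 = PR_FALSE;`, instead of relying on every case label to assign them.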
> @@ -893,6 +893,9 @@ CURLcode Curl_nss_connect(struct connect
> if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
> goto error;
>
> + if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
> + goto error;
> +
> if(data->set.ssl.cipher_list) {
> if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
> curlerr = CURLE_SSL_CIPHER;
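Review bot: the added `SSL_V2_COMPATIBLE_HELLO` call carries no comment explaining its intent, and the commit log only says "disable SSLv2": sending a V2-compatible ClientHello is a different knob from enabling the SSLv2 protocol (the context line above shows the protocol switches being set through `SSL_ENABLE_TLS` and friends), so it is not obvious why it is tied to the same `ssl2` flag. Guenter's pointer to RFC 4366 suggests the interaction with TLS extensions such as SNI was the motivation; a one-line comment stating that, and that `ssl2` is PR_FALSE on the default path so the v2-style hello is turned off there, would answer the question raised in this thread without re-reading cvs history.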

I didn't find any clarification for this ^. Do we have any counterexample
of what will be broken if I apply the patch proposed at rhbz?

Kamil
Received on 2009-10-07