
curl-library

Re: Cannot negotiate TLS/1.1 or 1.2 with nss.

From: James Cloos <cloos+cool_haxx-curl-library_at_jhcloos.com>
Date: Tue, 19 Nov 2013 10:13:39 -0500

[Weird. The copy in my archives has the full body; I do not know why
there is no body on the mailing list. Here it is again. -JimC]

Attempts to post this at https://sourceforge.net/p/curl/bugs/new/
failed silently, so I'm writing here.

Testing shows that when linked to nss, even a modern version of nss
which can do TLS/1.1 and TLS/1.2, curl is unable to negotiate anything
more recent than TLS/1.0.

1.1 and 1.2 work fine with openssl and gnutls, and with other nss-using
apps.

I'm not sure whether ad34a2d5c87 impacted this.

I tested with nss-3.15.3.

Note that this is not about trying to limit which tls version curl uses,
but rather about negotiating the latest version the server supports and
about negotiating with servers which only support 1.1 and/or 1.2.

Feel free to use https://jhcloos.com/tls.php to test the first of those two
cases, but I currently lack a public TLS/1.2-only test-case to offer.

-JimC

-- 
James Cloos <cloos_at_jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2013-11-19