curl-library
Re: Cannot negotiate TLS/1.1 or 1.2 with nss.
Date: Tue, 19 Nov 2013 16:33:44 +0100
On Tuesday 19 November 2013 16:13:39 James Cloos wrote:
> [Wierd. The copy in my archives has the full body; I do not know why
> there is no body on the mailing list. Here it is again. -JimC]
>
> Attempts to post this at https://sourceforge.net/p/curl/bugs/new/
> failed silently, so I'm writing here.
>
> Testing shows that when linked to nss, even a modern version of nss
> which can do TLS/1.1 and TLS/1.2, curl is unable to negotiate anything
> more recent that TLS/1.0.
>
> 1.1 and 1.2 work fine with openssl and gnutls, and with other nss-using
> apps.
>
> I'm not sure whether ad34a2d5c87 impacted this.
>
> I tested with nss-3.15.3.
>
> Note that this is not about trying to limit which tls version curl uses,
> but rather about negotiating the latest version the server supports and
> about negotiating with servers which only support 1.1 and/or 1.2.
>
> Feel free to use https://jhcloos.com/tls.php to test first of those two
> cases, but I currently lack a public TLS/1.2-only test-case to offer.
This is a known issue:
https://bugzilla.redhat.com/994599
NSS does not enable TLS >= 1.0 by default. We need to patch libcurl to enable
it explicitly. I will have a look at that.
Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-11-19