curl-library
Re: Cannot negotiate TLS/1.1 or 1.2 with nss.
Date: Tue, 19 Nov 2013 16:36:31 +0100
On Tuesday 19 November 2013 16:33:44 Kamil Dudka wrote:
> On Tuesday 19 November 2013 16:13:39 James Cloos wrote:
> > [Wierd. The copy in my archives has the full body; I do not know why
> > there is no body on the mailing list. Here it is again. -JimC]
> >
> > Attempts to post this at https://sourceforge.net/p/curl/bugs/new/
> > failed silently, so I'm writing here.
> >
> > Testing shows that when linked to nss, even a modern version of nss
> > which can do TLS/1.1 and TLS/1.2, curl is unable to negotiate anything
> > more recent that TLS/1.0.
> >
> > 1.1 and 1.2 work fine with openssl and gnutls, and with other nss-using
> > apps.
> >
> > I'm not sure whether ad34a2d5c87 impacted this.
> >
> > I tested with nss-3.15.3.
> >
> > Note that this is not about trying to limit which tls version curl uses,
> > but rather about negotiating the latest version the server supports and
> > about negotiating with servers which only support 1.1 and/or 1.2.
> >
> > Feel free to use https://jhcloos.com/tls.php to test first of those two
> > cases, but I currently lack a public TLS/1.2-only test-case to offer.
>
> This is a known issue:
>
> https://bugzilla.redhat.com/994599
>
> NSS does not enable TLS >= 1.0 by default. We need to patch libcurl to
> enable it explicitly. I will have a look at that.
I meant TLS > 1.0, of course.
> Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-11-19