Re: [PATCH v2] TLS False Start support for NSS
Date: Mon, 09 Mar 2015 12:05:32 +0100
On Saturday 07 March 2015 14:38:51 Alessandro Ghedini wrote:
> I updated the TLS False Start patches I sent a while back to include the
> various checks as previously discussed.
Thank you for the patches!
> My implementation now matches the
> behaviour of firefox (in fact it's in part the same code).
You are saying that your implementation is based on some already existing
implementation. Could you please provide a reference to the original code?
I have been trying to search it myself and found the following one:
It does not seem to implement it in the exact same way as your patch. For
instance, your patch does not check the negotiated TLS version, does it?
I would also love to see some comments for the checks implemented in
CanFalseStartCallback(), so that we can review them later on. It is good
that libcurl behaves similar as Firefox now, but it may change at some point
and we will need to reflect that in libcurl. The out-of-protocol downgrade
to SSLv3 was also originally taken from the implementation in Firefox and we
were dropping it from libcurl half a year ago because it turned out to be
> I've also looked at other TLS implementations, but besides SecureTransport
> (the OS X thing) I could not find any that support this. There is a patch
> for OpenSSL floating around though  which, AFAICT, is available in the
> Android OpenSSL build and in BoringSSL, but I'm not sure if it makes sense
> to implement support for it in curl just yet (I'm gonna try to see if the
> OpenSSL developers want to merge it).
> So anyway, see  for a way to test this. Note though that the test doesn't
> always work (e.g. with https://google.com) because, I suspect, the server
> completes the handshake before curl actually starts sending any data to it
> (I may be wrong though). The connection still works fine, so no problems
> /0002-handshake_cutthrough.patch 
List admin: http://cool.haxx.se/list/listinfo/curl-library
Received on 2015-03-09