cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH v2] TLS False Start support for NSS

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Mon, 9 Mar 2015 13:37:20 +0100

On lun, mar 09, 2015 at 12:05:32 +0100, Kamil Dudka wrote:
> On Saturday 07 March 2015 14:38:51 Alessandro Ghedini wrote:
> > Hello,
> >
> > I updated the TLS False Start patches I sent a while back to include the
> > various checks as previously discussed.
>
> Thank you for the patches!
>
> > My implementation now matches the
> > behaviour of firefox (in fact it's in part the same code).
>
> You are saying that your implementation is based on some already existing
> implementation. Could you please provide a reference to the original code?
>
> I have been trying to search it myself and found the following one:
>
> https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSCallbacks.cpp?from=CanFalseStartCallback#930
>
> It does not seem to implement it in the exact same way as your patch. For
> instance, your patch does not check the negotiated TLS version, does it?

Looks like you are right. I think I looked into an older firefox release and
missed a whole bunch of other checks (like the fact that firefox now only allows
ECDHE and AES GCM).

I'll update the patch shortly and also add comments. It seems I'm having some
problem withe nss and ECDHE though: I updated my server's configuration to only
allow ECDHE but when I use curl built with nss I get:

> % src/curl https://ghedini.me -v
> * STATE: INIT => CONNECT handle 0xe2f658; line 1046 (connection #-5000)
> * Rebuilt URL to: https://ghedini.me/
> * Added connection 0. The cache now contains 1 members
> * STATE: CONNECT => WAITRESOLVE handle 0xe2f658; line 1083 (connection #0)
> * Trying 149.154.152.214...
> * STATE: WAITRESOLVE => WAITCONNECT handle 0xe2f658; line 1163 (connection #0)
> * Connected to ghedini.me (149.154.152.214) port 443 (#0)
> * STATE: WAITCONNECT => SENDPROTOCONNECT handle 0xe2f658; line 1202 (connection #0)
> * Marked for [keep alive]: HTTP default
> * Initializing NSS with certpath: none
> * CAfile: /etc/ssl/certs/ca-certificates.crt
> CApath: none
> * STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0xe2f658; line 1216 (connection #0)
> * NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
> * Cannot communicate securely with peer: no common encryption algorithm(s).
> * Marked for [closure]: Failed HTTPS connection
> * Closing connection 0
> * The cache now contains 0 members
> * Expire cleared
> curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

Any idea on what may be causing this? Using chromium built against the same
libnss works fine, so maybe it's a curl problem? The nss version is 3.17.2.

Cheers

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2015-03-09