Re: [PATCH v3] TLS False Start support for NSS

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Fri, 20 Mar 2015 16:54:58 +0100

On Friday 20 March 2015 13:34:34 Alessandro Ghedini wrote:
> On Wed, Mar 18, 2015 at 08:05:52 +0100, Kamil Dudka wrote:
> > On Monday 09 March 2015 14:34:31 Alessandro Ghedini wrote:
> > > Hello,
> > >
> > > I updated the checks as Kamil suggested. Now False Start is only used with
> > > TLS 1.2, ECDHE and AES GCM like in newer Firefox versions. This kind of
> > > reduces the False Start usability, since NSS doesn't enable ECC ciphers by
> > > default and they need to be manually selected like so:
> > >
> > > > $ src/curl -v https://ghedini.me --ciphers ecdhe_rsa_aes_128_gcm_sha_256 --false-start
> > >
> > > But this may change in the future I suppose. Also, AFAICT NSS doesn't
> > > support AES 256 GCM, so there's that too, but I guess that in most servers
> > > if AES 256 is enabled, AES 128 will be as well.
> > >
> > > See attached patches.
> > >
> > > Cheers
> >
> > Hi Alessandro,
> >
> > sorry for the delay. I have reviewed the patches and they look perfect to
> > me. Two minor remarks about the documentation -- the
> > CURLOPT_SSL_FALSESTART.3 man page is not added to Makefile.am and the
> > option is not mentioned in the curl_easy_setopt.3 man page -- both
> > trivial to fix.
>
> Should I send updated patches for this?
>
> Cheers

No need to send patches for such trivial changes. I will merge it later today
hopefully. Sorry for the delays!

Kamil
Received on 2015-03-20