cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH v3] TLS False Start support for NSS

From: Paul Howarth <paul_at_city-fan.org>
Date: Wed, 22 Apr 2015 12:38:44 +0100

On 20/03/15 19:29, Kamil Dudka wrote:
> On Monday 09 March 2015 14:34:31 Alessandro Ghedini wrote:
>> Hello,
>>
>> I updated the checks as Kamil suggested. Now False Start is only used with
>> TLS 1.2, ECDHE and AES GCM like in newer firefox versions. This kind of
>> reduces the False Start usability, since NSS doesn't enable ECC ciphers by
>> default and they
>> need to manually selected like so:
>>> $ src/curl -v https://ghedini.me --ciphers ecdhe_rsa_aes_128_gcm_sha_256
>>> --false-start
>> But this may change in the future I suppose. Also, AFAICT NSS doesn't
>> support AES 256 GCM, so there's that too, but I guess that in most servers
>> if AES 256 is enabled, AES 128 will be as well.
>>
>> See attached patches.
>>
>> Cheers
>
> I have pushed them:
>
> https://github.com/bagder/curl/compare/a332922a52...1f651d1d4d
>
> Thanks for the contribution!

I have come across some issues building with old versions of NSS in the
new release of curl (7.42.0). Whilst NSS has had the symbol
SSL_ENABLE_FALSE_START since version 3.12.8, some of the additional
symbols used in the false start support were introduced considerably
more recently:

SSL_SetCanFalseStartCallback - introduced in nss 3.15.4

SSL_LIBRARY_VERSION_TLS_1_2 - introduced in nss 3.15.1

This is causing compile errors for my Fedora 16 (nss 3.14.1), 17 (nss
3.143) and 18 (nss 3.15.3) builds.

I think the fix is probably to drop the false start support with nss <
3.15.4. Any other opinions/options?

Paul.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-04-22