cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH v3] TLS False Start support for NSS

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Wed, 22 Apr 2015 14:03:59 +0200

On Wednesday 22 April 2015 12:38:44 Paul Howarth wrote:
> On 20/03/15 19:29, Kamil Dudka wrote:
> > On Monday 09 March 2015 14:34:31 Alessandro Ghedini wrote:
> >> Hello,
> >>
> >> I updated the checks as Kamil suggested. Now False Start is only used
> >> with
> >> TLS 1.2, ECDHE and AES GCM like in newer firefox versions. This kind of
> >> reduces the False Start usability, since NSS doesn't enable ECC ciphers
> >> by
> >> default and they
> >>
> >> need to manually selected like so:
> >>> $ src/curl -v https://ghedini.me --ciphers ecdhe_rsa_aes_128_gcm_sha_256
> >>> --false-start
> >>
> >> But this may change in the future I suppose. Also, AFAICT NSS doesn't
> >> support AES 256 GCM, so there's that too, but I guess that in most
> >> servers
> >> if AES 256 is enabled, AES 128 will be as well.
> >>
> >> See attached patches.
> >>
> >> Cheers
> >
> > I have pushed them:
> >
> > https://github.com/bagder/curl/compare/a332922a52...1f651d1d4d
> >
> > Thanks for the contribution!
>
> I have come across some issues building with old versions of NSS in the
> new release of curl (7.42.0). Whilst NSS has had the symbol
> SSL_ENABLE_FALSE_START since version 3.12.8, some of the additional
> symbols used in the false start support were introduced considerably
> more recently:
>
> SSL_SetCanFalseStartCallback - introduced in nss 3.15.4
>
> SSL_LIBRARY_VERSION_TLS_1_2 - introduced in nss 3.15.1
>
> This is causing compile errors for my Fedora 16 (nss 3.14.1), 17 (nss
> 3.143) and 18 (nss 3.15.3) builds.
>
> I think the fix is probably to drop the false start support with nss <
> 3.15.4. Any other opinions/options?
>
> Paul.

If SSL_SetCanFalseStartCallback() is the newest introduced symbol required
for the TLS False Start feature to work, we can add autoconf check for the
presence of that symbol in NSS libs, and #ifdef the code based on the result
of that check. That would cover also the case where a downstream maintainer
cherry-picks the feature to an older version of NSS.

Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-04-22

This message: [ Message body ]
Next message: Paul Howarth: "Re: [PATCH v3] TLS False Start support for NSS"
Previous message: Kamil Dudka: "Re: [PATCH] nss: implement public key pinning for NSS backend"
In reply to: Paul Howarth: "Re: [PATCH v3] TLS False Start support for NSS"
Next in thread: Paul Howarth: "Re: [PATCH v3] TLS False Start support for NSS"
Reply: Paul Howarth: "Re: [PATCH v3] TLS False Start support for NSS"
Reply: Daniel Stenberg: "Re: [PATCH v3] TLS False Start support for NSS"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]