curl-library

Re: [PATCH v3] TLS False Start support for NSS

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Thu, 23 Apr 2015 16:04:27 +0200

On Thursday 23 April 2015 14:11:25 Paul Howarth wrote:
> On 22/04/15 17:42, Kamil Dudka wrote:
> > On Wednesday 22 April 2015 13:10:22 Paul Howarth wrote:
> >> On 22/04/15 13:03, Kamil Dudka wrote:
> >>> If SSL_SetCanFalseStartCallback() is the newest introduced symbol required
> >>> for the TLS False Start feature to work, we can add autoconf check for the
> >>> presence of that symbol in NSS libs, and #ifdef the code based on the
> >>> result of that check. That would cover also the case where a downstream
> >>> maintainer cherry-picks the feature to an older version of NSS.
> >>
> >> Works for me. I'm able to build with the attached patch, which should be
> >> adaptable to being an autoconf-based one instead of a version-number
> >> based one.
> >>
> >> Paul.
> >
> > Thanks for the patch! Do we still need the #ifdef for
> > SSL_ENABLE_FALSE_START if the code is already #ifdef-ed based on the NSS
> > version?
>
> Only the ones within the NSS-version #ifdef (not all are), and only if
> NSS upstream does not support building without TLS 1.2 support (I don't
> know if this is the case or not).
>
> Paul.

Even if NSS had an option to disable TLS 1.2, I believe it would not hide
the define of SSL_LIBRARY_VERSION_TLS_1_2. If TLS 1.2 was not implemented
by NSS, it would effectively disable the False Start feature but it should
not break the compilation.

Paul, could you please try the attached patch and see whether it works for you?

Kamil
Received on 2015-04-23