Re: [PATCH v3] TLS False Start support for NSS

From: Paul Howarth
Date: Thu, 23 Apr 2015 16:02:19 +0100

On 23/04/15 15:04, Kamil Dudka wrote:
> On Thursday 23 April 2015 14:11:25 Paul Howarth wrote:
>> On 22/04/15 17:42, Kamil Dudka wrote:
>>> On Wednesday 22 April 2015 13:10:22 Paul Howarth wrote:
>>>> On 22/04/15 13:03, Kamil Dudka wrote:
>>>>> If SSL_SetCanFalseStartCallback() is the newest introduced symbol
>>>>> required for the TLS False Start feature to work, we can add autoconf
>>>>> check for the presence of that symbol in NSS libs, and #ifdef the code
>>>>> based on the result of that check. That would cover also the case where
>>>>> a downstream maintainer cherry-picks the feature to an older version of
>>>>> NSS.
>>>> Works for me. I'm able to build with the attached patch, which should be
>>>> adaptable to being an autoconf-based one instead of a version-number
>>>> based one.
>>>> Paul.
>>> Thanks for the patch! Do we still need the #ifdef for
>>> SSL_ENABLE_FALSE_START if the code is already #ifdef-ed based on the NSS
>>> version?
>> Only the ones within the NSS-version #ifdef (not all are), and only if
>> NSS upstream does not support building without TLS 1.2 support (I don't
>> know if this is the case or not).
>> Paul.
> Even if NSS had an option to disable TLS 1.2, I believe it would not hide
> the define of SSL_LIBRARY_VERSION_TLS_1_2. If TLS 1.2 was not implemented
> by NSS, it would effectively disable the False Start feature but it should
> not break the compilation.
> Paul, could you please try the attached patch whether it works for you?

Builds OK for F-15 (OpenSSL build), F-16 (NSS 3.14.1), F-17 (NSS
3.14.3), F-18 (3.15.3), F-19 (NSS 3.17.2) and Rawhide. Looks good!


Received on 2015-04-23