curl-library
[PATCH 1/3] nss: map CURL_SSLVERSION_DEFAULT to NSS default
From: Kamil Dudka <kdudka_at_redhat.com>
Date: Thu, 27 Oct 2016 15:25:55 +0200
---
lib/vtls/nss.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 214c224..d57b6a5 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1489,10 +1489,13 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
struct Curl_easy *data)
{
switch(data->set.ssl.version) {
- default:
case CURL_SSLVERSION_DEFAULT:
+ /* nss_init_sslver() should not be called with CURL_SSLVERSION_DEFAULT */
+ break;
+
case CURL_SSLVERSION_TLSv1:
sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+ /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */
#ifdef SSL_LIBRARY_VERSION_TLS_1_2
sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
#elif defined SSL_LIBRARY_VERSION_TLS_1_1
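Review bot: The new `case CURL_SSLVERSION_DEFAULT:` branch only breaks out of the switch, so it lands on the shared `failf(data, "TLS minor version cannot be set")` that is visible at the end of the second hunk. That message describes neither this case nor the new `default:` branch added there, so a log reader would be pointed at the wrong cause. Since the comment says this path must never be reached, I would add `DEBUGASSERT(0);` before the `break;` so debug builds catch a caller that bypasses the guard in nss_setup_connect(). I would also reword the shared message to something like `"unsupported SSL/TLS version requested"`. The body of nss_init_sslver() continues outside this hunk.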
@@ -1532,6 +1535,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
return CURLE_OK;
#endif
break;
+
+ default:
+ /* unsupported SSL/TLS version */
+ break;
}
failf(data, "TLS minor version cannot be set");
@@ -1652,11 +1659,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
goto error;
- /* enable/disable the requested SSL version(s) */
- if(nss_init_sslver(&sslver, data) != CURLE_OK)
- goto error;
- if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
- goto error;
+ if(data->set.ssl.version != CURL_SSLVERSION_DEFAULT) {
+ /* enable/disable the requested SSL version(s) */
+ if(nss_init_sslver(&sslver, data) != CURLE_OK)
+ goto error;
+ if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
+ goto error;
+ }
ssl_cbc_random_iv = !data->set.ssl_enable_beast;
#ifdef SSL_CBC_RANDOM_IV
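Review bot: With CURL_SSLVERSION_DEFAULT the new guard skips SSL_VersionRangeSet() entirely, so the minimum protocol becomes whatever the NSS build or system policy enables on `model`. The removed code forced a TLS 1.0 floor in that case, because the old `default:` label fell into the TLSv1 branch. On an NSS whose defaults still enable an older protocol, this would presumably lower the floor without any message to the user. Consider an `else` branch that reads the effective range back with SSL_VersionRangeGet(), raises `min` to SSL_LIBRARY_VERSION_TLS_1_0 when it is lower, and fails closed if the range cannot be applied. nss_setup_connect() starts and ends outside this hunk.

```c
if(data->set.ssl.version != CURL_SSLVERSION_DEFAULT) {
  /* … unchanged: nss_init_sslver() and SSL_VersionRangeSet() … */
}
else {
  /* relying on NSS defaults: keep the TLS 1.0 floor the old code enforced */
  if(SSL_VersionRangeGet(model, &sslver) != SECSuccess)
    goto error;
  if(sslver.min < SSL_LIBRARY_VERSION_TLS_1_0) {
    sslver.min = SSL_LIBRARY_VERSION_TLS_1_0;
    if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
      goto error;
  }
}
```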
--
2.7.4