curl-library

Re: [PATCH 1/3] nss: map CURL_SSLVERSION_DEFAULT to NSS default

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Sun, 30 Oct 2016 21:39:08 +0100

On Thursday, October 27, 2016 13:40:15 Ray Satiro via curl-library wrote:
> On 10/27/2016 9:25 AM, Kamil Dudka wrote:
> > switch(data->set.ssl.version) {
> >
> > - default:
> > case CURL_SSLVERSION_DEFAULT:
> > + /* nss_init_sslver() should not be called with
> > CURL_SSLVERSION_DEFAULT */ + break;
> > +
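
Review bot: In the CURL_SSLVERSION_DEFAULT case, the new comment says nss_init_sslver() should not be called with this value, yet the code only does `break`, so a caller that does pass it continues silently with whatever version range was already in place. Consider making that path fail visibly (a debug assertion or an error return) rather than relying on the comment. Also, with the `default:` label removed, the visible lines no longer show how values of data->set.ssl.version that match no case are handled; keeping a `default:` that rejects unknown values would make that explicit.
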
>
> It is documented we disable SSLv3 by default [1], could this allow for
> an NSS that allows SSLv3 by default?
>
>
> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html

SSLv3 is disabled by default in NSS since March 2015:

    https://hg.mozilla.org/projects/nss/rev/37369a50eb75

SSL_VersionRangeSet() does not allow just disabling SSLv3 while keeping
sslver->max untouched. However, I can extend the patch to disable SSLv3
using the legacy API if an old version of NSS is detected at build time.
Does that work for you?

Kamil
Received on 2016-10-30