Re: [PATCH 1/3] nss: map CURL_SSLVERSION_DEFAULT to NSS default

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 1 Nov 2016 01:34:37 -0400

On 10/30/2016 4:39 PM, Kamil Dudka wrote:
> On Thursday, October 27, 2016 13:40:15 Ray Satiro via curl-library wrote:
>> On 10/27/2016 9:25 AM, Kamil Dudka wrote:
>>> > > switch(data->set.ssl.version) {
>>> > >
>>> > >- default:
>>> > > case CURL_SSLVERSION_DEFAULT:
>>> > >+ /* nss_init_sslver() should not be called with
>>> > >CURL_SSLVERSION_DEFAULT */ + break;
>>> > >+
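Review bot: the new `case CURL_SSLVERSION_DEFAULT:` silently `break`s out of the switch even though the added comment says nss_init_sslver() should never be reached with that value, so a caller that does pass it gets whatever range NSS ships with and no diagnostic; a `DEBUGASSERT()` or an explicit `return CURLE_SSL_CONNECT_ERROR` would make the stated precondition enforceable. The hunk also drops the `default:` label from this case group, so please confirm that unknown version values are still caught by a `default:` elsewhere in the switch, otherwise they fall through to the same silent `break`.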
>>
>> It is documented we disable SSLv3 by default [1], could this allow for
>> an NSS that allows SSLv3 by default?
>>
>>
>> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
> SSLv3 is disabled by default in NSS since March 2015:
>
> https://hg.mozilla.org/projects/nss/rev/37369a50eb75
>
> SSL_VersionRangeSet() does not allow one to just disable SSLv3 while keeping
> sslver->max untouched. However, I can extend the patch to disable SSLv3
> using the legacy API if an old version of NSS is detected at build time.
> Does that work for you?

I tried to research this but I'm not seeing any official documentation
on SSL_VersionRangeGetSupported, SSL_VersionRangeGetDefault or
SSL_VersionRangeSet. I've googled and used Mozilla's website search.
Basically my request is that the patch be true to the documentation and
SSLv3 disabled by default. That means the minimum version is the NSS
default minimum (if it's possible to determine that) unless that minimum
is less than TLS 1.0. I imagine it would be something like this:

case CURL_SSLVERSION_DEFAULT:
  /* start from the NSS default range, then raise the floor to TLS 1.0
     so that SSLv3 stays disabled as the curl documentation promises;
     SSL_VersionRangeGetDefault() reports SECStatus, so test for SECSuccess */
  if(SSL_VersionRangeGetDefault(ssl_variant_stream, &range) != SECSuccess)
    return CURLE_SSL_CONNECT_ERROR;
  if(range.min < SSL_LIBRARY_VERSION_TLS_1_0) {
    /* somefunctosetmin() is a placeholder for whatever NSS call raises
       the minimum version without touching the maximum */
    if(!somefunctosetmin(SSL_LIBRARY_VERSION_TLS_1_0))
      return CURLE_SSL_CONNECT_ERROR;
  }
  break;
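The policy sketched above, "take the NSS default range but never let the floor drop below TLS 1.0", is small enough to isolate from NSS and check on its own. The following is an added example, not code from this thread or from curl; it does not link against NSS and uses its own version constants (VER_*), which only mirror the major<<8|minor encoding NSS uses for SSL_LIBRARY_VERSION_*. The two sample defaults are constructed to stand for an NSS build that still defaults to SSLv3 and one that does not, and the third case shows the one way the policy cannot be satisfied: a library whose default maximum is itself below TLS 1.0.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Version constants in the same encoding NSS uses (assumption: these
   mirror SSL_LIBRARY_VERSION_3_0 .. _TLS_1_2, but are defined locally
   so the example builds without NSS). */
#define VER_SSL_3_0 0x0300
#define VER_TLS_1_0 0x0301
#define VER_TLS_1_1 0x0302
#define VER_TLS_1_2 0x0303

/* Shape of an NSS-style version range: inclusive min and max. */
typedef struct {
  uint16_t min;
  uint16_t max;
} version_range;

enum policy_result {
  POLICY_OK = 0,            /* range adjusted (or already fine) */
  POLICY_UNSATISFIABLE = 1, /* library cannot reach TLS 1.0 at all */
  POLICY_INVALID = 2        /* caller passed min > max */
};

/* Apply the "default but no SSLv3" policy from the mail: keep the
   library's default range, raise min to TLS 1.0 if it is lower, leave
   max untouched.  Returns POLICY_OK and fills *out on success. */
enum policy_result apply_default_policy(const version_range *lib_default,
                                        version_range *out)
{
  version_range r;

  if(lib_default->min > lib_default->max)
    return POLICY_INVALID;

  r = *lib_default;
  if(r.min < VER_TLS_1_0)
    r.min = VER_TLS_1_0;          /* floor: SSLv3 and older stay off */

  if(r.min > r.max)
    return POLICY_UNSATISFIABLE;  /* e.g. a default range of SSLv3 only */

  *out = r;
  return POLICY_OK;
}

/* Detection helper: does a range still admit SSLv3? */
bool range_allows_sslv3(const version_range *r)
{
  return r->min <= VER_SSL_3_0 && VER_SSL_3_0 <= r->max;
}

int main(void)
{
  /* Constructed sample defaults, not taken from any real NSS build. */
  const version_range old_nss = { VER_SSL_3_0, VER_TLS_1_2 };
  const version_range new_nss = { VER_TLS_1_0, VER_TLS_1_2 };
  const version_range sslv3_only = { VER_SSL_3_0, VER_SSL_3_0 };
  const version_range *cases[] = { &old_nss, &new_nss, &sslv3_only };
  size_t i;

  for(i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
    version_range out = { 0, 0 };
    enum policy_result res = apply_default_policy(cases[i], &out);
    printf("default %04x-%04x (sslv3 %s) -> result %d, effective %04x-%04x\n",
           cases[i]->min, cases[i]->max,
           range_allows_sslv3(cases[i]) ? "on" : "off",
           (int)res, out.min, out.max);
  }
  return 0;
}
```

Running it shows the first range being lifted to 0x0301-0x0303, the second passing through unchanged, and the SSLv3-only range rejected rather than silently accepted, which is the check Ray is asking the patch to preserve.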

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-01