curl-library
Re: [PATCH 1/3] nss: map CURL_SSLVERSION_DEFAULT to NSS default
Date: Tue, 01 Nov 2016 16:02:53 +0100
On Tuesday, November 01, 2016 01:34:37 Ray Satiro wrote:
> On 10/30/2016 4:39 PM, Kamil Dudka wrote:
> > On Thursday, October 27, 2016 13:40:15 Ray Satiro via curl-library wrote:
> >> >On 10/27/2016 9:25 AM, Kamil Dudka wrote:
> >>> > > switch(data->set.ssl.version) {
> >>> > >
> >>> > >- default:
> >>> > > case CURL_SSLVERSION_DEFAULT:
> >>> > >+ /* nss_init_sslver() should not be called with
> >>> > >CURL_SSLVERSION_DEFAULT */ + break;
> >>> > >+
> >> >
> >> >It is documented we disable SSLv3 by default [1], could this allow for
> >> >an NSS that allows SSLv3 by default?
> >> >
> >> >
> >> >[1]:https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
> >
> > SSLv3 is disabled by default in NSS since March 2015:
> > https://hg.mozilla.org/projects/nss/rev/37369a50eb75
> >
> > SSL_VersionRangeSet() does not allow to just disable SSLv3 while keeping
> > sslver->max untouched. However, I can extend the patch to disable SSLv3
> > using the legacy API if an old version of NSS is detected at build-time.
> > Does that work for you?
>
> I tried to research this but I'm not seeing any official documentation
> on SSL_VersionRangeGetSupported, SSL_VersionRangeGetDefault or
> SSL_VersionRangeSet. I've googled and used mozilla's website search.
SSL_VersionRangeGetDefault() returns the default version range unless it has
already been overwritten by SSL_VersionRangeSetDefault().
> Basically my request is that the patch be true to the documentation and
> SSLv3 disabled by default. That means the minimum version is the NSS
> default minimum (if it's possible to determine that) unless that minimum
> is less than TLS 1.0. I imagine it would be something like this:
>
> case CURL_SSLVERSION_DEFAULT:
> if(!SSL_VersionRangeGetDefault(&range))
> return CURLE_SSL_CONNECT_ERROR
> if(range.min < SSL_LIBRARY_VERSION_TLS_1_0) {
> if(!somefunctosetmin(SSL_LIBRARY_VERSION_TLS_1_0))
> return CURLE_SSL_CONNECT_ERROR
> }
> break
Good point. We can use SSL_VersionRangeGetDefault() to ensure range.min
is not below SSL_LIBRARY_VERSION_TLS_1_0 while not touching range.max.
I will modify the patch accordingly. Thanks for the suggestion!
Kamil
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-01