
Re: [PATCH 1/3] nss: map CURL_SSLVERSION_DEFAULT to NSS default

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Tue, 01 Nov 2016 16:02:53 +0100

On Tuesday, November 01, 2016 01:34:37 Ray Satiro wrote:
> On 10/30/2016 4:39 PM, Kamil Dudka wrote:
> > On Thursday, October 27, 2016 13:40:15 Ray Satiro via curl-library wrote:
> >> > On 10/27/2016 9:25 AM, Kamil Dudka wrote:
> >>> > > switch(data->set.ssl.version) {
> >>> > >
> >>> > >- default:
> >>> > > case CURL_SSLVERSION_DEFAULT:
> >>> > >+ /* nss_init_sslver() should not be called with
> >>> > >CURL_SSLVERSION_DEFAULT */ + break;
> >>> > >+
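Review bot: with `default:` dropped from the `case CURL_SSLVERSION_DEFAULT:` label and that case reduced to a bare `break`, an unrecognised `data->set.ssl.version` value now silently falls out of the switch with the same effect as the default unless a `default:` exists elsewhere in this switch; add an explicit `default:` that returns an error. Separately, a bare `break` leaves the connection on whatever range NSS ships, so on an older NSS that still enables SSLv3 the documented SSLv3-off default is lost; read the default with SSL_VersionRangeGetDefault() and raise `range.min` to SSL_LIBRARY_VERSION_TLS_1_0 when it is lower, leaving `range.max` untouched.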
> >> >
> >> > It is documented we disable SSLv3 by default [1], could this allow for
> >> > an NSS that allows SSLv3 by default?
> >> >
> >> > [1]: https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
> >
> > SSLv3 is disabled by default in NSS since March 2015:
> > https://hg.mozilla.org/projects/nss/rev/37369a50eb75
> >
> > SSL_VersionRangeSet() does not allow to just disable SSLv3 while keeping
> > sslver->max untouched. However, I can extend the patch to disable SSLv3
> > using the legacy API if an old version of NSS is detected at build-time.
> > Does that work for you?
>
> I tried to research this but I'm not seeing any official documentation
> on SSL_VersionRangeGetSupported, SSL_VersionRangeGetDefault or
> SSL_VersionRangeSet. I've googled and used mozilla's website search.

SSL_VersionRangeGetDefault() returns the default version range unless it has
already been overwritten by SSL_VersionRangeSetDefault().

> Basically my request is that the patch be true to the documentation and
> SSLv3 disabled by default. That means the minimum version is the NSS
> default minimum (if it's possible to determine that) unless that minimum
> is less than TLS 1.0. I imagine it would be something like this:
>
> case CURL_SSLVERSION_DEFAULT:
>   /* SSL_VersionRangeGetDefault() returns SECSuccess (0) on success */
>   if(SSL_VersionRangeGetDefault(ssl_variant_stream, &range) != SECSuccess)
>     return CURLE_SSL_CONNECT_ERROR;
>   if(range.min < SSL_LIBRARY_VERSION_TLS_1_0) {
>     if(!somefunctosetmin(SSL_LIBRARY_VERSION_TLS_1_0))
>       return CURLE_SSL_CONNECT_ERROR;
>   }
>   break;

Good point. We can use SSL_VersionRangeGetDefault() to ensure range.min
is not below SSL_LIBRARY_VERSION_TLS_1_0 while not touching range.max.
I will modify the patch accordingly. Thanks for the suggestion!

Kamil
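The DEFAULT handling described above, as an added example that is not curl's nss.c: it starts from the range NSS reports, raises only the floor to TLS 1.0, and keeps whatever max NSS ships. The NSS and curl constants are mirrored locally (assumed to match their headers), and the NSS default range is passed in as a parameter in place of SSL_VersionRangeGetDefault() so the old-NSS case can be exercised as well.

```c
#include <stdint.h>

/* Local mirrors of the NSS types/constants used below (assumption: the same
 * values as NSS ssl.h / sslproto.h), so the example builds without NSS. */
typedef struct { uint16_t min; uint16_t max; } SSLVersionRange;
#define SSL_LIBRARY_VERSION_3_0     0x0300
#define SSL_LIBRARY_VERSION_TLS_1_0 0x0301
#define SSL_LIBRARY_VERSION_TLS_1_1 0x0302
#define SSL_LIBRARY_VERSION_TLS_1_2 0x0303

/* Mirrors libcurl's CURLOPT_SSLVERSION values (assumption: as in curl.h). */
enum { CURL_SSLVERSION_DEFAULT = 0, CURL_SSLVERSION_TLSv1 = 1,
       CURL_SSLVERSION_SSLv2 = 2, CURL_SSLVERSION_SSLv3 = 3,
       CURL_SSLVERSION_TLSv1_0 = 4, CURL_SSLVERSION_TLSv1_1 = 5,
       CURL_SSLVERSION_TLSv1_2 = 6 };

/* Fill *sslver for the requested version.  nss_default stands in for what
 * SSL_VersionRangeGetDefault(ssl_variant_stream, &range) would report, so a
 * modern NSS (min TLS 1.0) and an old one (min SSLv3) can both be fed in.
 * Returns 0 on success, -1 for an unsupported version or an unusable range. */
int nss_init_sslver(SSLVersionRange *sslver, const SSLVersionRange *nss_default,
                    long version)
{
  switch(version) {
  case CURL_SSLVERSION_DEFAULT:
    /* start from the NSS default and only raise the floor: SSLv3 stays off
     * even on an old NSS, and max is left exactly as NSS set it */
    *sslver = *nss_default;
    if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
      sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
    break;
  case CURL_SSLVERSION_SSLv3:           /* explicit opt-in only */
    sslver->min = sslver->max = SSL_LIBRARY_VERSION_3_0;
    break;
  case CURL_SSLVERSION_TLSv1_0:
    sslver->min = sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
    break;
  case CURL_SSLVERSION_TLSv1_1:
    sslver->min = sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
    break;
  case CURL_SSLVERSION_TLSv1_2:
    sslver->min = sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
    break;
  default:                              /* SSLv2, TLSv1 and unknown values */
    return -1;
  }
  /* an NSS whose default max is below TLS 1.0 leaves no usable range */
  return (sslver->min <= sslver->max) ? 0 : -1;
}
```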
Received on 2016-11-01