
curl-library

Re: [Patch 1/3 v2] nss: map CURL_SSLVERSION_DEFAULT to NSS default

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Wed, 02 Nov 2016 09:49:34 +0100

On Tuesday, November 01, 2016 16:11:59 Ray Satiro wrote:
> On 11/1/2016 11:42 AM, Kamil Dudka wrote:
> > ... but make sure we use at least TLSv1.0 according to libcurl API
> > ---
> >
> > lib/vtls/nss.c | 14 +++++++++++++-
> > 1 file changed, 13 insertions(+), 1 deletion(-)
> >
> > diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
> > index dff1575..5abb574 100644
> > --- a/lib/vtls/nss.c
> > +++ b/lib/vtls/nss.c
> > @@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange
> > *sslver,>
> > struct Curl_easy *data)
> >
> > {
> >
> > switch(data->set.ssl.version) {
> >
> > - default:
> > case CURL_SSLVERSION_DEFAULT:
> > + /* map CURL_SSLVERSION_DEFAULT to NSS default */
> > + if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) !=
> > SECSuccess) + return CURLE_SSL_CONNECT_ERROR;
> > + /* ... but make sure we use at least TLSv1.0 according to libcurl API
> > */ + if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
> > + sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
> > + return CURLE_OK;
> > +
> >
> > case CURL_SSLVERSION_TLSv1:
> > sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
> >
> > + /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable
> > */
> >
> > #ifdef SSL_LIBRARY_VERSION_TLS_1_2
> >
> > sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
> >
> > #elif defined SSL_LIBRARY_VERSION_TLS_1_1
> >
> > @@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange
> > *sslver,>
> > return CURLE_OK;
> >
> > #endif
> >
> > break;
> >
> > +
> > + default:
> > + /* unsupported SSL/TLS version */
> > + break;
> >
> > }
> >
> > failf(data, "TLS minor version cannot be set");
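Review bot: moving `default:` away from `case CURL_SSLVERSION_DEFAULT:` (first hunk) and reintroducing it here as `/* unsupported SSL/TLS version */ break;` changes behaviour for unrecognised values of data->set.ssl.version: they previously shared the DEFAULT handling and now fall out of the switch into `failf(data, "TLS minor version cannot be set");`. Failing closed on an unknown option value is the right call, but the commit message should state the change, and the shared error text is misleading on this path since no version was attempted; suggest the new default branch emit its own message, e.g. `failf(data, "unsupported SSL/TLS version requested");`, before breaking.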
>
> This looks better but since that api function is only available since
> 3.14 apparently [1] does libcurl still build with versions older than
> that

It does not since the following commit:

https://github.com/curl/curl/commit/curl-7_33_0-220-g30e7e75

Kamil

> and if so would it be acceptable to fallback on the old way, like this
>
> case CURL_SSLVERSION_DEFAULT:
> #if NSSVERNUM >= 0x030E00 /* >= 3.14.0 */
> /* map CURL_SSLVERSION_DEFAULT to NSS default */
> if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) !=
> SECSuccess)
> return CURLE_SSL_CONNECT_ERROR;
> /* ... but make sure we use at least TLSv1.0 according to libcurl
> API */
> if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
> sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
> return CURLE_OK;
> #endif
> case CURL_SSLVERSION_TLSv1:
>
>
> [1]: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.14_release_notes
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-02