Loading configure.ac +2 −2 Original line number Diff line number Diff line Loading @@ -2071,8 +2071,8 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then CPPFLAGS="$CPPFLAGS $addcflags" fi dnl The function PK11_CreateGenericObject is needed to load libnsspem.so AC_CHECK_LIB(nss3, PK11_CreateGenericObject, dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0 AC_CHECK_LIB(nss3, SSL_VersionRangeSet, [ AC_DEFINE(USE_NSS, 1, [if NSS is enabled]) AC_SUBST(USE_NSS, [1]) Loading docs/INTERNALS +1 −1 Original line number Diff line number Diff line Loading @@ -43,7 +43,7 @@ Portability openldap 2.0 MIT krb5 lib 1.2.4 qsossl V5R3M0 NSS 3.12.x NSS 3.14.x axTLS 1.2.7 Heimdal ? Loading lib/nss.c +19 −21 Original line number Diff line number Diff line Loading @@ -1215,9 +1215,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) { PRErrorCode err = 0; PRFileDesc *model = NULL; PRBool ssl2 = PR_FALSE; PRBool ssl3 = PR_FALSE; PRBool tlsv1 = PR_FALSE; SSLVersionRange sslver; PRBool ssl_no_cache; PRBool ssl_cbc_random_iv; struct SessionHandle *data = conn->data; Loading Loading @@ -1292,20 +1290,25 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) switch (data->set.ssl.version) { default: case CURL_SSLVERSION_DEFAULT: ssl3 = PR_TRUE; if(data->state.ssl_connect_retry) sslver.min = SSL_LIBRARY_VERSION_3_0; if(data->state.ssl_connect_retry) { infof(data, "TLS disabled due to previous handshake failure\n"); sslver.max = SSL_LIBRARY_VERSION_3_0; } else tlsv1 = PR_TRUE; sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; break; case CURL_SSLVERSION_TLSv1: tlsv1 = PR_TRUE; sslver.min = SSL_LIBRARY_VERSION_TLS_1_0; sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; break; case CURL_SSLVERSION_SSLv2: ssl2 = PR_TRUE; sslver.min = SSL_LIBRARY_VERSION_2; sslver.max = SSL_LIBRARY_VERSION_2; break; case CURL_SSLVERSION_SSLv3: ssl3 = PR_TRUE; sslver.min = SSL_LIBRARY_VERSION_3_0; sslver.max = SSL_LIBRARY_VERSION_3_0; break; case CURL_SSLVERSION_TLSv1_0: case CURL_SSLVERSION_TLSv1_1: Loading @@ -1315,14 +1318,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) goto error; } if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) if(SSL_VersionRangeSet(model, &sslver) != SECSuccess) goto error; ssl_cbc_random_iv = !data->set.ssl_enable_beast; Loading Loading @@ -1512,7 +1508,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) Curl_llist_destroy(connssl->obj_list, NULL); connssl->obj_list = NULL; if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) { if((sslver.min == SSL_LIBRARY_VERSION_3_0) && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0) && isTLSIntoleranceError(err)) { /* schedule reconnect through Curl_retry_request() */ data->state.ssl_connect_retry = TRUE; infof(data, "Error in TLS handshake, trying SSLv3...\n"); Loading Loading
configure.ac +2 −2 Original line number Diff line number Diff line Loading @@ -2071,8 +2071,8 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then CPPFLAGS="$CPPFLAGS $addcflags" fi dnl The function PK11_CreateGenericObject is needed to load libnsspem.so AC_CHECK_LIB(nss3, PK11_CreateGenericObject, dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0 AC_CHECK_LIB(nss3, SSL_VersionRangeSet, [ AC_DEFINE(USE_NSS, 1, [if NSS is enabled]) AC_SUBST(USE_NSS, [1]) Loading
docs/INTERNALS +1 −1 Original line number Diff line number Diff line Loading @@ -43,7 +43,7 @@ Portability openldap 2.0 MIT krb5 lib 1.2.4 qsossl V5R3M0 NSS 3.12.x NSS 3.14.x axTLS 1.2.7 Heimdal ? Loading
lib/nss.c +19 −21 Original line number Diff line number Diff line Loading @@ -1215,9 +1215,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) { PRErrorCode err = 0; PRFileDesc *model = NULL; PRBool ssl2 = PR_FALSE; PRBool ssl3 = PR_FALSE; PRBool tlsv1 = PR_FALSE; SSLVersionRange sslver; PRBool ssl_no_cache; PRBool ssl_cbc_random_iv; struct SessionHandle *data = conn->data; Loading Loading @@ -1292,20 +1290,25 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) switch (data->set.ssl.version) { default: case CURL_SSLVERSION_DEFAULT: ssl3 = PR_TRUE; if(data->state.ssl_connect_retry) sslver.min = SSL_LIBRARY_VERSION_3_0; if(data->state.ssl_connect_retry) { infof(data, "TLS disabled due to previous handshake failure\n"); sslver.max = SSL_LIBRARY_VERSION_3_0; } else tlsv1 = PR_TRUE; sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; break; case CURL_SSLVERSION_TLSv1: tlsv1 = PR_TRUE; sslver.min = SSL_LIBRARY_VERSION_TLS_1_0; sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; break; case CURL_SSLVERSION_SSLv2: ssl2 = PR_TRUE; sslver.min = SSL_LIBRARY_VERSION_2; sslver.max = SSL_LIBRARY_VERSION_2; break; case CURL_SSLVERSION_SSLv3: ssl3 = PR_TRUE; sslver.min = SSL_LIBRARY_VERSION_3_0; sslver.max = SSL_LIBRARY_VERSION_3_0; break; case CURL_SSLVERSION_TLSv1_0: case CURL_SSLVERSION_TLSv1_1: Loading @@ -1315,14 +1318,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) goto error; } if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) if(SSL_VersionRangeSet(model, &sslver) != SECSuccess) goto error; ssl_cbc_random_iv = !data->set.ssl_enable_beast; Loading Loading @@ -1512,7 +1508,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) Curl_llist_destroy(connssl->obj_list, NULL); connssl->obj_list = NULL; if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) { if((sslver.min == SSL_LIBRARY_VERSION_3_0) && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0) && isTLSIntoleranceError(err)) { /* schedule reconnect through Curl_retry_request() */ data->state.ssl_connect_retry = TRUE; infof(data, "Error in TLS handshake, trying SSLv3...\n"); Loading
