RELEASE-NOTES +1 −0 @@ -29,6 +29,7 @@ This release includes the following bugfixes: o curl man page cleanup o Avoid leak of local device string when reusing connection o Curl_socket_check: fix return code for timeout [11] o nss: do not print misleading NSS error codes This release includes the following known bugs: lib/nss.c +30 −12 @@ -1084,17 +1084,31 @@ int Curl_nss_close_all(struct SessionHandle *data) return 0; } /* return true if the given error code is related to a client certificate */ static bool is_cc_error(PRInt32 err) /* return true if NSS can provide error code (and possibly msg) for the error */ static bool is_nss_error(CURLcode err) { switch(err) { case SSL_ERROR_BAD_CERT_ALERT: case CURLE_PEER_FAILED_VERIFICATION: case CURLE_SSL_CACERT: case CURLE_SSL_CACERT_BADFILE: case CURLE_SSL_CERTPROBLEM: case CURLE_SSL_CONNECT_ERROR: case CURLE_SSL_CRL_BADFILE: case CURLE_SSL_ISSUER_ERROR: return true; case SSL_ERROR_REVOKED_CERT_ALERT: return true; default: return false; } } /* return true if the given error code is related to a client certificate */ static bool is_cc_error(PRInt32 err) { switch(err) { case SSL_ERROR_BAD_CERT_ALERT: case SSL_ERROR_EXPIRED_CERT_ALERT: case SSL_ERROR_REVOKED_CERT_ALERT: return true; default: @@ -1388,6 +1402,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) time_left = Curl_timeleft(data, NULL, TRUE); if(time_left < 0L) { failf(data, "timed out before SSL handshake"); curlerr = CURLE_OPERATION_TIMEDOUT; goto error; } timeout = PR_MillisecondsToInterval((PRUint32) time_left);
@@ -1432,6 +1447,8 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) /* reset the flag to avoid an infinite loop */ data->state.ssl_connect_retry = FALSE; if(is_nss_error(curlerr)) { /* read NSPR error code */ err = PR_GetError(); if(is_cc_error(err)) curlerr = CURLE_SSL_CERTPROBLEM; @@ -1441,6 +1458,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) /* print a human-readable message describing the error if available */ nss_print_error_message(data, err); } if(model) PR_Close(model);
RELEASE-NOTES +1 −0 @@ -29,6 +29,7 @@ This release includes the following bugfixes: o curl man page cleanup o Avoid leak of local device string when reusing connection o Curl_socket_check: fix return code for timeout [11] o nss: do not print misleading NSS error codes This release includes the following known bugs:
lib/nss.c +30 −12 @@ -1084,17 +1084,31 @@ int Curl_nss_close_all(struct SessionHandle *data) return 0; } /* return true if the given error code is related to a client certificate */ static bool is_cc_error(PRInt32 err) /* return true if NSS can provide error code (and possibly msg) for the error */ static bool is_nss_error(CURLcode err) { switch(err) { case SSL_ERROR_BAD_CERT_ALERT: case CURLE_PEER_FAILED_VERIFICATION: case CURLE_SSL_CACERT: case CURLE_SSL_CACERT_BADFILE: case CURLE_SSL_CERTPROBLEM: case CURLE_SSL_CONNECT_ERROR: case CURLE_SSL_CRL_BADFILE: case CURLE_SSL_ISSUER_ERROR: return true; case SSL_ERROR_REVOKED_CERT_ALERT: return true; default: return false; } } /* return true if the given error code is related to a client certificate */ static bool is_cc_error(PRInt32 err) { switch(err) { case SSL_ERROR_BAD_CERT_ALERT: case SSL_ERROR_EXPIRED_CERT_ALERT: case SSL_ERROR_REVOKED_CERT_ALERT: return true; default: @@ -1388,6 +1402,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) time_left = Curl_timeleft(data, NULL, TRUE); if(time_left < 0L) { failf(data, "timed out before SSL handshake"); curlerr = CURLE_OPERATION_TIMEDOUT; goto error; } timeout = PR_MillisecondsToInterval((PRUint32) time_left); @@ -1432,6 +1447,8 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) /* reset the flag to avoid an infinite loop */ data->state.ssl_connect_retry = FALSE; if(is_nss_error(curlerr)) { /* read NSPR error code */ err = PR_GetError(); if(is_cc_error(err)) curlerr = CURLE_SSL_CERTPROBLEM; @@ -1441,6 +1458,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) /* print a human-readable message describing the error if available */ nss_print_error_message(data, err); } if(model) PR_Close(model);
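Review bot: The allowlist in `is_nss_error()` now decides, on the cleanup path reached by `goto error` in `Curl_nss_connect()`, whether `PR_GetError()` is consulted at all, but nothing at the switch says it must track the `curlerr` values the function assigns after a failed NSS/NSPR call. Most of those assignments are outside the visible hunks, so this is inferred: a failure arriving with a code missing from the list would skip both `nss_print_error_message()` and the `is_cc_error()` remap to `CURLE_SSL_CERTPROBLEM`, so a rejected client certificate could be reported under a generic code with no NSS diagnostic. I would extend the comment above the function to something like `/* keep this list in sync with every curlerr value Curl_nss_connect() sets when an NSS/NSPR call fails */`. The body of `Curl_nss_connect()` starts and ends outside these hunks, so the full set of codes should be checked against the whole function.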