generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

nss: drop the code for libcurl-level downgrade to SSLv3

Browse Source 
This code was already deactivated by commit
ec783dc142.
This commit is contained in:
Kamil Dudka
2014-10-29 14:14:23 +01:00
parent 07048941a4
commit 3f430c9c3a
1 changed files with 0 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
lib/vtls/nss.c
View File

@@ -935,36 +935,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
return SECSuccess; return SECSuccess;
} }
/* This function is supposed to decide, which error codes should be used
* to conclude server is TLS intolerant.
*
* taken from xulrunner - nsNSSIOLayer.cpp
*/
static PRBool
isTLSIntoleranceError(PRInt32 err)
{
switch (err) {
case SSL_ERROR_BAD_MAC_ALERT:
case SSL_ERROR_BAD_MAC_READ:
case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:
case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE:
case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:
case SSL_ERROR_NO_CYPHER_OVERLAP:
case SSL_ERROR_BAD_SERVER:
case SSL_ERROR_BAD_BLOCK_PADDING:
case SSL_ERROR_UNSUPPORTED_VERSION:
case SSL_ERROR_PROTOCOL_VERSION_ALERT:
case SSL_ERROR_RX_MALFORMED_FINISHED:
case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE:
case SSL_ERROR_DECODE_ERROR_ALERT:
case SSL_ERROR_RX_UNKNOWN_ALERT:
return PR_TRUE;
default:
return PR_FALSE;
}
}
/* update blocking direction in case of PR_WOULD_BLOCK_ERROR */ /* update blocking direction in case of PR_WOULD_BLOCK_ERROR */
static void nss_update_connecting_state(ssl_connect_state state, void *secret) static void nss_update_connecting_state(ssl_connect_state state, void *secret)
{ {
@@ -1396,12 +1366,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
struct SessionHandle *data, struct SessionHandle *data,
CURLcode curlerr) CURLcode curlerr)
{ {
SSLVersionRange sslver;
PRErrorCode err = 0; PRErrorCode err = 0;
/* reset the flag to avoid an infinite loop */
data->state.ssl_connect_retry = FALSE;
if(is_nss_error(curlerr)) { if(is_nss_error(curlerr)) {
/* read NSPR error code */ /* read NSPR error code */
err = PR_GetError(); err = PR_GetError();
@@ -1418,18 +1384,6 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
/* cleanup on connection failure */ /* cleanup on connection failure */
Curl_llist_destroy(connssl->obj_list, NULL); Curl_llist_destroy(connssl->obj_list, NULL);
connssl->obj_list = NULL; connssl->obj_list = NULL;
if(connssl->handle
&& (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
&& (sslver.min == SSL_LIBRARY_VERSION_3_0)
&& (sslver.max != SSL_LIBRARY_VERSION_3_0)
&& isTLSIntoleranceError(err)) {
/* schedule reconnect through Curl_retry_request() */
data->state.ssl_connect_retry = TRUE;
infof(data, "Error in TLS handshake, trying SSLv3...\n");
return CURLE_OK;
}
return curlerr; return curlerr;
} }
@@ -1550,9 +1504,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n"); infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
#endif #endif
/* reset the flag to avoid an infinite loop */
data->state.ssl_connect_retry = FALSE;
if(data->set.ssl.cipher_list) { if(data->set.ssl.cipher_list) {
if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) { if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
curlerr = CURLE_SSL_CIPHER; curlerr = CURLE_SSL_CIPHER;