nss: make the fallback to SSLv3 work again
This feature was unintentionally disabled by commit ff92fcfb.
@@ -35,6 +35,7 @@ This release includes the following bugfixes:
o getinfo: HTTP CONNECT code not reset between transfers [8]
o getinfo: HTTP CONNECT code not reset between transfers [8]
o Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
o Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
o nss: do not abort on connection failure (failing tests 305 and 404)
o nss: do not abort on connection failure (failing tests 305 and 404)
o nss: make the fallback to SSLv3 work again
o
o
This release includes the following known bugs:
This release includes the following known bugs:
@@ -1315,6 +1315,7 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
switch (data->set.ssl.version) {
switch (data->set.ssl.version) {
default:
default:
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_DEFAULT:
sslver->min = SSL_LIBRARY_VERSION_3_0;
if(data->state.ssl_connect_retry) {
if(data->state.ssl_connect_retry) {
infof(data, "TLS disabled due to previous handshake failure\n");
infof(data, "TLS disabled due to previous handshake failure\n");
sslver->max = SSL_LIBRARY_VERSION_3_0;
sslver->max = SSL_LIBRARY_VERSION_3_0;
@@ -1323,7 +1324,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
/* intentional fall-through to default to highest TLS version if possible */
/* intentional fall-through to default to highest TLS version if possible */
case CURL_SSLVERSION_TLSv1:
case CURL_SSLVERSION_TLSv1:
sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
#ifdef SSL_LIBRARY_VERSION_TLS_1_2
#ifdef SSL_LIBRARY_VERSION_TLS_1_2
sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
#elif defined SSL_LIBRARY_VERSION_TLS_1_1
#elif defined SSL_LIBRARY_VERSION_TLS_1_1
@@ -1399,7 +1399,7 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
if(connssl->handle
if(connssl->handle
&& (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
&& (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
&& (sslver.min == SSL_LIBRARY_VERSION_3_0)
&& (sslver.min == SSL_LIBRARY_VERSION_3_0)
&& (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
&& (sslver.max != SSL_LIBRARY_VERSION_3_0)
&& isTLSIntoleranceError(err)) {
&& isTLSIntoleranceError(err)) {
/* schedule reconnect through Curl_retry_request() */
/* schedule reconnect through Curl_retry_request() */
data->state.ssl_connect_retry = TRUE;
data->state.ssl_connect_retry = TRUE;
@@ -1437,7 +1437,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
CURLcode curlerr;
CURLcode curlerr;
SSLVersionRange sslver = {
SSLVersionRange sslver = {
SSL_LIBRARY_VERSION_3_0, /* min */
SSL_LIBRARY_VERSION_TLS_1_0, /* min */
SSL_LIBRARY_VERSION_TLS_1_0 /* max */
SSL_LIBRARY_VERSION_TLS_1_0 /* max */
};
};
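Review bot: The `case CURL_SSLVERSION_TLSv1:` arm of nss_init_sslver no longer assigns `sslver->min`, so its lower bound now comes either from the fall-through out of `CURL_SSLVERSION_DEFAULT` (which sets `SSL_LIBRARY_VERSION_3_0` just above) or from the caller's initialiser in nss_setup_connect, which this commit changes to `SSL_LIBRARY_VERSION_TLS_1_0`; nothing at the arm itself says so. A comment such as `/* min is already set: SSLv3 when falling through from CURL_SSLVERSION_DEFAULT, otherwise TLS 1.0 from the initialiser in nss_setup_connect */` would stop a later edit from re-adding an explicit `sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;`, which is exactly what broke the fallback before. In nss_fail_connect the widened test `sslver.max != SSL_LIBRARY_VERSION_3_0` means the retry now downgrades to SSLv3 from any TLS maximum rather than only from TLS 1.0; the retried attempt appears to pin both bounds to SSLv3, so it should not loop, but the comment above `data->state.ssl_connect_retry = TRUE;` should state that this protocol downgrade is only reachable for connections left at the default version range (min == SSLv3) and never when the application pinned a TLS version. The bodies of nss_init_sslver, nss_fail_connect and nss_setup_connect all continue outside the shown hunks.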