nss: add support for the CURLSSLOPT_ALLOW_BEAST option
... and fix some typos introduced by commit 62d15f1.
13
lib/nss.c
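--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1158,6 +1158,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   PRBool ssl3 = PR_FALSE;
   PRBool tlsv1 = PR_FALSE;
   PRBool ssl_no_cache;
+  PRBool ssl_cbc_random_iv;
   struct SessionHandle *data = conn->data;
   curl_socket_t sockfd = conn->sock[sockindex];
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
@@ -1266,6 +1267,18 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
     goto error;
 
+  ssl_cbc_random_iv = !data->set.ssl_enable_beast;
+#ifdef SSL_CBC_RANDOM_IV
+  /* unless the user explicitly asks to allow the protocol vulnerability, we
+     use the work-around */
+  if(SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ssl_cbc_random_iv) != SECSuccess)
+    infof(data, "warning: failed to set SSL_CBC_RANDOM_IV = %d\n",
+          ssl_cbc_random_iv);
+#else
+  if(ssl_cbc_random_iv)
+    infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
+#endif
+
   /* reset the flag to avoid an infinite loop */
   data->state.ssl_connect_retry = FALSE;
 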
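Review bot: The SSL_CBC_RANDOM_IV failure branch in the second hunk only emits an infof() message and carries on, so when the application has not set CURLSSLOPT_ALLOW_BEAST (ssl_cbc_random_iv is TRUE) and NSS rejects the option, the handshake proceeds without the CBC-IV mitigation and nothing is reported unless verbose output is on; the SSL_V2_COMPATIBLE_HELLO call two lines above jumps to error on the same kind of failure. If the warning-only behaviour is deliberate (an NSS that exports the define but refuses the option at run time), the comment should say so, e.g. `/* best-effort: an NSS too old to honour SSL_CBC_RANDOM_IV only warns */`; otherwise fail closed when the mitigation was requested and keep the warning for the explicitly-allowed case, as sketched below. Curl_nss_connect and its error label start and end outside this hunk, so the goto target is assumed to be the one used by the neighbouring SSL_OptionSet calls.
```c
  if(SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ssl_cbc_random_iv) != SECSuccess) {
    /* mitigation was requested but NSS could not enable it: do not continue
       with a silently BEAST-exposed connection */
    if(ssl_cbc_random_iv)
      goto error;
    infof(data, "warning: failed to set SSL_CBC_RANDOM_IV = %d\n",
          ssl_cbc_random_iv);
  }
  /* … unchanged: #else branch, ssl_connect_retry reset … */
```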
@@ -202,7 +202,7 @@ static const struct LongShort aliases[]= {
|
|||||||
{"Ek", "tlsuser", TRUE},
|
{"Ek", "tlsuser", TRUE},
|
||||||
{"El", "tlspassword", TRUE},
|
{"El", "tlspassword", TRUE},
|
||||||
{"Em", "tlsauthtype", TRUE},
|
{"Em", "tlsauthtype", TRUE},
|
||||||
{"En", "ssl-no-empty-fragments", FALSE},
|
{"En", "ssl-allow-beast", FALSE},
|
||||||
{"f", "fail", FALSE},
|
{"f", "fail", FALSE},
|
||||||
{"F", "form", TRUE},
|
{"F", "form", TRUE},
|
||||||
{"Fs", "form-string", TRUE},
|
{"Fs", "form-string", TRUE},
|
||||||
|
@@ -187,7 +187,7 @@ static const char *const helptext[] = {
|
|||||||
" --ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)",
|
" --ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)",
|
||||||
" -2, --sslv2 Use SSLv2 (SSL)",
|
" -2, --sslv2 Use SSLv2 (SSL)",
|
||||||
" -3, --sslv3 Use SSLv3 (SSL)",
|
" -3, --sslv3 Use SSLv3 (SSL)",
|
||||||
" --ssl-allow-below Allow security flaw to improve interop (SSL)",
|
" --ssl-allow-beast Allow security flaw to improve interop (SSL)",
|
||||||
" --stderr FILE Where to redirect stderr. - means stdout",
|
" --stderr FILE Where to redirect stderr. - means stdout",
|
||||||
" --tcp-nodelay Use the TCP_NODELAY option",
|
" --tcp-nodelay Use the TCP_NODELAY option",
|
||||||
" -t, --telnet-option OPT=VAL Set telnet option",
|
" -t, --telnet-option OPT=VAL Set telnet option",
|
||||||
|