aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKamil Dudka <kdudka@redhat.com>2014-07-02 17:49:37 +0200
committerKamil Dudka <kdudka@redhat.com>2014-07-02 18:11:05 +0200
commit7581dee10aedeb96231dd24e187ff5426fc72469 (patch)
tree7df9893a182a3ea8063dbfe5203ebeaabc0bf250
parent7c21558503cbb10595c345acc7820cb9dc8741d6 (diff)
nss: make the fallback to SSLv3 work again
This feature was unintentionally disabled by commit ff92fcfb.
-rw-r--r--RELEASE-NOTES1
-rw-r--r--lib/vtls/nss.c6
2 files changed, 4 insertions, 3 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index cb481a215..66b43066f 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -35,6 +35,7 @@ This release includes the following bugfixes:
o getinfo: HTTP CONNECT code not reset between transfers [8]
o Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
o nss: do not abort on connection failure (failing tests 305 and 404)
+ o nss: make the fallback to SSLv3 work again
o
This release includes the following known bugs:
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 1e41795f2..3613b4042 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1315,6 +1315,7 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
switch (data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
+ sslver->min = SSL_LIBRARY_VERSION_3_0;
if(data->state.ssl_connect_retry) {
infof(data, "TLS disabled due to previous handshake failure\n");
sslver->max = SSL_LIBRARY_VERSION_3_0;
@@ -1323,7 +1324,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
/* intentional fall-through to default to highest TLS version if possible */
case CURL_SSLVERSION_TLSv1:
- sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
#ifdef SSL_LIBRARY_VERSION_TLS_1_2
sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
#elif defined SSL_LIBRARY_VERSION_TLS_1_1
@@ -1399,7 +1399,7 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
if(connssl->handle
&& (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
&& (sslver.min == SSL_LIBRARY_VERSION_3_0)
- && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
+ && (sslver.max != SSL_LIBRARY_VERSION_3_0)
&& isTLSIntoleranceError(err)) {
/* schedule reconnect through Curl_retry_request() */
data->state.ssl_connect_retry = TRUE;
@@ -1437,7 +1437,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
CURLcode curlerr;
SSLVersionRange sslver = {
- SSL_LIBRARY_VERSION_3_0, /* min */
+ SSL_LIBRARY_VERSION_TLS_1_0, /* min */
SSL_LIBRARY_VERSION_TLS_1_0 /* max */
};