author | Kamil Dudka <kdudka@redhat.com> | 2014-07-02 17:49:37 +0200 |
---|---|---|
committer | Kamil Dudka <kdudka@redhat.com> | 2014-07-02 18:11:05 +0200 |
commit | 7581dee10aedeb96231dd24e187ff5426fc72469 (patch) | |
tree | 7df9893a182a3ea8063dbfe5203ebeaabc0bf250 | |
parent | 7c21558503cbb10595c345acc7820cb9dc8741d6 (diff) |
nss: make the fallback to SSLv3 work again
This feature was unintentionally disabled by commit ff92fcfb.
-rw-r--r-- | RELEASE-NOTES | 1 | ||||
-rw-r--r-- | lib/vtls/nss.c | 6 |
2 files changed, 4 insertions, 3 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index cb481a215..66b43066f 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -35,6 +35,7 @@ This release includes the following bugfixes:
  o getinfo: HTTP CONNECT code not reset between transfers [8]
  o Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
  o nss: do not abort on connection failure (failing tests 305 and 404)
+ o nss: make the fallback to SSLv3 work again
  o
 This release includes the following known bugs:
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 1e41795f2..3613b4042 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1315,6 +1315,7 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
 switch (data->set.ssl.version) {
 default:
 case CURL_SSLVERSION_DEFAULT:
+ sslver->min = SSL_LIBRARY_VERSION_3_0;
 if(data->state.ssl_connect_retry) {
 infof(data, "TLS disabled due to previous handshake failure\n");
 sslver->max = SSL_LIBRARY_VERSION_3_0;
@@ -1323,7 +1324,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
 /* intentional fall-through to default to highest TLS version if possible */
 case CURL_SSLVERSION_TLSv1:
- sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
 #ifdef SSL_LIBRARY_VERSION_TLS_1_2
 sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
 #elif defined SSL_LIBRARY_VERSION_TLS_1_1
@@ -1399,7 +1399,7 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
 if(connssl->handle
 && (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
 && (sslver.min == SSL_LIBRARY_VERSION_3_0)
- && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
+ && (sslver.max != SSL_LIBRARY_VERSION_3_0)
 && isTLSIntoleranceError(err)) {
 /* schedule reconnect through Curl_retry_request() */
 data->state.ssl_connect_retry = TRUE;
@@ -1437,7 +1437,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
 CURLcode curlerr;
 SSLVersionRange sslver = {
- SSL_LIBRARY_VERSION_3_0, /* min */
+ SSL_LIBRARY_VERSION_TLS_1_0, /* min */
 SSL_LIBRARY_VERSION_TLS_1_0 /* max */
 }; |
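Review bot: The added `sslver->min = SSL_LIBRARY_VERSION_3_0;` in the CURL_SSLVERSION_DEFAULT branch, combined with the retry path two lines below that caps `max` at SSL 3.0, turns any first-handshake failure that `isTLSIntoleranceError()` accepts into an SSLv3-only reconnect, and nothing in this hunk authenticates that the failure came from the server rather than from someone on the path; if that helper's error set (it is outside the hunk, so it cannot be checked here) includes connection resets or generic alerts, an active attacker can presumably force the downgrade. The fallback does stay confined to the DEFAULT/default cases of the switch, which is the right scope, but the risk should be stated where the decision is made, e.g. above the `if(data->state.ssl_connect_retry)` line: `/* downgrade-on-retry: a failed first handshake, whatever its cause, puts this connection on SSL 3.0 only; an explicit CURL_SSLVERSION_* setting never takes this path */`. nss_init_sslver's switch starts inside the hunk but the function and its remaining cases continue past it.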
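Review bot: With `sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;` removed from the CURL_SSLVERSION_TLSv1 case, this case no longer decides the floor of the range at all: when reached by fall-through from DEFAULT the floor is SSL 3.0, and when selected explicitly it is whatever the caller initialised (TLS 1.0 in the nss_setup_connect hunk), but nothing in the function records that contract, so a future caller with a different initialiser would silently change the explicit-TLSv1 behaviour. A comment after `case CURL_SSLVERSION_TLSv1:` would pin it: `/* min is deliberately not set here: the DEFAULT fall-through supplies SSL 3.0, an explicit TLSv1 keeps the caller's TLS 1.0 */`. The `#ifdef` ladder that sets `max` continues beyond the hunk.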
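Review bot: The new `&& (sslver.max != SSL_LIBRARY_VERSION_3_0)` together with the unchanged `sslver.min == SSL_LIBRARY_VERSION_3_0` line uses the negotiated range as the only proxy for "the user left the version at CURL_SSLVERSION_DEFAULT and we have not downgraded yet", which is correct for the paths visible in this commit but is an implicit coupling to nss_init_sslver and to the initialiser in nss_setup_connect. Since `data` is already in scope here (`data->state.ssl_connect_retry = TRUE;`), the intent can be made explicit and robust to other callers by adding `&& (data->set.ssl.version == CURL_SSLVERSION_DEFAULT)` to the condition, or at minimum a comment on the `min` line: `/* min == SSL 3.0 is only ever set for CURL_SSLVERSION_DEFAULT; max != 3.0 means this is the first failure, not the fallback itself */`. The `if` is at the top of a larger body in nss_fail_connect that continues outside the hunk.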