authorKamil Dudka <kdudka@redhat.com>2012-02-08 13:36:36 +0100
committerKamil Dudka <kdudka@redhat.com>2012-02-09 23:25:55 +0100
commitebf31389927dd1f514c0a7092a6ba52ad003ad95 (patch)
tree0f5ef7cc517a70c2714f13c804fe49dc74efaafe /lib/nss.c
parent8ef8a2b5ac66cf93e478b18abf69700237e70e52 (diff)
nss: add support for the CURLSSLOPT_ALLOW_BEAST option
... and fix some typos from the 62d15f1 commit.
Diffstat (limited to 'lib/nss.c')
-rw-r--r--lib/nss.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/lib/nss.c b/lib/nss.c
index f63d9718b..8f6da50ea 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1158,6 +1158,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
PRBool ssl3 = PR_FALSE;
PRBool tlsv1 = PR_FALSE;
PRBool ssl_no_cache;
+ PRBool ssl_cbc_random_iv;
struct SessionHandle *data = conn->data;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
@@ -1266,6 +1267,18 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
goto error;
+ ssl_cbc_random_iv = !data->set.ssl_enable_beast;
+#ifdef SSL_CBC_RANDOM_IV
+ /* unless the user explicitly asks to allow the protocol vulnerability, we
+ use the work-around */
+ if(SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ssl_cbc_random_iv) != SECSuccess)
+ infof(data, "warning: failed to set SSL_CBC_RANDOM_IV = %d\n",
+ ssl_cbc_random_iv);
+#else
+ if(ssl_cbc_random_iv)
+ infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
+#endif
+
/* reset the flag to avoid an infinite loop */
data->state.ssl_connect_retry = FALSE;
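Review bot: The failure path of the new `SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ...)` call fails open: when the work-around cannot be enabled the handshake continues without the BEAST mitigation and only an infof line records it, whereas the neighbouring `SSL_V2_COMPATIBLE_HELLO` call two lines above does `goto error` on the same return value. The `#else` branch has the same shape — a build against NSS headers that lack `SSL_CBC_RANDOM_IV` proceeds unmitigated even though the user never set CURLSSLOPT_ALLOW_BEAST, and nothing tells a caller that the default-secure setting was not honoured. If a hard failure is considered too disruptive for older NSS runtimes, the message should at least say what actually happens, e.g. `infof(data, "warning: failed to set SSL_CBC_RANDOM_IV = %d, continuing without the BEAST work-around\n", ssl_cbc_random_iv);`; otherwise `if(ssl_cbc_random_iv) goto error;` on the failure path would make the opt-in semantics of CURLSSLOPT_ALLOW_BEAST real. Curl_nss_connect begins and ends outside this hunk, so whether `error:` releases `model` cannot be confirmed from here.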