| author | Kamil Dudka <kdudka@redhat.com> | 2013-11-25 16:03:52 +0100 | 
|---|---|---|
| committer | Kamil Dudka <kdudka@redhat.com> | 2013-12-02 15:00:13 +0100 | 
| commit | 30e7e7552ba4397896ecac82ea04f38d52c4cc8f (patch) | |
| tree | c03028c15ef7524af0080315f512600b51be87e7 /lib | |
| parent | f58f843f66fa6ce7902867f5f24593aef5e56dd3 (diff) | |
nss: use a better API for controlling SSL version
This change introduces a dependency on NSS 3.14+.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/nss.c | 40 | 
1 files changed, 19 insertions, 21 deletions
| @@ -1215,9 +1215,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 {
   PRErrorCode err = 0;
   PRFileDesc *model = NULL;
-  PRBool ssl2 = PR_FALSE;
-  PRBool ssl3 = PR_FALSE;
-  PRBool tlsv1 = PR_FALSE;
+  SSLVersionRange sslver;
   PRBool ssl_no_cache;
   PRBool ssl_cbc_random_iv;
   struct SessionHandle *data = conn->data;
@@ -1292,20 +1290,25 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   switch (data->set.ssl.version) {
   default:
   case CURL_SSLVERSION_DEFAULT:
-    ssl3 = PR_TRUE;
-    if(data->state.ssl_connect_retry)
+    sslver.min = SSL_LIBRARY_VERSION_3_0;
+    if(data->state.ssl_connect_retry) {
       infof(data, "TLS disabled due to previous handshake failure\n");
+      sslver.max = SSL_LIBRARY_VERSION_3_0;
+    }
     else
-      tlsv1 = PR_TRUE;
+      sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
     break;
   case CURL_SSLVERSION_TLSv1:
-    tlsv1 = PR_TRUE;
+    sslver.min = SSL_LIBRARY_VERSION_TLS_1_0;
+    sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
     break;
   case CURL_SSLVERSION_SSLv2:
-    ssl2 = PR_TRUE;
+    sslver.min = SSL_LIBRARY_VERSION_2;
+    sslver.max = SSL_LIBRARY_VERSION_2;
     break;
   case CURL_SSLVERSION_SSLv3:
-    ssl3 = PR_TRUE;
+    sslver.min = SSL_LIBRARY_VERSION_3_0;
+    sslver.max = SSL_LIBRARY_VERSION_3_0;
     break;
   case CURL_SSLVERSION_TLSv1_0:
   case CURL_SSLVERSION_TLSv1_1:
@@ -1315,14 +1318,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
     goto error;
   }
-  if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
-    goto error;
-  if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess)
-    goto error;
-  if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
-    goto error;
-
-  if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
+  if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
     goto error;
   ssl_cbc_random_iv = !data->set.ssl_enable_beast;
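Review bot: `SSLVersionRange sslver;` is declared without an initializer, yet the `error:` path at the end of the function (last hunk of this commit) now compares `sslver.min` and `sslver.max` to decide whether to schedule the SSLv3 fallback. Any `goto error` taken before the version switch assigns the range — the `CURL_SSLVERSION_TLSv1_0`/`TLSv1_1` labels appear to end in the `goto error` that opens the third hunk, and earlier failures between the declaration and the switch are not visible here — reaches that comparison with indeterminate values, which is undefined behaviour and in the worst case schedules a downgrade retry for an unrelated failure. The removed `PRBool` flags were initialized to `PR_FALSE`, so the old `ssl3 && tlsv1` test was safe on every path. Initialize the range at declaration, `SSLVersionRange sslver = { 0, 0 };`, so the fallback test can only be true when the DEFAULT case actually set it. Curl_nss_connect's body continues well past the end of this hunk.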
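Review bot: The `CURL_SSLVERSION_DEFAULT` case caps the range at `sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;`, so even with the NSS 3.14+ floor this commit introduces, a default connection never offers anything newer than TLS 1.0, and the `CURL_SSLVERSION_TLSv1_0`/`TLSv1_1` labels at the end of the hunk seem to fall into the `goto error` that starts the next one. That preserves what the removed `SSL_ENABLE_TLS` option did, but it keeps default clients on the version whose CBC suites need the `ssl_cbc_random_iv` BEAST mitigation set in the third hunk. Now that a range API is in use, consider raising the default maximum to the highest version the targeted NSS provides (e.g. `SSL_LIBRARY_VERSION_TLS_1_1`, which the 3.14 floor should supply) and, if that is deferred, adding a comment on the DEFAULT case stating that TLS 1.1+ is intentionally not negotiated yet. The remaining cases of this switch are outside the hunk.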
@@ -1508,11 +1504,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   if(model)
     PR_Close(model);
-    /* cleanup on connection failure */
-    Curl_llist_destroy(connssl->obj_list, NULL);
-    connssl->obj_list = NULL;
+  /* cleanup on connection failure */
+  Curl_llist_destroy(connssl->obj_list, NULL);
+  connssl->obj_list = NULL;
-  if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) {
+  if((sslver.min == SSL_LIBRARY_VERSION_3_0)
+      && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
+      && isTLSIntoleranceError(err)) {
     /* schedule reconnect through Curl_retry_request() */
     data->state.ssl_connect_retry = TRUE;
     infof(data, "Error in TLS handshake, trying SSLv3...\n");
|
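Review bot: The fallback condition `(sslver.min == SSL_LIBRARY_VERSION_3_0) && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)` reconstructs "the DEFAULT case chose its normal range" from two magic comparisons; if the default maximum is ever raised (NSS 3.14+ negotiates newer versions), this test silently stops matching and the TLS-intolerance retry disappears with no diagnostic. Record the decision where it is made instead: set a local such as `PRBool tls_fallback = PR_FALSE;` at the top, assign `tls_fallback = PR_TRUE;` in the DEFAULT case's non-retry branch, and test `if(tls_fallback && isTLSIntoleranceError(err)) {` here. Whatever form the condition takes, note in the comment above it that this path deliberately downgrades to SSL 3.0 after a handshake failure that an on-path party can presumably provoke, so it should stay as narrow as possible. The `error:` block continues past the last line shown.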
