author | Kamil Dudka <kdudka@redhat.com> | 2012-02-08 13:36:36 +0100 |
---|---|---|
committer | Kamil Dudka <kdudka@redhat.com> | 2012-02-09 23:25:55 +0100 |
commit | ebf31389927dd1f514c0a7092a6ba52ad003ad95 (patch) | |
tree | 0f5ef7cc517a70c2714f13c804fe49dc74efaafe /lib | |
parent | 8ef8a2b5ac66cf93e478b18abf69700237e70e52 (diff) |
nss: add support for the CURLSSLOPT_ALLOW_BEAST option
... and fix some typos from the 62d15f1 commit.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/nss.c | 13 |
1 files changed, 13 insertions, 0 deletions
@@ -1158,6 +1158,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   PRBool ssl3 = PR_FALSE;
   PRBool tlsv1 = PR_FALSE;
   PRBool ssl_no_cache;
+  PRBool ssl_cbc_random_iv;
   struct SessionHandle *data = conn->data;
   curl_socket_t sockfd = conn->sock[sockindex];
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
@@ -1266,6 +1267,18 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
     goto error;
 
+  ssl_cbc_random_iv = !data->set.ssl_enable_beast;
+#ifdef SSL_CBC_RANDOM_IV
+  /* unless the user explicitly asks to allow the protocol vulnerability, we
+     use the work-around */
+  if(SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ssl_cbc_random_iv) != SECSuccess)
+    infof(data, "warning: failed to set SSL_CBC_RANDOM_IV = %d\n",
+          ssl_cbc_random_iv);
+#else
+  if(ssl_cbc_random_iv)
+    infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
+#endif
+
   /* reset the flag to avoid an infinite loop */
   data->state.ssl_connect_retry = FALSE; |
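Review bot: The BEAST mitigation is fail-open in the second hunk: when the user has not set CURLSSLOPT_ALLOW_BEAST (so `ssl_cbc_random_iv` is true) and `SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ...)` fails, or when the option is not compiled in at all, the code only emits an `infof()` warning — which is visible only with verbose enabled — and the handshake proceeds without the work-around, whereas the `SSL_V2_COMPATIBLE_HELLO` call directly above treats a failed `SSL_OptionSet` as `goto error`. If the intent is that ALLOW_BEAST is the only way to get an unmitigated CBC session, the failure branch for `ssl_cbc_random_iv == PR_TRUE` should `goto error;` like its neighbour; if the mitigation is meant to be best-effort (the NSS library default presumably still applies when the call fails, but that is not verifiable from this hunk), that decision deserves a comment such as `/* best-effort: a failure here is only reported, the handshake still proceeds */` so the next reader does not mistake it for an oversight. The enclosing Curl_nss_connect() starts before and ends after this hunk.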