diff options
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | RELEASE-NOTES | 4 | ||||
-rw-r--r-- | lib/nss.c | 23 |
3 files changed, 31 insertions, 1 deletions
@@ -6,6 +6,11 @@ Changelog +Daniel Stenberg (18 Mar 2009) +- Kamil Dudka brought a patch that enables 6 additional crypto algorithms when + NSS is used. These ciphers were added in NSS 3.4 and require to be enabled + explicitly. + Daniel Stenberg (13 Mar 2009) - Use libssh2_version() to present the libssh2 version in case the libssh2 library is found to support it. diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 6323e36c2..b27798696 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -22,6 +22,7 @@ This release includes the following bugfixes: o curl_easy_duphandle() failed to duplicate cookies at times o missing TELNET timeout support in Windows builds o missing Curl_read() and write callback result checking in TELNET transfers + o more ciphers enabled in libcurl built to use NSS This release includes the following known bugs: @@ -31,6 +32,7 @@ This release would not have looked like this without help, code, reports and advice from friends like these: Daniel Fandrich, Yang Tse, David James, Chris Deidun, Bill Egert, - Andre Guibert de Bruet, Andreas Farber, Frank Hempel, Pierre Brico + Andre Guibert de Bruet, Andreas Farber, Frank Hempel, Pierre Brico, + Kamil Dudka Thanks! (and sorry if I forgot to mention someone) @@ -162,6 +162,18 @@ static const cipher_s cipherlist[] = { #endif }; +/* following ciphers are new in NSS 3.4 and not enabled by default, therefor + they are enabled explicitly */ +static const int enable_ciphers_by_default[] = { + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + SSL_NULL_WITH_NULL_NULL +}; + #ifdef HAVE_PK11_CREATEGENERICOBJECT static const char* pem_library = "libnsspem.so"; #endif @@ -954,6 +966,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) #endif char *certDir = NULL; int curlerr; + const int *cipher_to_enable; curlerr = CURLE_SSL_CONNECT_ERROR; @@ -1057,6 +1070,16 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) goto error; + /* enable all ciphers from enable_ciphers_by_default */ + cipher_to_enable = enable_ciphers_by_default; + while (SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) { + if (SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) { + curlerr = CURLE_SSL_CIPHER; + goto error; + } + cipher_to_enable++; + } + if(data->set.ssl.cipher_list) { if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) { curlerr = CURLE_SSL_CIPHER; |