-rw-r--r--CHANGES5
-rw-r--r--RELEASE-NOTES4
-rw-r--r--lib/nss.c23
3 files changed, 31 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index 8c5230532..66b24f719 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@
Changelog
+Daniel Stenberg (18 Mar 2009)
+- Kamil Dudka brought a patch that enables 6 additional crypto algorithms when
+ NSS is used. These ciphers were added in NSS 3.4 and require to be enabled
+ explicitly.
+
Daniel Stenberg (13 Mar 2009)
- Use libssh2_version() to present the libssh2 version in case the libssh2
library is found to support it.
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 6323e36c2..b27798696 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -22,6 +22,7 @@ This release includes the following bugfixes:
o curl_easy_duphandle() failed to duplicate cookies at times
o missing TELNET timeout support in Windows builds
o missing Curl_read() and write callback result checking in TELNET transfers
+ o more ciphers enabled in libcurl built to use NSS
This release includes the following known bugs:
@@ -31,6 +32,7 @@ This release would not have looked like this without help, code, reports and
advice from friends like these:
Daniel Fandrich, Yang Tse, David James, Chris Deidun, Bill Egert,
- Andre Guibert de Bruet, Andreas Farber, Frank Hempel, Pierre Brico
+ Andre Guibert de Bruet, Andreas Farber, Frank Hempel, Pierre Brico,
+ Kamil Dudka
Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/nss.c b/lib/nss.c
index ce9e0da5f..373c28390 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -162,6 +162,18 @@ static const cipher_s cipherlist[] = {
#endif
};
+/* following ciphers are new in NSS 3.4 and not enabled by default, therefor
+ they are enabled explicitly */
+static const int enable_ciphers_by_default[] = {
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ SSL_NULL_WITH_NULL_NULL
+};
+
#ifdef HAVE_PK11_CREATEGENERICOBJECT
static const char* pem_library = "libnsspem.so";
#endif
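Review bot: The comment introducing enable_ciphers_by_default has a typo and does not explain the terminator, which is the one thing a reader of the loop needs; suggest `/* Ciphers new in NSS 3.4 that are not enabled by default, therefore enabled explicitly. Terminated by SSL_NULL_WITH_NULL_NULL, which is never enabled here. */`. The element type is `int` while the cipher argument of SSL_CipherPrefSet is, as far as I recall, PRInt32 — declaring the table as `static const PRInt32 enable_ciphers_by_default[]` would avoid an implicit conversion at the call site; confirm against the NSS headers in use. The sentinel scheme also means a maintainer who appends an entry after the terminator silently gets it ignored; a sizeof-based count would be more robust, though the sentinel is workable as long as the comment states it.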
@@ -954,6 +966,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
#endif
char *certDir = NULL;
int curlerr;
+ const int *cipher_to_enable;
curlerr = CURLE_SSL_CONNECT_ERROR;
@@ -1057,6 +1070,16 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
goto error;
+ /* enable all ciphers from enable_ciphers_by_default */
+ cipher_to_enable = enable_ciphers_by_default;
+ while (SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
+ if (SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {
+ curlerr = CURLE_SSL_CIPHER;
+ goto error;
+ }
+ cipher_to_enable++;
+ }
+
if(data->set.ssl.cipher_list) {
if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
curlerr = CURLE_SSL_CIPHER;
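Review bot: The new loop force-enables six ciphers on `model` before the user's `data->set.ssl.cipher_list` is applied, so the result depends on set_ciphers() first disabling every cipher in cipherlist[] — if it only enables the listed ones, these six stay on regardless of what the user asked for; I cannot see set_ciphers() from here, so please confirm and record the dependency with a comment such as `/* must precede set_ciphers(), which resets the table before applying the user's list */`. Note also that any SSL_CipherPrefSet failure aborts the connection with CURLE_SSL_CIPHER, which turns a libcurl built against NSS 3.4 headers but run against an older libssl3 into a hard failure rather than a degraded cipher set; whether that is intended is worth stating in the comment. As a point of style, `while (` and `if (` on the new lines diverge from the `if(` spacing used on the surrounding lines of this file. Curl_nss_connect begins and ends outside this hunk.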