From 3f430c9c3a4e3748bc075b633a9324c5037c9fe7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 29 Oct 2014 14:14:23 +0100 Subject: nss: drop the code for libcurl-level downgrade to SSLv3 This code was already deactivated by commit ec783dc142129d3860e542b443caaa78a6172d56. --- lib/vtls/nss.c | 49 ------------------------------------------------- 1 file changed, 49 deletions(-) (limited to 'lib/vtls') diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index d7dd98055..8161b434d 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -935,36 +935,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, return SECSuccess; } -/* This function is supposed to decide, which error codes should be used - * to conclude server is TLS intolerant. - * - * taken from xulrunner - nsNSSIOLayer.cpp - */ -static PRBool -isTLSIntoleranceError(PRInt32 err) -{ - switch (err) { - case SSL_ERROR_BAD_MAC_ALERT: - case SSL_ERROR_BAD_MAC_READ: - case SSL_ERROR_HANDSHAKE_FAILURE_ALERT: - case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT: - case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE: - case SSL_ERROR_ILLEGAL_PARAMETER_ALERT: - case SSL_ERROR_NO_CYPHER_OVERLAP: - case SSL_ERROR_BAD_SERVER: - case SSL_ERROR_BAD_BLOCK_PADDING: - case SSL_ERROR_UNSUPPORTED_VERSION: - case SSL_ERROR_PROTOCOL_VERSION_ALERT: - case SSL_ERROR_RX_MALFORMED_FINISHED: - case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE: - case SSL_ERROR_DECODE_ERROR_ALERT: - case SSL_ERROR_RX_UNKNOWN_ALERT: - return PR_TRUE; - default: - return PR_FALSE; - } -} - /* update blocking direction in case of PR_WOULD_BLOCK_ERROR */ static void nss_update_connecting_state(ssl_connect_state state, void *secret) { @@ -1396,12 +1366,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl, struct SessionHandle *data, CURLcode curlerr) { - SSLVersionRange sslver; PRErrorCode err = 0; - /* reset the flag to avoid an infinite loop */ - data->state.ssl_connect_retry = FALSE; - if(is_nss_error(curlerr)) { /* read NSPR error code */ err = PR_GetError(); @@ -1418,18 +1384,6 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl, /* cleanup on connection failure */ Curl_llist_destroy(connssl->obj_list, NULL); connssl->obj_list = NULL; - - if(connssl->handle - && (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess) - && (sslver.min == SSL_LIBRARY_VERSION_3_0) - && (sslver.max != SSL_LIBRARY_VERSION_3_0) - && isTLSIntoleranceError(err)) { - /* schedule reconnect through Curl_retry_request() */ - data->state.ssl_connect_retry = TRUE; - infof(data, "Error in TLS handshake, trying SSLv3...\n"); - return CURLE_OK; - } - return curlerr; } @@ -1550,9 +1504,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n"); #endif - /* reset the flag to avoid an infinite loop */ - data->state.ssl_connect_retry = FALSE; - if(data->set.ssl.cipher_list) { if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) { curlerr = CURLE_SSL_CIPHER; -- cgit v1.2.3