rpms/curl
8
0
Fork 1
Code Issues Pull Requests Releases Activity

- new upstream release, dropped applied patches

Browse Source 
- workaround for broken TLS servers (#525496, #527771)
This commit is contained in:
Kamil Dudka 2009-11-04 14:05:38 +00:00
parent a81083eb90
commit 014599c14b
13 changed files with 162 additions and 423 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.cvsignore
View File

@ -1 +1 @@
curl-7.19.6.tar.lzma
curl-7.19.7.tar.lzma

13
curl-7.15.3-multilib.patch
View File

@ -1,7 +1,8 @@
diff -up curl-7.18.0/curl-config.in.multilib curl-7.18.0/curl-config.in
--- curl-7.18.0/curl-config.in.multilib 2008-01-10 23:14:02.000000000 +0100
+++ curl-7.18.0/curl-config.in 2008-02-16 06:48:14.000000000 +0100
@@ -45,7 +45,6 @@
diff --git a/curl-config.in b/curl-config.in
index 1c439a1..9d675ae 100644
--- a/curl-config.in
+++ b/curl-config.in
@@ -42,7 +42,6 @@ Available values for OPTION include:
--libs library linking information
--prefix curl install prefix
--protocols newline separated list of enabled protocols
@ -9,7 +10,7 @@ diff -up curl-7.18.0/curl-config.in.multilib curl-7.18.0/curl-config.in
--version output version information
--vernum output the version information as a number (hexadecimal)
EOF
@@ -72,7 +71,7 @@
@@ -69,7 +68,7 @@ while test $# -gt 0; do
;;
--cc)
@ -18,7 +19,7 @@ diff -up curl-7.18.0/curl-config.in.multilib curl-7.18.0/curl-config.in
;;
--prefix)
@@ -189,20 +188,7 @@
@@ -130,20 +129,7 @@ while test $# -gt 0; do
;;
--libs)

8
curl-7.16.0-privlibs.patch
View File

@ -1,6 +1,8 @@
--- curl-7.16.2/libcurl.pc.in.privlibs 2007-02-18 10:41:27.000000000 +0100
+++ curl-7.16.2/libcurl.pc.in 2007-04-11 20:02:34.000000000 +0200
@@ -33,6 +33,6 @@
diff --git a/libcurl.pc.in b/libcurl.pc.in
index 25beadd..d7c0805 100644
--- a/libcurl.pc.in
+++ b/libcurl.pc.in
@@ -35,6 +35,6 @@ Name: libcurl
URL: http://curl.haxx.se/
Description: Library to transfer files with ftp, http, etc.
Version: @VERSION@

9
curl-7.19.4-debug.patch
View File

@ -1,7 +1,8 @@
diff -ruNp curl-7.19.4.orig/configure.ac curl-7.19.4/configure.ac
--- curl-7.19.4.orig/configure.ac 2009-02-13 15:25:15.000000000 +0100
+++ curl-7.19.4/configure.ac 2009-04-22 11:56:32.171305420 +0200
@@ -241,7 +241,10 @@ dnl ************************************
diff --git a/configure.ac b/configure.ac
index e575a20..81a7772 100644
--- a/configure.ac
+++ b/configure.ac
@@ -228,7 +228,10 @@ dnl **********************************************************************
CURL_CHECK_COMPILER
CURL_SET_COMPILER_BASIC_OPTS

95
curl-7.19.6-autoconf.patch
View File

@ -1,95 +0,0 @@
diff -rup curl-7.19.6.orig/configure.ac curl-7.19.6/configure.ac
--- curl-7.19.6.orig/configure.ac 2009-09-02 15:46:09.396519773 +0200
+++ curl-7.19.6/configure.ac 2009-09-02 15:56:18.750831674 +0200
@@ -1455,22 +1455,37 @@ if test X"$OPT_LIBSSH2" != Xno; then
case "$OPT_LIBSSH2" in
yes)
dnl --with-libssh2 (without path) used
- PREFIX_LIBSSH2=/usr/local/lib
- LIB_LIBSSH2="$PREFIX_LIBSSH2$libsuff"
+ CURL_CHECK_PKGCONFIG(libssh2)
+
+ if test "$PKGCONFIG" != "no" ; then
+ LIB_SSH2=`$PKGCONFIG --libs-only-l libssh2`
+ LD_SSH2=`$PKGCONFIG --libs-only-L libssh2`
+ CPP_SSH2=`$PKGCONFIG --cflags-only-I libssh2`
+ version=`$PKGCONFIG --modversion libssh2`
+ DIR_SSH2=`echo $LD_SSH2 | $SED -e 's/-L//'`
+ fi
+
;;
off)
dnl no --with-libssh2 option given, just check default places
- PREFIX_LIBSSH2=
;;
*)
dnl use the given --with-libssh2 spot
- PREFIX_LIBSSH2=$OPT_LIBSSH2
- LIB_LIBSSH2="$PREFIX_LIBSSH2/lib$libsuff"
- LDFLAGS="$LDFLAGS -L$LIB_LIBSSH2"
- CPPFLAGS="$CPPFLAGS -I$PREFIX_LIBSSH2/include"
+ PREFIX_SSH2=$OPT_LIBSSH2
;;
esac
+ dnl if given with a prefix, we set -L and -I based on that
+ if test -n "$PREFIX_SSH2"; then
+ LD_SSH2=-L${PREFIX_SSH2}/lib
+ CPP_SSH2=-I${PREFIX_SSH2}/include
+ DIR_SSH2=${PREFIX_SSH2}/lib
+ fi
+
+ LDFLAGS="$LDFLAGS $LD_SSH2"
+ CPPFLAGS="$CPPFLAGS $CPP_SSH2"
+ LIBS="$LIBS $LIB_SSH2"
+
AC_CHECK_LIB(ssh2, libssh2_channel_open_ex)
AC_CHECK_HEADERS(libssh2.h,
@@ -1494,10 +1509,15 @@ if test X"$OPT_LIBSSH2" != Xno; then
dnl libssh2_version is a post 1.0 addition
AC_CHECK_FUNCS( libssh2_version )
- LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$LIB_LIBSSH2"
+ LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$DIR_SSH2"
export LD_LIBRARY_PATH
- AC_MSG_NOTICE([Added $LIB_LIBSSH2 to LD_LIBRARY_PATH])
+ AC_MSG_NOTICE([Added $DIR_SSH2 to LD_LIBRARY_PATH])
fi
+ else
+ dnl no libssh2, revert back to clean variables
+ LDFLAGS=$CLEANLDFLAGS
+ CPPFLAGS=$CLEANCPPFLAGS
+ LIBS=$CLEANLIBS
fi
fi
@@ -1665,13 +1685,21 @@ if test "$OPENSSL_ENABLED" != "1" -a "$G
addcflags=`$PKGCONFIG --cflags nss`
version=`$PKGCONFIG --modversion nss`
nssprefix=`$PKGCONFIG --variable=prefix nss`
+ else
+ dnl Without pkg-config, we check for nss-config
+
+ check=`nss-config --version 2>/dev/null`
+ if test -n "$check"; then
+ addlib=`nss-config --libs`
+ addcflags=`nss-config --cflags`
+ version=`nss-config --version`
+ nssprefix=`nss-config --prefix`
+ else
+ addlib="-lnss3"
+ addcflags=""
+ version="unknown"
+ fi
fi
- else
- # Without pkg-config, we'll kludge in some defaults
- addlib="-L$OPT_NSS/lib -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
- addcflags="-I$OPT_NSS/include"
- version="unknown"
- nssprefix=$OPT_NSS
fi
dnl Check for functionPK11_CreateGenericObject
Only in curl-7.19.6.orig: configure.ac.orig

45
curl-7.19.6-nss-cn.patch
View File

@ -1,45 +0,0 @@
diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c
--- curl-7.19.6.orig/lib/nss.c 2009-08-25 12:27:08.664828503 +0200
+++ curl-7.19.6/lib/nss.c 2009-08-28 11:51:37.764523702 +0200
@@ -591,7 +591,7 @@ static SECStatus BadCertHandler(void *ar
struct connectdata *conn = (struct connectdata *)arg;
PRErrorCode err = PR_GetError();
CERTCertificate *cert = NULL;
- char *subject, *issuer;
+ char *subject, *subject_cn, *issuer;
if(conn->data->set.ssl.certverifyresult!=0)
return success;
@@ -599,6 +599,7 @@ static SECStatus BadCertHandler(void *ar
conn->data->set.ssl.certverifyresult=err;
cert = SSL_PeerCertificate(sock);
subject = CERT_NameToAscii(&cert->subject);
+ subject_cn = CERT_GetCommonName(&cert->subject);
issuer = CERT_NameToAscii(&cert->issuer);
CERT_DestroyCertificate(cert);
@@ -616,12 +617,12 @@ static SECStatus BadCertHandler(void *ar
break;
case SSL_ERROR_BAD_CERT_DOMAIN:
if(conn->data->set.ssl.verifyhost) {
- failf(conn->data, "common name '%s' does not match '%s'",
- subject, conn->host.dispname);
+ failf(conn->data, "SSL: certificate subject name '%s' does not match "
+ "target host name '%s'", subject_cn, conn->host.dispname);
success = SECFailure;
} else {
- infof(conn->data, "warning: common name '%s' does not match '%s'\n",
- subject, conn->host.dispname);
+ infof(conn->data, "warning: SSL: certificate subject name '%s' does not "
+ "match target host name '%s'\n", subject_cn, conn->host.dispname);
}
break;
case SEC_ERROR_EXPIRED_CERTIFICATE:
@@ -645,6 +646,7 @@ static SECStatus BadCertHandler(void *ar
if(success == SECSuccess)
infof(conn->data, "SSL certificate verify ok.\n");
PR_Free(subject);
+ PR_Free(subject_cn);
PR_Free(issuer);
return success;

94
curl-7.19.6-nss-guenter.patch
View File

@ -1,94 +0,0 @@
--- curl-7.19.6/lib/nss.c 2009-09-30 15:29:35.965297742 +0200
+++ /tmp/nss.c 2009-09-30 15:23:05.000000000 +0200
@@ -63,6 +63,7 @@
#include <secitem.h>
#include <secport.h>
#include <certdb.h>
+#include <base64.h>
#include "curl_memory.h"
#include "rawstr.h"
@@ -265,7 +266,7 @@ static int num_enabled_ciphers(void)
*/
static int is_file(const char *filename)
{
- struct stat st;
+ struct_stat st;
if(filename == NULL)
return 0;
@@ -963,26 +964,38 @@ CURLcode Curl_nss_connect(struct connect
/* FIXME. NSS doesn't support multiple databases open at the same time. */
PR_Lock(nss_initlock);
if(!initialized) {
+ struct_stat st;
- certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
+ /* First we check if $SSL_DIR points to a valid dir */
+ certDir = getenv("SSL_DIR");
+ if(certDir) {
+ if((stat(certDir, &st) != 0) ||
+ (!S_ISDIR(st.st_mode))) {
+ certDir = NULL;
+ }
+ }
+ /* Now we check if the default location is a valid dir */
if(!certDir) {
- struct stat st;
-
- if(stat(SSL_DIR, &st) == 0)
- if(S_ISDIR(st.st_mode)) {
- certDir = (char *)SSL_DIR;
- }
+ if((stat(SSL_DIR, &st) == 0) &&
+ (S_ISDIR(st.st_mode))) {
+ certDir = (char *)SSL_DIR;
+ }
}
if (!NSS_IsInitialized()) {
initialized = 1;
+ infof(conn->data, "Initializing NSS with certpath: %s\n",
+ certDir ? certDir : "none");
if(!certDir) {
rv = NSS_NoDB_Init(NULL);
}
else {
- rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
- NSS_INIT_READONLY);
+ char *certpath = PR_smprintf("%s%s",
+ NSS_VersionCheck("3.12.0") ? "sql:" : "",
+ certDir);
+ rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
+ PR_smprintf_free(certpath);
}
if(rv != SECSuccess) {
infof(conn->data, "Unable to initialize NSS database\n");
@@ -1103,7 +1116,7 @@ CURLcode Curl_nss_connect(struct connect
}
}
else if(data->set.ssl.CApath) {
- struct stat st;
+ struct_stat st;
PRDir *dir;
PRDirEntry *entry;
@@ -1282,7 +1295,7 @@ int Curl_nss_send(struct connectdata *co
int rc;
if(data->set.timeout)
- timeout = PR_MillisecondsToInterval(data->set.timeout);
+ timeout = PR_MillisecondsToInterval((PRUint32)data->set.timeout);
else
timeout = PR_MillisecondsToInterval(DEFAULT_CONNECT_TIMEOUT);
@@ -1318,7 +1331,7 @@ ssize_t Curl_nss_recv(struct connectdata
PRInt32 timeout;
if(data->set.timeout)
- timeout = PR_SecondsToInterval(data->set.timeout);
+ timeout = PR_SecondsToInterval((PRUint32)data->set.timeout);
else
timeout = PR_MillisecondsToInterval(DEFAULT_CONNECT_TIMEOUT);

94
curl-7.19.6-nss-warnings.diff
View File

@ -1,94 +0,0 @@
diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c
--- curl-7.19.6.orig/lib/nss.c 2009-10-14 17:24:48.863839812 +0200
+++ curl-7.19.6/lib/nss.c 2009-10-14 17:25:29.192777766 +0200
@@ -278,6 +278,24 @@ static int is_file(const char *filename)
return 0;
}
+static char *fmt_nickname(char *str, bool *nickname_alloc)
+{
+ char *nickname = NULL;
+ *nickname_alloc = FALSE;
+
+ if(is_file(str)) {
+ char *n = strrchr(str, '/');
+ if(n) {
+ *nickname_alloc = TRUE;
+ n++; /* skip last slash */
+ nickname = aprintf("PEM Token #%d:%s", 1, n);
+ }
+ return nickname;
+ }
+
+ return str;
+}
+
static int nss_load_cert(struct ssl_connect_data *ssl,
const char *filename, PRBool cacert)
{
@@ -795,7 +813,7 @@ static SECStatus SelectClientCert(void *
return SECFailure;
}
- infof(data, "NSS: Client client certificate: %s\n", nickname);
+ infof(data, "NSS: client certificate: %s\n", nickname);
display_cert_info(data, *pRetCert);
return SECSuccess;
}
@@ -1164,24 +1182,10 @@ CURLcode Curl_nss_connect(struct connect
}
if(data->set.str[STRING_CERT]) {
- char *n;
- char *nickname;
bool nickname_alloc = FALSE;
-
- if(is_file(data->set.str[STRING_CERT])) {
- n = strrchr(data->set.str[STRING_CERT], '/');
- if(n) {
- n++; /* skip last slash */
- nickname = aprintf("PEM Token #%d:%s", 1, n);
- if(!nickname)
- return CURLE_OUT_OF_MEMORY;
-
- nickname_alloc = TRUE;
- }
- }
- else {
- nickname = data->set.str[STRING_CERT];
- }
+ char *nickname = fmt_nickname(data->set.str[STRING_CERT], &nickname_alloc);
+ if(!nickname)
+ return CURLE_OUT_OF_MEMORY;
if(!cert_stuff(conn, sockindex, data->set.str[STRING_CERT],
data->set.str[STRING_KEY])) {
@@ -1240,23 +1244,13 @@ CURLcode Curl_nss_connect(struct connect
display_conn_info(conn, connssl->handle);
if (data->set.str[STRING_SSL_ISSUERCERT]) {
- char *n;
- char *nickname;
- bool nickname_alloc = FALSE;
SECStatus ret;
+ bool nickname_alloc = FALSE;
+ char *nickname = fmt_nickname(data->set.str[STRING_SSL_ISSUERCERT],
+ &nickname_alloc);
- if(is_file(data->set.str[STRING_SSL_ISSUERCERT])) {
- n = strrchr(data->set.str[STRING_SSL_ISSUERCERT], '/');
- if (n) {
- n++; /* skip last slash */
- nickname = aprintf("PEM Token #%d:%s", 1, n);
- if(!nickname)
- return CURLE_OUT_OF_MEMORY;
- nickname_alloc = TRUE;
- }
- }
- else
- nickname = data->set.str[STRING_SSL_ISSUERCERT];
+ if(!nickname)
+ return CURLE_OUT_OF_MEMORY;
ret = check_issuer_cert(connssl->handle, nickname);

54
curl-7.19.6-verifyhost.patch
View File

@ -1,54 +0,0 @@
diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c
--- curl-7.19.6.orig/lib/nss.c 2009-08-14 11:14:45.423733097 +0200
+++ curl-7.19.6/lib/nss.c 2009-08-14 11:15:04.142733360 +0200
@@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *ar
issuer);
break;
case SSL_ERROR_BAD_CERT_DOMAIN:
- if(conn->data->set.ssl.verifypeer)
+ if(conn->data->set.ssl.verifyhost) {
+ failf(conn->data, "common name '%s' does not match '%s'",
+ subject, conn->host.dispname);
success = SECFailure;
- infof(conn->data, "common name: %s (does not match '%s')\n",
- subject, conn->host.dispname);
+ } else {
+ infof(conn->data, "warning: common name '%s' does not match '%s'\n",
+ subject, conn->host.dispname);
+ }
break;
case SEC_ERROR_EXPIRED_CERTIFICATE:
if(conn->data->set.ssl.verifypeer)
success = SECFailure;
infof(conn->data, "Remote Certificate has expired.\n");
break;
+ case SEC_ERROR_UNKNOWN_ISSUER:
+ if(conn->data->set.ssl.verifypeer)
+ success = SECFailure;
+ infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
+ issuer);
+ break;
default:
if(conn->data->set.ssl.verifypeer)
success = SECFailure;
@@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connect
}
}
+ if(data->set.ssl.verifyhost == 1)
+ infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
+
data->set.ssl.certverifyresult=0; /* not checked yet */
if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
!= SECSuccess) {
@@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connect
if(SSL_ForceHandshakeWithTimeout(connssl->handle,
PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
!= SECSuccess) {
- if(conn->data->set.ssl.certverifyresult!=0)
+ if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
+ curlerr = CURLE_PEER_FAILED_VERIFICATION;
+ else if(conn->data->set.ssl.certverifyresult!=0)
curlerr = CURLE_SSL_CACERT;
goto error;
}

18
curl-7.19.7-nss-nonblock.diff → curl-7.19.7-nss-nonblock.patch
View File

@ -1,5 +1,7 @@
--- curl-7.19.6.orig/lib/nss.c 2009-10-07 21:41:55.213109928 +0200
+++ curl-7.19.6/lib/nss.c 2009-10-08 19:48:05.379110326 +0200
diff --git a/lib/nss.c b/lib/nss.c
index ea904af..6e8d242 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -83,8 +83,6 @@ PRLock * nss_initlock = NULL;
volatile int initialized = 0;
@ -9,7 +11,7 @@
typedef struct {
const char *name;
int num;
@@ -947,6 +945,8 @@ CURLcode Curl_nss_connect(struct connect
@@ -970,6 +968,8 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
char *certDir = NULL;
int curlerr;
const int *cipher_to_enable;
@ -18,7 +20,7 @@
curlerr = CURLE_SSL_CONNECT_ERROR;
@@ -1040,6 +1040,12 @@ CURLcode Curl_nss_connect(struct connect
@@ -1063,6 +1063,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
goto error;
model = SSL_ImportFD(NULL, model);
@ -31,7 +33,7 @@
if(SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess)
goto error;
if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_FALSE) != SECSuccess)
@@ -1225,9 +1231,8 @@ CURLcode Curl_nss_connect(struct connect
@@ -1234,9 +1240,8 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
SSL_SetURL(connssl->handle, conn->host.name);
/* Force the handshake now */
@ -43,7 +45,7 @@
if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
curlerr = CURLE_PEER_FAILED_VERIFICATION;
else if(conn->data->set.ssl.certverifyresult!=0)
@@ -1289,27 +1294,12 @@ int Curl_nss_send(struct connectdata *co
@@ -1288,27 +1293,12 @@ int Curl_nss_send(struct connectdata *conn, /* connection data */
const void *mem, /* send this data */
size_t len) /* amount to write */
{
@ -73,7 +75,7 @@
return -1;
}
return rc; /* number of bytes */
@@ -1327,15 +1317,8 @@ ssize_t Curl_nss_recv(struct connectdata
@@ -1326,15 +1316,8 @@ ssize_t Curl_nss_recv(struct connectdata * conn, /* connection data */
bool * wouldblock)
{
ssize_t nread;
@ -90,7 +92,7 @@
*wouldblock = FALSE;
if(nread < 0) {
/* failed SSL read */
@@ -1345,10 +1328,6 @@ ssize_t Curl_nss_recv(struct connectdata
@@ -1344,10 +1327,6 @@ ssize_t Curl_nss_recv(struct connectdata * conn, /* connection data */
*wouldblock = TRUE;
return -1; /* basically EWOULDBLOCK */
}

123
curl-7.19.7-ssl-retry.patch Normal file
View File

@ -0,0 +1,123 @@
diff --git a/lib/nss.c b/lib/nss.c
index 6e8d242..93dfe16 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -844,6 +844,36 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
return SECSuccess;
}
+/* This function is supposed to decide, which error codes should be used
+ * to conclude server is TLS intolerant.
+ *
+ * taken from xulrunner - nsNSSIOLayer.cpp
+ */
+static PRBool
+isTLSIntoleranceError(PRInt32 err)
+{
+ switch (err) {
+ case SSL_ERROR_BAD_MAC_ALERT:
+ case SSL_ERROR_BAD_MAC_READ:
+ case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
+ case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:
+ case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE:
+ case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:
+ case SSL_ERROR_NO_CYPHER_OVERLAP:
+ case SSL_ERROR_BAD_SERVER:
+ case SSL_ERROR_BAD_BLOCK_PADDING:
+ case SSL_ERROR_UNSUPPORTED_VERSION:
+ case SSL_ERROR_PROTOCOL_VERSION_ALERT:
+ case SSL_ERROR_RX_MALFORMED_FINISHED:
+ case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE:
+ case SSL_ERROR_DECODE_ERROR_ALERT:
+ case SSL_ERROR_RX_UNKNOWN_ALERT:
+ return PR_TRUE;
+ default:
+ return PR_FALSE;
+ }
+}
+
/**
* Global SSL init
*
@@ -1081,7 +1111,11 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
switch (data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
- ssl3 = tlsv1 = PR_TRUE;
+ ssl3 = PR_TRUE;
+ if (data->state.ssl_connect_retry)
+ infof(data, "TLS disabled due to previous handshake failure\n");
+ else
+ tlsv1 = PR_TRUE;
break;
case CURL_SSLVERSION_TLSv1:
tlsv1 = PR_TRUE;
@@ -1101,9 +1135,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
goto error;
- if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
+ if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2
+ || data->state.ssl_connect_retry) != SECSuccess)
goto error;
+ /* reset the flag to avoid an infinite loop */
+ data->state.ssl_connect_retry = FALSE;
+
/* enable all ciphers from enable_ciphers_by_default */
cipher_to_enable = enable_ciphers_by_default;
while (SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
@@ -1280,10 +1318,21 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
return CURLE_OK;
error:
+ /* reset the flag to avoid an infinite loop */
+ data->state.ssl_connect_retry = FALSE;
+
err = PR_GetError();
infof(data, "NSS error %d\n", err);
if(model)
PR_Close(model);
+
+ if (ssl3 && tlsv1 && isTLSIntoleranceError(err)) {
+ /* schedule reconnect through Curl_retry_request() */
+ data->state.ssl_connect_retry = TRUE;
+ infof(data, "Error in TLS handshake, trying SSLv3...\n");
+ return CURLE_OK;
+ }
+
return curlerr;
}
diff --git a/lib/transfer.c b/lib/transfer.c
index 1f69706..c3a1976 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -2572,10 +2572,11 @@ CURLcode Curl_retry_request(struct connectdata *conn,
if(data->set.upload && !(conn->protocol&PROT_HTTP))
return CURLE_OK;
- if((data->req.bytecount +
+ if(/* workaround for broken TLS servers */ data->state.ssl_connect_retry ||
+ ((data->req.bytecount +
data->req.headerbytecount == 0) &&
conn->bits.reuse &&
- !data->set.opt_no_body) {
+ !data->set.opt_no_body)) {
/* We got no data, we attempted to re-use a connection and yet we want a
"body". This might happen if the connection was left alive when we were
done using it before, but that was closed when we wanted to read from
diff --git a/lib/urldata.h b/lib/urldata.h
index b9e5c24..b181e3f 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1331,6 +1331,9 @@ struct UrlState {
} proto;
/* current user of this SessionHandle instance, or NULL */
struct connectdata *current_conn;
+
+ /* if true, force SSL connection retry (workaround for certain servers) */
+ bool ssl_connect_retry;
};

28
curl.spec
View File

@ -1,18 +1,13 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.19.6
Release: 13%{?dist}
Version: 7.19.7
Release: 1%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
Source2: curlbuild.h
Patch1: curl-7.19.6-verifyhost.patch
Patch2: curl-7.19.6-nss-cn.patch
Patch3: curl-7.19.6-poll.patch
Patch4: curl-7.19.6-autoconf.patch
Patch5: curl-7.19.6-nss-guenter.patch
Patch6: curl-7.19.6-nss-warnings.diff
Patch7: curl-7.19.7-nss-nonblock.diff
Patch1: curl-7.19.7-nss-nonblock.patch
Patch2: curl-7.19.7-ssl-retry.patch
Patch101: curl-7.15.3-multilib.patch
Patch102: curl-7.16.0-privlibs.patch
Patch103: curl-7.19.4-debug.patch
@ -74,21 +69,15 @@ use cURL's capabilities internally.
%prep
%setup -q
# upstream patches (already applied)
# upstream patches (not yet applied)
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
# upstream patches (not yet applied)
%patch7 -p1
# Fedora patches
%patch101 -p1
%patch102 -p1
%patch103 -p1
autoconf
# Convert docs to UTF-8
for f in CHANGES README; do
@ -97,7 +86,6 @@ for f in CHANGES README; do
done
%build
autoconf
%configure --without-ssl --with-nss --enable-ipv6 \
--with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
--with-gssapi=%{_prefix}/kerberos --with-libidn \
@ -172,6 +160,10 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
* Wed Nov 04 2009 Kamil Dudka <kdudka@redhat.com> 7.19.7-1
- new upstream release, dropped applied patches
- workaround for broken TLS servers (#525496, #527771)
* Wed Oct 14 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-13
- fix timeout issues and gcc warnings within lib/nss.c

2
sources
View File

@ -1 +1 @@
9351ad8ee0bea75015dfa9ec6248e055 curl-7.19.6.tar.lzma
26124caef7359de6338172abafa98dc0 curl-7.19.7.tar.lzma