rpms/curl
6
0
Fork 1
Code Issues Pull Requests Releases Activity
5fc861594c
curl/0004-curl-7.33.0-7fc9325a.patch
Kamil Dudka 5fc861594c tool_metalink: do not use HAVE_NSS_INITCONTEXT 
... no longer provided by the configure script

[upstream commit ff9b66a8d4abb2fd92b12ae8ae3e4e7f39856af7]
2013-12-02 17:07:32 +01:00

1179 lines
39 KiB
Diff
Raw Blame History

From 1763d30fc3febc79da0e2e6fb2d608b46fc2d6c3 Mon Sep 17 00:00:00 2001
From: Gergely Nagy <ngg@tresorit.com>
Date: Thu, 19 Sep 2013 15:17:13 +0200
Subject: [PATCH 1/9] SSL: protocol version can be specified more precisely
CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1,
CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version
(CURL_SSLVERSION_TLSv1 means TLS 1.x).
axTLS:
axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one
of these should be used, so we don't allow the new enum values.
darwinssl:
Added support for the new enum values.
SChannel:
Added support for the new enum values.
CyaSSL:
Added support for the new enum values.
Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it
did the same before this commit), because CyaSSL cannot be configured to
use TLS 1.0-1.2.
GSKit:
GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow
those values.
Bugfix: There was a typo that caused wrong SSL versions to be passed to
GSKit.
NSS:
TLS minor version cannot be set, so we don't allow the new enum values.
QsoSSL:
TLS minor version cannot be set, so we don't allow the new enum values.
OpenSSL:
Added support for the new enum values.
Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0,
now it enables 1.0-1.2.
Command-line tool:
Added command line options for the new values.
[upstream commit ad34a2d5c87c7f4b14e8dded34569395de0d8c5b]
---
docs/libcurl/curl_easy_setopt.3 | 8 +++++-
docs/libcurl/symbols-in-versions | 3 ++
include/curl/curl.h | 5 +++-
lib/axtls.c | 3 +-
lib/curl_darwinssl.c | 34 +++++++++++++++++++++++++
lib/curl_schannel.c | 9 ++++++
lib/cyassl.c | 13 +++++++++-
lib/gskit.c | 11 +++++++-
lib/nss.c | 6 ++++
lib/qssl.c | 6 ++++
lib/ssluse.c | 51 +++++++++++++++++++++++++++----------
packages/OS400/curl.inc.in | 6 ++++
src/tool_getparam.c | 25 ++++++++++++++++--
src/tool_setopt.c | 3 ++
14 files changed, 161 insertions(+), 22 deletions(-)
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 6c92883..77fc550 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -2417,11 +2417,17 @@ The default action. This will attempt to figure out the remote SSL protocol
version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
by default with 7.18.1).
.IP CURL_SSLVERSION_TLSv1
-Force TLSv1
+Force TLSv1.x
.IP CURL_SSLVERSION_SSLv2
Force SSLv2
.IP CURL_SSLVERSION_SSLv3
Force SSLv3
+.IP CURL_SSLVERSION_TLSv1_0
+Force TLSv1.0
+.IP CURL_SSLVERSION_TLSv1_1
+Force TLSv1.1
+.IP CURL_SSLVERSION_TLSv1_2
+Force TLSv1.2
.RE
.IP CURLOPT_SSL_VERIFYPEER
Pass a long as parameter. By default, curl assumes a value of 1.
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 7c362cd..35b0878 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -695,6 +695,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2
CURL_SSLVERSION_SSLv2 7.9.2
CURL_SSLVERSION_SSLv3 7.9.2
CURL_SSLVERSION_TLSv1 7.9.2
+CURL_SSLVERSION_TLSv1_0 7.33.0
+CURL_SSLVERSION_TLSv1_1 7.33.0
+CURL_SSLVERSION_TLSv1_2 7.33.0
CURL_TIMECOND_IFMODSINCE 7.9.7
CURL_TIMECOND_IFUNMODSINCE 7.9.7
CURL_TIMECOND_LASTMOD 7.9.7
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 4e09cf7..e3c6bf2 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1659,9 +1659,12 @@ enum CURL_NETRC_OPTION {
enum {
CURL_SSLVERSION_DEFAULT,
- CURL_SSLVERSION_TLSv1,
+ CURL_SSLVERSION_TLSv1, /* TLS 1.x */
CURL_SSLVERSION_SSLv2,
CURL_SSLVERSION_SSLv3,
+ CURL_SSLVERSION_TLSv1_0,
+ CURL_SSLVERSION_TLSv1_1,
+ CURL_SSLVERSION_TLSv1_2,
CURL_SSLVERSION_LAST /* never use, keep last */
};
diff --git a/lib/axtls.c b/lib/axtls.c
index 44e6b93..8c92588 100644
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -164,7 +164,8 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_TLSv1:
break;
default:
- failf(data, "axTLS only supports TLSv1");
+ failf(data, "axTLS only supports TLS 1.0 and 1.1, "
+ "and it cannot be specified which one to use");
return CURLE_SSL_CONNECT_ERROR;
}
diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c
index 43fe053..4406d0e 100644
--- a/lib/curl_darwinssl.c
+++ b/lib/curl_darwinssl.c
@@ -1056,6 +1056,18 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
break;
+ case CURL_SSLVERSION_TLSv1_0:
+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1);
+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1);
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11);
+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11);
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12);
+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12);
+ break;
case CURL_SSLVERSION_SSLv3:
(void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3);
(void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3);
@@ -1100,6 +1112,21 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
kTLSProtocol12,
true);
break;
+ case CURL_SSLVERSION_TLSv1_0:
+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+ kTLSProtocol1,
+ true);
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+ kTLSProtocol11,
+ true);
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
+ kTLSProtocol12,
+ true);
+ break;
case CURL_SSLVERSION_SSLv3:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kSSLProtocol3,
@@ -1130,10 +1157,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
true);
break;
case CURL_SSLVERSION_TLSv1:
+ case CURL_SSLVERSION_TLSv1_0:
(void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kTLSProtocol1,
true);
break;
+ case CURL_SSLVERSION_TLSv1_1:
+ failf(data, "Your version of the OS does not support TLSv1.1");
+ return CURLE_SSL_CONNECT_ERROR;
+ case CURL_SSLVERSION_TLSv1_2:
+ failf(data, "Your version of the OS does not support TLSv1.2");
+ return CURLE_SSL_CONNECT_ERROR;
case CURL_SSLVERSION_SSLv2:
err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx,
kSSLProtocol2,
diff --git a/lib/curl_schannel.c b/lib/curl_schannel.c
index 68139db..9a16527 100644
--- a/lib/curl_schannel.c
+++ b/lib/curl_schannel.c
@@ -180,6 +180,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
SP_PROT_TLS1_1_CLIENT |
SP_PROT_TLS1_2_CLIENT;
break;
+ case CURL_SSLVERSION_TLSv1_0:
+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT;
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_1_CLIENT;
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT;
+ break;
case CURL_SSLVERSION_SSLv3:
schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT;
break;
diff --git a/lib/cyassl.c b/lib/cyassl.c
index 7c78464..ff11bdd 100644
--- a/lib/cyassl.c
+++ b/lib/cyassl.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -98,8 +98,19 @@ cyassl_connect_step1(struct connectdata *conn,
req_method = SSLv23_client_method();
break;
case CURL_SSLVERSION_TLSv1:
+ infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
+ "TLS 1.0 is used exclusively\n");
req_method = TLSv1_client_method();
break;
+ case CURL_SSLVERSION_TLSv1_0:
+ req_method = TLSv1_client_method();
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ req_method = TLSv1_1_client_method();
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ req_method = TLSv1_2_client_method();
+ break;
case CURL_SSLVERSION_SSLv3:
req_method = SSLv3_client_method();
break;
diff --git a/lib/gskit.c b/lib/gskit.c
index 5cda85b..187c58d 100644
--- a/lib/gskit.c
+++ b/lib/gskit.c
@@ -503,8 +503,17 @@ static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex)
sni = (char *) NULL;
break;
case CURL_SSLVERSION_TLSv1:
+ case CURL_SSLVERSION_TLSv1_0:
tlsv1enable = true;
break;
+ case CURL_SSLVERSION_TLSv1_1:
+ failf(data, "GSKit doesn't support TLS 1.1!");
+ cc = CURLE_SSL_CONNECT_ERROR;
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ failf(data, "GSKit doesn't support TLS 1.2!");
+ cc = CURLE_SSL_CONNECT_ERROR;
+ break;
default: /* CURL_SSLVERSION_DEFAULT. */
sslv3enable = true;
tlsv1enable = true;
@@ -555,7 +564,7 @@ static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex)
GSK_PROTOCOL_SSLV3_OFF);
if(cc == CURLE_OK)
cc = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV1,
- sslv3enable? GSK_PROTOCOL_TLSV1_ON:
+ tlsv1enable? GSK_PROTOCOL_TLSV1_ON:
GSK_PROTOCOL_TLSV1_OFF);
if(cc == CURLE_OK)
cc = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE,
diff --git a/lib/nss.c b/lib/nss.c
index 2d4bf9e..34dfbb1 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1267,6 +1267,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_SSLv3:
ssl3 = PR_TRUE;
break;
+ case CURL_SSLVERSION_TLSv1_0:
+ case CURL_SSLVERSION_TLSv1_1:
+ case CURL_SSLVERSION_TLSv1_2:
+ failf(data, "TLS minor version cannot be set\n");
+ curlerr = CURLE_SSL_CONNECT_ERROR;
+ goto error;
}
if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
diff --git a/lib/qssl.c b/lib/qssl.c
index b8a8dae..42bf890 100644
--- a/lib/qssl.c
+++ b/lib/qssl.c
@@ -204,6 +204,12 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
case CURL_SSLVERSION_SSLv3:
h->protocol = SSL_VERSION_3;
break;
+
+ case CURL_SSLVERSION_TLSv1_0:
+ case CURL_SSLVERSION_TLSv1_1:
+ case CURL_SSLVERSION_TLSv1_2:
+ failf(data, "TLS minor version cannot be set");
+ return CURLE_SSL_CONNECT_ERROR;
}
h->peerCert = NULL;
diff --git a/lib/ssluse.c b/lib/ssluse.c
index c747420..84fd737 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1431,19 +1431,12 @@ ossl_connect_step1(struct connectdata *conn,
switch(data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
-#ifdef USE_TLS_SRP
- if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
- infof(data, "Set version TLSv1 for SRP authorisation\n");
- req_method = TLSv1_client_method() ;
- }
- else
-#endif
- /* we try to figure out version */
- req_method = SSLv23_client_method();
- use_sni(TRUE);
- break;
case CURL_SSLVERSION_TLSv1:
- req_method = TLSv1_client_method();
+ case CURL_SSLVERSION_TLSv1_0:
+ case CURL_SSLVERSION_TLSv1_1:
+ case CURL_SSLVERSION_TLSv1_2:
+ /* it will be handled later with the context options */
+ req_method = SSLv23_client_method();
use_sni(TRUE);
break;
case CURL_SSLVERSION_SSLv2:
@@ -1556,9 +1549,39 @@ ossl_connect_step1(struct connectdata *conn,
ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
- /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
- if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
+ switch(data->set.ssl.version) {
+ case CURL_SSLVERSION_DEFAULT:
+ ctx_options |= SSL_OP_NO_SSLv2;
+#ifdef USE_TLS_SRP
+ if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
+ infof(data, "Set version TLSv1.x for SRP authorisation\n");
+ ctx_options |= SSL_OP_NO_SSLv3;
+ }
+#endif
+ break;
+ case CURL_SSLVERSION_TLSv1:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ break;
+ case CURL_SSLVERSION_TLSv1_0:
ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ ctx_options |= SSL_OP_NO_TLSv1_1;
+ ctx_options |= SSL_OP_NO_TLSv1_2;
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ ctx_options |= SSL_OP_NO_TLSv1;
+ ctx_options |= SSL_OP_NO_TLSv1_2;
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ ctx_options |= SSL_OP_NO_TLSv1;
+ ctx_options |= SSL_OP_NO_TLSv1_1;
+ break;
+ }
SSL_CTX_set_options(connssl->ctx, ctx_options);
diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in
index 1015843..b14d84f 100644
--- a/packages/OS400/curl.inc.in
+++ b/packages/OS400/curl.inc.in
@@ -228,6 +228,12 @@
d c 2
d CURL_SSLVERSION_SSLv3...
d c 3
+ d CURL_SSLVERSION_TLSv1_0...
+ d c 4
+ d CURL_SSLVERSION_TLSv1_1...
+ d c 5
+ d CURL_SSLVERSION_TLSv1_2...
+ d c 6
*
d CURL_TLSAUTH_NONE...
d c 0
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 6a405ff..d0feb71 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -184,6 +184,9 @@ static const struct LongShort aliases[]= {
{"01", "http1.1", FALSE},
{"02", "http2.0", FALSE},
{"1", "tlsv1", FALSE},
+ {"10", "tlsv1.0", FALSE},
+ {"11", "tlsv1.1", FALSE},
+ {"12", "tlsv1.2", FALSE},
{"2", "sslv2", FALSE},
{"3", "sslv3", FALSE},
{"4", "ipv4", FALSE},
@@ -1023,9 +1026,25 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
break;
}
break;
- case '1':
- /* TLS version 1 */
- config->ssl_version = CURL_SSLVERSION_TLSv1;
+ case '1': /* --tlsv1* options */
+ switch(subletter) {
+ case '\0':
+ /* TLS version 1.x */
+ config->ssl_version = CURL_SSLVERSION_TLSv1;
+ break;
+ case '0':
+ /* TLS version 1.0 */
+ config->ssl_version = CURL_SSLVERSION_TLSv1_0;
+ break;
+ case '1':
+ /* TLS version 1.1 */
+ config->ssl_version = CURL_SSLVERSION_TLSv1_1;
+ break;
+ case '2':
+ /* TLS version 1.2 */
+ config->ssl_version = CURL_SSLVERSION_TLSv1_2;
+ break;
+ }
break;
case '2':
/* SSL version 2 */
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
index cb93e11..f29bcd6 100644
--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
@@ -78,6 +78,9 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
NV(CURL_SSLVERSION_TLSv1),
NV(CURL_SSLVERSION_SSLv2),
NV(CURL_SSLVERSION_SSLv3),
+ NV(CURL_SSLVERSION_TLSv1_0),
+ NV(CURL_SSLVERSION_TLSv1_1),
+ NV(CURL_SSLVERSION_TLSv1_2),
NVEND,
};
--
1.7.1
From 5c27a05f194b204831e540509768f93777191b01 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 15 Oct 2013 20:31:04 +0200
Subject: [PATCH 2/9] curl: document the new --tlsv1.[012] options
[upstream commit 076726f1412205622414abd908723c4b33ca12cb]
---
docs/curl.1 | 20 ++++++++++++++++----
1 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/docs/curl.1 b/docs/curl.1
index 30ef4cc..fe18459 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1498,14 +1498,26 @@ Set TLS authentication type. Currently, the only supported option is "SRP",
for TLS-SRP (RFC 5054). If \fI--tlsuser\fP and \fI--tlspassword\fP are
specified but \fI--tlsauthtype\fP is not, then this option defaults to "SRP".
(Added in 7.21.4)
-.IP "--tlsuser <user>"
-Set username for use with the TLS authentication method specified with
-\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set. (Added in
-7.21.4)
.IP "--tlspassword <password>"
Set password for use with the TLS authentication method specified with
\fI--tlsauthtype\fP. Requires that \fI--tlsuser\fP also be set. (Added in
7.21.4)
+.IP "--tlsuser <user>"
+Set username for use with the TLS authentication method specified with
+\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set. (Added in
+7.21.4)
+.IP "--tlsv1.0"
+(SSL)
+Forces curl to use TLS version 1.0 when negotiating with a remote TLS server.
+(Added in 7.34.0)
+.IP "--tlsv1.1"
+(SSL)
+Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.
+(Added in 7.34.0)
+.IP "--tlsv1.2"
+(SSL)
+Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
+(Added in 7.34.0)
.IP "--tr-encoding"
(HTTP) Request a compressed Transfer-Encoding response using one of the
algorithms curl supports, and uncompress the data while receiving it.
--
1.7.1
From 2ee1df2a787f2e692a7ebe6aae00eaa1e1cca77b Mon Sep 17 00:00:00 2001
From: Steve Holme <steve_holme@hotmail.com>
Date: Wed, 16 Oct 2013 20:06:23 +0100
Subject: [PATCH 3/9] SSL: Corrected version number for new symbols from commit ad34a2d5c87c7f
[upstream commit 2c84ffe1549ea7d5029ba7863f53013562e6758d]
---
docs/libcurl/symbols-in-versions | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 35b0878..ac679d9 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -695,9 +695,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2
CURL_SSLVERSION_SSLv2 7.9.2
CURL_SSLVERSION_SSLv3 7.9.2
CURL_SSLVERSION_TLSv1 7.9.2
-CURL_SSLVERSION_TLSv1_0 7.33.0
-CURL_SSLVERSION_TLSv1_1 7.33.0
-CURL_SSLVERSION_TLSv1_2 7.33.0
+CURL_SSLVERSION_TLSv1_0 7.34.0
+CURL_SSLVERSION_TLSv1_1 7.34.0
+CURL_SSLVERSION_TLSv1_2 7.34.0
CURL_TIMECOND_IFMODSINCE 7.9.7
CURL_TIMECOND_IFUNMODSINCE 7.9.7
CURL_TIMECOND_LASTMOD 7.9.7
--
1.7.1
From fc6fd8049270e78db67af9bb47fb6fc506fd851a Mon Sep 17 00:00:00 2001
From: Steve Holme <steve_holme@hotmail.com>
Date: Wed, 16 Oct 2013 20:18:15 +0100
Subject: [PATCH 4/9] DOCS: Added libcurl version number to CURLOPT_SSLVERSION
[upstream commit 75b9b26465d5f01b52564293c2d553649f801f70]
---
docs/libcurl/curl_easy_setopt.3 | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 77fc550..b9d834b 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -2410,6 +2410,8 @@ Even though this option doesn't need any parameter, in some configurations
arguments. Therefore, it's recommended to pass 1 as parameter to this option.
.IP CURLOPT_SSLVERSION
Pass a long as parameter to control what version of SSL/TLS to attempt to use.
+(Added in 7.9.2)
+
The available options are:
.RS
.IP CURL_SSLVERSION_DEFAULT
@@ -2423,11 +2425,11 @@ Force SSLv2
.IP CURL_SSLVERSION_SSLv3
Force SSLv3
.IP CURL_SSLVERSION_TLSv1_0
-Force TLSv1.0
+Force TLSv1.0 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_1
-Force TLSv1.1
+Force TLSv1.1 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_2
-Force TLSv1.2
+Force TLSv1.2 (Added in 7.34.0)
.RE
.IP CURLOPT_SSL_VERIFYPEER
Pass a long as parameter. By default, curl assumes a value of 1.
--
1.7.1
From 97d4a2d8c479bb97631ba3f115840d97f51501a6 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 25 Nov 2013 16:03:52 +0100
Subject: [PATCH 5/9] nss: use a better API for controlling SSL version
This change introduces a dependency on NSS 3.14+.
[upstream commit 30e7e7552ba4397896ecac82ea04f38d52c4cc8f]
---
configure | 20 ++++++++++----------
configure.ac | 4 ++--
docs/INTERNALS | 2 +-
lib/nss.c | 40 +++++++++++++++++++---------------------
4 files changed, 32 insertions(+), 34 deletions(-)
diff --git a/configure b/configure
index f00d6fb..91f305f 100755
--- a/configure
+++ b/configure
@@ -23598,9 +23598,9 @@ $as_echo "found" >&6; }
CPPFLAGS="$CPPFLAGS $addcflags"
fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PK11_CreateGenericObject in -lnss3" >&5
-$as_echo_n "checking for PK11_CreateGenericObject in -lnss3... " >&6; }
-if ${ac_cv_lib_nss3_PK11_CreateGenericObject+:} false; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_VersionRangeSet in -lnss3" >&5
+$as_echo_n "checking for SSL_VersionRangeSet in -lnss3... " >&6; }
+if ${ac_cv_lib_nss3_SSL_VersionRangeSet+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@@ -23612,26 +23612,26 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
#ifdef __cplusplus
extern "C"
#endif
-char PK11_CreateGenericObject ();
+char SSL_VersionRangeSet ();
int main (void)
{
-return PK11_CreateGenericObject ();
+return SSL_VersionRangeSet ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_nss3_PK11_CreateGenericObject=yes
+ ac_cv_lib_nss3_SSL_VersionRangeSet=yes
else
- ac_cv_lib_nss3_PK11_CreateGenericObject=no
+ ac_cv_lib_nss3_SSL_VersionRangeSet=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_PK11_CreateGenericObject" >&5
-$as_echo "$ac_cv_lib_nss3_PK11_CreateGenericObject" >&6; }
-if test "x$ac_cv_lib_nss3_PK11_CreateGenericObject" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_SSL_VersionRangeSet" >&5
+$as_echo "$ac_cv_lib_nss3_SSL_VersionRangeSet" >&6; }
+if test "x$ac_cv_lib_nss3_SSL_VersionRangeSet" = xyes; then :
$as_echo "#define USE_NSS 1" >>confdefs.h
diff --git a/configure.ac b/configure.ac
index f861124..c857554 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2067,8 +2067,8 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
CPPFLAGS="$CPPFLAGS $addcflags"
fi
- dnl The function PK11_CreateGenericObject is needed to load libnsspem.so
- AC_CHECK_LIB(nss3, PK11_CreateGenericObject,
+ dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0
+ AC_CHECK_LIB(nss3, SSL_VersionRangeSet,
[
AC_DEFINE(USE_NSS, 1, [if NSS is enabled])
AC_SUBST(USE_NSS, [1])
diff --git a/docs/INTERNALS b/docs/INTERNALS
index 66e11a4..c8e433c 100644
--- a/docs/INTERNALS
+++ b/docs/INTERNALS
@@ -43,7 +43,7 @@ Portability
openldap 2.0
MIT krb5 lib 1.2.4
qsossl V5R3M0
- NSS 3.12.x
+ NSS 3.14.x
axTLS 1.2.7
Heimdal ?
diff --git a/lib/nss.c b/lib/nss.c
index 34dfbb1..fe243fa 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1176,9 +1176,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
{
PRErrorCode err = 0;
PRFileDesc *model = NULL;
- PRBool ssl2 = PR_FALSE;
- PRBool ssl3 = PR_FALSE;
- PRBool tlsv1 = PR_FALSE;
+ SSLVersionRange sslver;
PRBool ssl_no_cache;
PRBool ssl_cbc_random_iv;
struct SessionHandle *data = conn->data;
@@ -1252,20 +1250,25 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
switch (data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
- ssl3 = PR_TRUE;
- if(data->state.ssl_connect_retry)
+ sslver.min = SSL_LIBRARY_VERSION_3_0;
+ if(data->state.ssl_connect_retry) {
infof(data, "TLS disabled due to previous handshake failure\n");
+ sslver.max = SSL_LIBRARY_VERSION_3_0;
+ }
else
- tlsv1 = PR_TRUE;
+ sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
break;
case CURL_SSLVERSION_TLSv1:
- tlsv1 = PR_TRUE;
+ sslver.min = SSL_LIBRARY_VERSION_TLS_1_0;
+ sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
break;
case CURL_SSLVERSION_SSLv2:
- ssl2 = PR_TRUE;
+ sslver.min = SSL_LIBRARY_VERSION_2;
+ sslver.max = SSL_LIBRARY_VERSION_2;
break;
case CURL_SSLVERSION_SSLv3:
- ssl3 = PR_TRUE;
+ sslver.min = SSL_LIBRARY_VERSION_3_0;
+ sslver.max = SSL_LIBRARY_VERSION_3_0;
break;
case CURL_SSLVERSION_TLSv1_0:
case CURL_SSLVERSION_TLSv1_1:
@@ -1275,14 +1278,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
goto error;
}
- if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
- goto error;
- if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess)
- goto error;
- if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
- goto error;
-
- if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
+ if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
goto error;
ssl_cbc_random_iv = !data->set.ssl_enable_beast;
@@ -1468,11 +1464,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
if(model)
PR_Close(model);
- /* cleanup on connection failure */
- Curl_llist_destroy(connssl->obj_list, NULL);
- connssl->obj_list = NULL;
+ /* cleanup on connection failure */
+ Curl_llist_destroy(connssl->obj_list, NULL);
+ connssl->obj_list = NULL;
- if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) {
+ if((sslver.min == SSL_LIBRARY_VERSION_3_0)
+ && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
+ && isTLSIntoleranceError(err)) {
/* schedule reconnect through Curl_retry_request() */
data->state.ssl_connect_retry = TRUE;
infof(data, "Error in TLS handshake, trying SSLv3...\n");
--
1.7.1
From ea24e0836e7490baf05e390444a3e1825d2e2f4b Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 25 Nov 2013 16:14:55 +0100
Subject: [PATCH 6/9] nss: put SSL version selection into separate fnc
[upstream commit 4fb8241add5b68e95fbf44d3c2bf470201a9915d]
---
lib/nss.c | 72 +++++++++++++++++++++++++++++++++++-------------------------
1 files changed, 42 insertions(+), 30 deletions(-)
diff --git a/lib/nss.c b/lib/nss.c
index fe243fa..a295494 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1172,6 +1172,46 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn,
return CURLE_OK;
}
+static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+ struct SessionHandle *data)
+{
+ switch (data->set.ssl.version) {
+ default:
+ case CURL_SSLVERSION_DEFAULT:
+ sslver->min = SSL_LIBRARY_VERSION_3_0;
+ if(data->state.ssl_connect_retry) {
+ infof(data, "TLS disabled due to previous handshake failure\n");
+ sslver->max = SSL_LIBRARY_VERSION_3_0;
+ }
+ else
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
+ return CURLE_OK;
+
+ case CURL_SSLVERSION_TLSv1:
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
+ return CURLE_OK;
+
+ case CURL_SSLVERSION_SSLv2:
+ sslver->min = SSL_LIBRARY_VERSION_2;
+ sslver->max = SSL_LIBRARY_VERSION_2;
+ return CURLE_OK;
+
+ case CURL_SSLVERSION_SSLv3:
+ sslver->min = SSL_LIBRARY_VERSION_3_0;
+ sslver->max = SSL_LIBRARY_VERSION_3_0;
+ return CURLE_OK;
+
+ case CURL_SSLVERSION_TLSv1_0:
+ case CURL_SSLVERSION_TLSv1_1:
+ case CURL_SSLVERSION_TLSv1_2:
+ break;
+ }
+
+ failf(data, "TLS minor version cannot be set");
+ return CURLE_SSL_CONNECT_ERROR;
+}
+
CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
{
PRErrorCode err = 0;
@@ -1247,37 +1287,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
goto error;
- switch (data->set.ssl.version) {
- default:
- case CURL_SSLVERSION_DEFAULT:
- sslver.min = SSL_LIBRARY_VERSION_3_0;
- if(data->state.ssl_connect_retry) {
- infof(data, "TLS disabled due to previous handshake failure\n");
- sslver.max = SSL_LIBRARY_VERSION_3_0;
- }
- else
- sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
- break;
- case CURL_SSLVERSION_TLSv1:
- sslver.min = SSL_LIBRARY_VERSION_TLS_1_0;
- sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
- break;
- case CURL_SSLVERSION_SSLv2:
- sslver.min = SSL_LIBRARY_VERSION_2;
- sslver.max = SSL_LIBRARY_VERSION_2;
- break;
- case CURL_SSLVERSION_SSLv3:
- sslver.min = SSL_LIBRARY_VERSION_3_0;
- sslver.max = SSL_LIBRARY_VERSION_3_0;
- break;
- case CURL_SSLVERSION_TLSv1_0:
- case CURL_SSLVERSION_TLSv1_1:
- case CURL_SSLVERSION_TLSv1_2:
- failf(data, "TLS minor version cannot be set\n");
- curlerr = CURLE_SSL_CONNECT_ERROR;
+ /* enable/disable the requested SSL version(s) */
+ if(nss_init_sslver(&sslver, data) != CURLE_OK)
goto error;
- }
-
if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
goto error;
--
1.7.1
From 6b292d3310bc9bd0e16909e412b44f1846838ba6 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 25 Nov 2013 16:25:15 +0100
Subject: [PATCH 7/9] nss: allow to use TLS > 1.0 if built against recent NSS
Bug: http://curl.haxx.se/mail/lib-2013-11/0162.html
[upstream commit 7fc9325a52a6dad1f8b859a3269472ffc125edd0]
---
lib/nss.c | 22 ++++++++++++++++++++++
1 files changed, 22 insertions(+), 0 deletions(-)
diff --git a/lib/nss.c b/lib/nss.c
index a295494..43c2141 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1189,7 +1189,13 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
case CURL_SSLVERSION_TLSv1:
sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+#ifdef SSL_LIBRARY_VERSION_TLS_1_2
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
+#elif defined SSL_LIBRARY_VERSION_TLS_1_1
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
+#else
sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
+#endif
return CURLE_OK;
case CURL_SSLVERSION_SSLv2:
@@ -1203,8 +1209,24 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_0:
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
+ return CURLE_OK;
+
case CURL_SSLVERSION_TLSv1_1:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_1
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_1;
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
+ return CURLE_OK;
+#endif
+ break;
+
case CURL_SSLVERSION_TLSv1_2:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_2
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_2;
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
+ return CURLE_OK;
+#endif
break;
}
--
1.7.1
From 6149dcd0a753647cc152287b6562df91073923b3 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 2 Dec 2013 14:25:07 +0100
Subject: [PATCH 8/9] nss: unconditionally require NSS_InitContext()
... since we depend on NSS 3.14+ because of SSL_VersionRangeSet() anyway
[upstream commit 865666afca926faa1c721020fc54364540caf734]
---
configure | 12 ------------
configure.ac | 8 --------
lib/nss.c | 26 --------------------------
3 files changed, 0 insertions(+), 46 deletions(-)
diff --git a/configure b/configure
index 91f305f..10d4836 100755
--- a/configure
+++ b/configure
@@ -23654,18 +23654,6 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: detected NSS version $version" >&5
$as_echo "$as_me: detected NSS version $version" >&6;}
- ac_fn_c_check_func "$LINENO" "NSS_InitContext" "ac_cv_func_NSS_InitContext"
-if test "x$ac_cv_func_NSS_InitContext" = xyes; then :
-
-
-$as_echo "#define HAVE_NSS_INITCONTEXT 1" >>confdefs.h
-
- HAVE_NSS_INITCONTEXT=1
-
-
-fi
-
-
if test "x$cross_compiling" != "xyes"; then
LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$nssprefix/lib$libsuff"
export LD_LIBRARY_PATH
diff --git a/configure.ac b/configure.ac
index c857554..908fd6c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2084,14 +2084,6 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
if test "x$USE_NSS" = "xyes"; then
AC_MSG_NOTICE([detected NSS version $version])
- dnl NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent
- dnl collisions on NSS initialization/shutdown with other libraries
- AC_CHECK_FUNC(NSS_InitContext,
- [
- AC_DEFINE(HAVE_NSS_INITCONTEXT, 1, [if you have the NSS_InitContext function])
- AC_SUBST(HAVE_NSS_INITCONTEXT, [1])
- ])
-
dnl when shared libs were found in a path that the run-time
dnl linker doesn't search through, we need to add it to
dnl LD_LIBRARY_PATH to prevent further configure tests to fail
diff --git a/lib/nss.c b/lib/nss.c
index 43c2141..d6b95b7 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -76,9 +76,7 @@ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
PRLock * nss_initlock = NULL;
PRLock * nss_crllock = NULL;
-#ifdef HAVE_NSS_INITCONTEXT
NSSInitContext * nss_context = NULL;
-#endif
volatile int initialized = 0;
@@ -854,7 +852,6 @@ isTLSIntoleranceError(PRInt32 err)
static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
{
-#ifdef HAVE_NSS_INITCONTEXT
NSSInitParameters initparams;
if(nss_context != NULL)
@@ -862,12 +859,6 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
memset((void *) &initparams, '\0', sizeof(initparams));
initparams.length = sizeof(initparams);
-#else /* HAVE_NSS_INITCONTEXT */
- SECStatus rv;
-
- if(NSS_IsInitialized())
- return CURLE_OK;
-#endif
if(cert_dir) {
const bool use_sql = NSS_VersionCheck("3.12.0");
@@ -876,35 +867,22 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
return CURLE_OUT_OF_MEMORY;
infof(data, "Initializing NSS with certpath: %s\n", certpath);
-#ifdef HAVE_NSS_INITCONTEXT
nss_context = NSS_InitContext(certpath, "", "", "", &initparams,
NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
free(certpath);
if(nss_context != NULL)
return CURLE_OK;
-#else /* HAVE_NSS_INITCONTEXT */
- rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
- free(certpath);
-
- if(rv == SECSuccess)
- return CURLE_OK;
-#endif
infof(data, "Unable to initialize NSS database\n");
}
infof(data, "Initializing NSS with certpath: none\n");
-#ifdef HAVE_NSS_INITCONTEXT
nss_context = NSS_InitContext("", "", "", "", &initparams, NSS_INIT_READONLY
| NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN
| NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD);
if(nss_context != NULL)
return CURLE_OK;
-#else /* HAVE_NSS_INITCONTEXT */
- if(NSS_NoDB_Init(NULL) == SECSuccess)
- return CURLE_OK;
-#endif
infof(data, "Unable to initialize NSS\n");
return CURLE_SSL_CACERT_BADFILE;
@@ -1000,12 +978,8 @@ void Curl_nss_cleanup(void)
SECMOD_DestroyModule(mod);
mod = NULL;
}
-#ifdef HAVE_NSS_INITCONTEXT
NSS_ShutdownContext(nss_context);
nss_context = NULL;
-#else /* HAVE_NSS_INITCONTEXT */
- NSS_Shutdown();
-#endif
}
PR_Unlock(nss_initlock);
--
1.7.1
From e0fcc1bbc4e9b69803a84613cd7a4eed662ca13f Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 2 Dec 2013 16:09:12 +0100
Subject: [PATCH 9/9] nss: make sure that 'sslver' is always initialized
[upstream commit e221b55f67a2e12717e911f25d1bb6c85fcebfab]
---
lib/nss.c | 9 +++++----
1 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/nss.c b/lib/nss.c
index d6b95b7..7da6a3b 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1152,13 +1152,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
switch (data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
- sslver->min = SSL_LIBRARY_VERSION_3_0;
if(data->state.ssl_connect_retry) {
infof(data, "TLS disabled due to previous handshake failure\n");
sslver->max = SSL_LIBRARY_VERSION_3_0;
}
- else
- sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
return CURLE_OK;
case CURL_SSLVERSION_TLSv1:
@@ -1212,7 +1209,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
{
PRErrorCode err = 0;
PRFileDesc *model = NULL;
- SSLVersionRange sslver;
PRBool ssl_no_cache;
PRBool ssl_cbc_random_iv;
struct SessionHandle *data = conn->data;
@@ -1224,6 +1220,11 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
long time_left;
PRUint32 timeout;
+ SSLVersionRange sslver = {
+ SSL_LIBRARY_VERSION_3_0, /* min */
+ SSL_LIBRARY_VERSION_TLS_1_0 /* max */
+ };
+
if(connssl->state == ssl_connection_complete)
return CURLE_OK;
--
1.7.1
From a3592df2afa075a2c905638c2d8d3513810eff09 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 2 Dec 2013 17:00:35 +0100
Subject: [PATCH 10/10] tool_metalink: do not use HAVE_NSS_INITCONTEXT
... no longer provided by the configure script
[upstream commit ff9b66a8d4abb2fd92b12ae8ae3e4e7f39856af7]
---
src/tool_metalink.c | 8 ++------
1 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/src/tool_metalink.c b/src/tool_metalink.c
index be5fc26..050f59d 100644
--- a/src/tool_metalink.c
+++ b/src/tool_metalink.c
@@ -54,9 +54,7 @@
# define MD5_CTX void *
# define SHA_CTX void *
# define SHA256_CTX void *
-# ifdef HAVE_NSS_INITCONTEXT
- static NSSInitContext *nss_context;
-# endif
+ static NSSInitContext *nss_context;
#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
(__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \
(defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \
@@ -240,7 +238,6 @@ static int nss_hash_init(void **pctx, SECOidTag hash_alg)
PK11Context *ctx;
/* we have to initialize NSS if not initialized alraedy */
-#ifdef HAVE_NSS_INITCONTEXT
if(!NSS_IsInitialized() && !nss_context) {
static NSSInitParameters params;
params.length = sizeof params;
@@ -248,7 +245,6 @@ static int nss_hash_init(void **pctx, SECOidTag hash_alg)
| NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN
| NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD);
}
-#endif
ctx = PK11_CreateDigestContext(hash_alg);
if(!ctx)
@@ -894,7 +890,7 @@ void clean_metalink(struct Configurable *config)
void metalink_cleanup(void)
{
-#if defined(USE_NSS) && defined(HAVE_NSS_INITCONTEXT)
+#ifdef USE_NSS
if(nss_context) {
NSS_ShutdownContext(nss_context);
nss_context = NULL;
--
1.7.1
Reference in New Issue View Git Blame Copy Permalink