[GNUnet-SVN] [gnurl] 118/220: nss: use TLSv1.3 as default if supported


From: gnunet
Subject: [GNUnet-SVN] [gnurl] 118/220: nss: use TLSv1.3 as default if supported
Date: Thu, 12 Sep 2019 17:27:58 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit cc5fae5dacd240cd013995173705efdc68f26e34
Author: Peter Wu <address@hidden>
AuthorDate: Sat Aug 3 16:53:42 2019 +0100

    nss: use TLSv1.3 as default if supported
    
    SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported
    range in NSS 3.45. It looks like the intention is to raise the minimum
    version rather than lowering the maximum, so adjust accordingly. Note
    that the caller (nss_setup_connect) initializes the version range to
    (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again.
    
    Closes #4187
    Reviewed-by: Daniel Stenberg
    Reviewed-by: Kamil Dudka
---
 lib/vtls/nss.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 482fd5e99..435f3e93a 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1734,20 +1734,16 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
   CURLcode result;
   const long min = SSL_CONN_CONFIG(version);
   const long max = SSL_CONN_CONFIG(version_max);
-
-  /* map CURL_SSLVERSION_DEFAULT to NSS default */
-  if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) {
-    /* map CURL_SSLVERSION_DEFAULT to NSS default */
-    if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
-      return CURLE_SSL_CONNECT_ERROR;
-    /* ... but make sure we use at least TLSv1.0 according to libcurl API */
-    if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
-      sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
-  }
+  SSLVersionRange vrange;
 
   switch(min) {
   case CURL_SSLVERSION_TLSv1:
   case CURL_SSLVERSION_DEFAULT:
+    /* Bump our minimum TLS version if NSS has stricter requirements. */
+    if(SSL_VersionRangeGetDefault(ssl_variant_stream, &vrange) != SECSuccess)
+      return CURLE_SSL_CONNECT_ERROR;
+    if(sslver->min < vrange.min)
+      sslver->min = vrange.min;
     break;
   default:
     result = nss_sslver_from_curl(&sslver->min, min);
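Review bot: in the CURL_SSLVERSION_TLSv1 / CURL_SSLVERSION_DEFAULT case, the code now depends on sslver already holding a valid range on entry, because it only compares sslver->min against vrange.min and never writes sslver->max. The commit message says nss_setup_connect initializes the range to (TLSv1.0, TLSv1.3), but nothing in the function itself records that precondition; a short comment above the switch, or in the function's header comment, would keep a future caller from passing an uninitialized SSLVersionRange. Two smaller points: the bump sits under both case labels, so an explicit CURL_SSLVERSION_TLSv1 request also has its minimum raised to the NSS default, which deserves a word in the comment ("also applies when TLSv1 is requested explicitly"); and vrange is used only inside this one case, so it could be declared in a block scoped to that case rather than at function level.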

-- 
To stop receiving notification emails like this one, please contact
address@hidden.


