On Thu October 8 2009 15:20:49 Rob Crittenden wrote:
> I think we'll have to ask the NSS developers. I've got an e-mail to some
> guys internally.

Thanks! In the meantime I've conducted some observation:

http://permalink.gmane.org/gmane.comp.web.curl.library/25367

Just look at nsSSLIOLayerSetOptions() from
security/manager/ssl/src/nsNSSIOLayer.cpp (nowadays part of xulrunner):

    if (nsSSLIOLayerHelpers::isKnownAsIntolerantSite(key)) {
      if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS, PR_FALSE))
        return NS_ERROR_FAILURE;

      infoObject->SetAllowTLSIntoleranceTimeout(PR_FALSE);

      // We assume that protocols that use the STARTTLS mechanism should support
      // modern hellos. For other protocols, if we suspect a site
      // does not support TLS, let's also use V2 hellos.
      // One advantage of this approach, if a site only supports the older
      // hellos, it is more likely that we will get a reasonable error code
      // on our single retry attempt.

      if (!forSTARTTLS &&
          SECSuccess != SSL_OptionSet(fd, SSL_V2_COMPATIBLE_HELLO, PR_TRUE))
        return NS_ERROR_FAILURE;
    }

This method also looks relevant enough:

    // Call this function to report a site that is possibly TLS intolerant.
    // This function will return true, if the given socket is currently using TLS.
    PRBool nsSSLIOLayerHelpers::rememberPossibleTLSProblemSite(...)

I don't want to copy/paste the whole part of xulrunner into libcurl. Any idea
how to make this work in an easy way?

Kamil

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
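
Added example, not part of the original message and not code from xulrunner, NSS or libcurl: a self-contained C model of the single-retry policy in the quoted snippet (remember the site on a failed TLS handshake, then retry once with TLS off and, unless STARTTLS is in use, a V2-compatible hello). The site table, `hello_opts`, all function names and the two constructed peers are hypothetical, and a callback stands in for the real handshake.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Model only: no NSS calls are made. All names here are hypothetical. */
struct hello_opts { bool enable_tls; bool v2_compatible_hello; };
typedef bool (*handshake_fn)(const struct hello_opts *opts);

#define MAX_SITES 32
static char intolerant[MAX_SITES][128];   /* "host:port" keys */
static int n_intolerant;
bool is_known_intolerant(const char *key) {
    for (int i = 0; i < n_intolerant; i++)
        if (strcmp(intolerant[i], key) == 0) return true;
    return false;
}

/* Returns false when the key cannot be stored (table full or key too long). */
bool remember_intolerant(const char *key) {
    if (is_known_intolerant(key)) return true;
    if (n_intolerant == MAX_SITES || strlen(key) >= sizeof intolerant[0]) return false;
    strcpy(intolerant[n_intolerant++], key);
    return true;
}

/* Same decision as the quoted branch: TLS off for a remembered site, V2 hello unless STARTTLS. */
struct hello_opts choose_opts(const char *key, bool for_starttls) {
    bool bad = is_known_intolerant(key);
    struct hello_opts o = { !bad, bad && !for_starttls };
    return o;
}

/* Returns the number of handshakes made (1 or 2), or -1 on failure; *used holds the last options. */
int connect_with_fallback(const char *key, bool for_starttls, handshake_fn hs,
                          struct hello_opts *used) {
    *used = choose_opts(key, for_starttls);
    if (hs(used)) return 1;
    if (!used->enable_tls || !remember_intolerant(key)) return -1; /* no second retry */
    *used = choose_opts(key, for_starttls);
    return hs(used) ? 2 : -1;
}

/* Constructed peers: one completes a TLS hello, the other fails whenever TLS is offered. */
bool peer_tls_ok(const struct hello_opts *o) { return o->enable_tls; }
bool peer_tls_intolerant(const struct hello_opts *o) { return !o->enable_tls; }
int main(void) {
    struct hello_opts u;
    int n = connect_with_fallback("old.example:443", false, peer_tls_intolerant, &u);
    printf("attempts=%d tls=%d v2hello=%d\n", n, u.enable_tls, u.v2_compatible_hello);
    return n == 2 ? 0 : 1;
}
```

A return value of 2 means the connection was made with TLS disabled, so a caller can log that case separately from a normal first-attempt handshake.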
