Kamil Dudka wrote:
> On Thu October 8 2009 15:20:49 Rob Crittenden wrote:
>> I think we'll have to ask the NSS developers. I've got an e-mail to some
>> guys internally.
>
> Thanks! In the meantime I've conducted some observation:
>
> http://permalink.gmane.org/gmane.comp.web.curl.library/25367
>
> Just look at nsSSLIOLayerSetOptions() from
> security/manager/ssl/src/nsNSSIOLayer.cpp (nowadays part of xulrunner):
>
>     if (nsSSLIOLayerHelpers::isKnownAsIntolerantSite(key)) {
>       if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS, PR_FALSE))
>         return NS_ERROR_FAILURE;
>       infoObject->SetAllowTLSIntoleranceTimeout(PR_FALSE);
>
>       // We assume that protocols that use the STARTTLS mechanism should support
>       // modern hellos. For other protocols, if we suspect a site
>       // does not support TLS, let's also use V2 hellos.
>       // One advantage of this approach, if a site only supports the older
>       // hellos, it is more likely that we will get a reasonable error code
>       // on our single retry attempt.
>       if (!forSTARTTLS &&
>           SECSuccess != SSL_OptionSet(fd, SSL_V2_COMPATIBLE_HELLO, PR_TRUE))
>         return NS_ERROR_FAILURE;
>     }
>
> This method also looks relevant enough:
>
>     // Call this function to report a site that is possibly TLS intolerant.
>     // This function will return true, if the given socket is currently using TLS.
>     PRBool nsSSLIOLayerHelpers::rememberPossibleTLSProblemSite(...)
>
> I don't want to copy/paste the whole part of xulrunner into libcurl. Any
> idea how to make this work in an easy way?
>
> Kamil
An NSS developer suggested that if SSL2 is disabled then there is no point in setting the SSLv2 hello, so we could just enable that if SSL2 is enabled.
rob
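To make the suggested rule concrete, here is an added example (not code from libcurl, NSS or the thread's authors) that models what the NSS backend would pass to SSL_OptionSet() for each CURL_SSLVERSION value, tying SSL_V2_COMPATIBLE_HELLO to SSL_ENABLE_SSL2 as Rob describes. It does not link NSS: the fake_fd struct records the calls instead, the enum values are local stand-ins for the real <ssl.h> constants, and the mapping of CURL_SSLVERSION_DEFAULT to "SSLv3 + TLS, SSLv2 off" is an assumption rather than libcurl's actual table of the time. The comment on the V2 hello is the practical reason the rule matters: a V2-compatible ClientHello has no extensions field, so sending it when SSLv2 is disabled only drops SNI and similar extensions from the first flight.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for libcurl's CURL_SSLVERSION_* settings of the era
 * (assumption: only these four values are relevant here). */
enum ssl_version {
    SSLVER_DEFAULT = 0,
    SSLVER_TLSv1   = 1,
    SSLVER_SSLv2   = 2,
    SSLVER_SSLv3   = 3
};

/* The four NSS socket options discussed in the thread.  The numeric values
 * are local indices, not the constants from NSS's <ssl.h>. */
enum nss_opt {
    OPT_ENABLE_SSL2 = 0,
    OPT_ENABLE_SSL3,
    OPT_ENABLE_TLS,
    OPT_V2_COMPATIBLE_HELLO,
    OPT_COUNT
};

static const char *const opt_name[OPT_COUNT] = {
    "SSL_ENABLE_SSL2", "SSL_ENABLE_SSL3", "SSL_ENABLE_TLS",
    "SSL_V2_COMPATIBLE_HELLO"
};

/* Stand-in for the PRFileDesc: records every SSL_OptionSet() call the real
 * backend would make, so the policy can be checked without linking NSS. */
struct fake_fd {
    bool   set[OPT_COUNT];    /* was this option passed to SSL_OptionSet()? */
    bool   value[OPT_COUNT];  /* with PR_TRUE (true) or PR_FALSE (false)?  */
    size_t ncalls;
};

static void option_set(struct fake_fd *fd, enum nss_opt opt, bool on)
{
    fd->set[opt]   = true;
    fd->value[opt] = on;
    fd->ncalls++;
}

/* Enable the protocol versions the caller asked for and apply the rule from
 * the thread: the V2-compatible ClientHello is enabled only when SSLv2 itself
 * is enabled, and explicitly disabled otherwise.
 * Returns true when a V2-compatible hello will be sent. */
bool configure_hellos(struct fake_fd *fd, enum ssl_version version)
{
    bool ssl2 = false, ssl3 = false, tls = false;

    switch (version) {
    case SSLVER_SSLv2: ssl2 = true; break;
    case SSLVER_SSLv3: ssl3 = true; break;
    case SSLVER_TLSv1: tls  = true; break;
    case SSLVER_DEFAULT:
    default:
        ssl3 = true; tls = true;   /* assumption: SSLv2 stays off by default */
        break;
    }

    option_set(fd, OPT_ENABLE_SSL2, ssl2);
    option_set(fd, OPT_ENABLE_SSL3, ssl3);
    option_set(fd, OPT_ENABLE_TLS,  tls);

    /* A V2-compatible hello only helps a peer that actually speaks SSLv2.
     * With SSLv2 disabled it just removes TLS extensions (SNI, tickets) from
     * the first flight for no gain, so it follows SSL_ENABLE_SSL2 exactly. */
    option_set(fd, OPT_V2_COMPATIBLE_HELLO, ssl2);
    return ssl2;
}

int main(void)
{
    static const enum ssl_version versions[] = {
        SSLVER_DEFAULT, SSLVER_TLSv1, SSLVER_SSLv2, SSLVER_SSLv3
    };
    for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++) {
        struct fake_fd fd = {0};
        configure_hellos(&fd, versions[i]);
        printf("CURL_SSLVERSION=%d:", (int)versions[i]);
        for (int o = 0; o < OPT_COUNT; o++)
            printf(" %s=%s", opt_name[o], fd.value[o] ? "PR_TRUE" : "PR_FALSE");
        putchar('\n');
    }
    return 0;
}
```

Running it prints one line per CURL_SSLVERSION value; only the SSLv2 row ends up with SSL_V2_COMPATIBLE_HELLO=PR_TRUE, which is the whole point of the suggestion: no per-site intolerance cache is needed, the hello format simply follows the protocol the caller allowed.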
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
