On 22/04/15 13:03, Kamil Dudka wrote:
On Wednesday 22 April 2015 12:38:44 Paul Howarth wrote:
On 20/03/15 19:29, Kamil Dudka wrote:
On Monday 09 March 2015 14:34:31 Alessandro Ghedini wrote:
Hello,

I updated the checks as Kamil suggested. Now False Start is only used with TLS 1.2, ECDHE and AES GCM like in newer Firefox versions. This kind of reduces the False Start usability, since NSS doesn't enable ECC ciphers by default and they need to be manually selected like so:

$ src/curl -v https://ghedini.me --ciphers ecdhe_rsa_aes_128_gcm_sha_256 --false-start

But this may change in the future I suppose. Also, AFAICT NSS doesn't support AES 256 GCM, so there's that too, but I guess that in most servers if AES 256 is enabled, AES 128 will be as well.

See attached patches.

Cheers
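The policy Alessandro describes (False Start only with TLS 1.2, ECDHE and AES-GCM) is the decision a CanFalseStartCallback has to make: the client is about to send application data before it has verified the server's Finished, so a handshake that a man-in-the-middle tampered with will only be detected after the early data has already left under the negotiated keys. The example below, which is added here and is neither Alessandro's patch nor NSS or curl code, models that decision in plain C. The `struct channel_info`, its enums and the function names are constructed stand-ins for what NSS would supply, and the cipher-suite names are written in the spelling curl's `--ciphers` option uses on this page (`ecdhe_rsa_aes_128_gcm_sha_256`); the other names in the sample list are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the negotiated handshake parameters a
 * CanFalseStartCallback would inspect. Not NSS's SSLChannelInfo; the
 * names are assumptions made for this example. */
enum tls_version { TLS_1_0 = 0x0301, TLS_1_1 = 0x0302, TLS_1_2 = 0x0303 };
enum kx_alg { KX_UNKNOWN, KX_RSA, KX_DHE, KX_ECDHE };
enum bulk_cipher { CIPHER_UNKNOWN, CIPHER_RC4_128, CIPHER_3DES,
                   CIPHER_AES_128_CBC, CIPHER_AES_256_CBC,
                   CIPHER_AES_128_GCM, CIPHER_AES_256_GCM };

struct channel_info {
    enum tls_version version;
    enum kx_alg kx;
    enum bulk_cipher cipher;
};

static bool has_prefix(const char *s, const char *p)
{
    return strncmp(s, p, strlen(p)) == 0;
}

/* Map a suite name in the curl --ciphers spelling (e.g.
 * "ecdhe_rsa_aes_128_gcm_sha_256") onto key exchange and bulk cipher.
 * Unknown spellings leave the fields at *_UNKNOWN and return false. */
bool parse_nss_cipher_name(const char *name, struct channel_info *ci)
{
    ci->kx = KX_UNKNOWN;
    ci->cipher = CIPHER_UNKNOWN;

    if (has_prefix(name, "ecdhe_"))
        ci->kx = KX_ECDHE;
    else if (has_prefix(name, "dhe_"))
        ci->kx = KX_DHE;
    else if (has_prefix(name, "rsa_"))
        ci->kx = KX_RSA;

    /* GCM names are checked first so "aes_128_gcm_sha_256" is not
     * misread as the CBC suite "aes_128_sha". */
    if (strstr(name, "aes_128_gcm"))
        ci->cipher = CIPHER_AES_128_GCM;
    else if (strstr(name, "aes_256_gcm"))
        ci->cipher = CIPHER_AES_256_GCM;
    else if (strstr(name, "aes_128_sha"))
        ci->cipher = CIPHER_AES_128_CBC;
    else if (strstr(name, "aes_256_sha"))
        ci->cipher = CIPHER_AES_256_CBC;
    else if (strstr(name, "rc4_128"))
        ci->cipher = CIPHER_RC4_128;
    else if (strstr(name, "3des"))
        ci->cipher = CIPHER_3DES;

    return ci->kx != KX_UNKNOWN && ci->cipher != CIPHER_UNKNOWN;
}

/* The policy from the thread: allow False Start only when every
 * negotiated parameter would still protect the early data even if an
 * attacker had forced this particular choice of parameters, i.e.
 * TLS 1.2, a forward-secret ECDHE exchange and an AES-GCM AEAD suite. */
bool can_false_start(const struct channel_info *ci)
{
    if (ci->version < TLS_1_2)
        return false;                       /* pre-1.2 has no AEAD suites */
    if (ci->kx != KX_ECDHE)
        return false;                       /* no forward secrecy */
    if (ci->cipher != CIPHER_AES_128_GCM && ci->cipher != CIPHER_AES_256_GCM)
        return false;                       /* CBC/RC4: not an AEAD */
    return true;
}

/* Decision for a negotiated version and a suite name; unknown suites
 * fail closed (wait for the server's Finished). */
bool can_false_start_with(enum tls_version version, const char *cipher_name)
{
    struct channel_info ci;
    ci.version = version;
    if (!parse_nss_cipher_name(cipher_name, &ci))
        return false;
    return can_false_start(&ci);
}

int main(void)
{
    /* Constructed sample of negotiated (version, suite) pairs. */
    static const struct { enum tls_version v; const char *name; } cases[] = {
        { TLS_1_2, "ecdhe_rsa_aes_128_gcm_sha_256" },  /* the thread's example */
        { TLS_1_2, "ecdhe_ecdsa_aes_128_gcm_sha_256" },
        { TLS_1_2, "ecdhe_rsa_aes_128_sha" },           /* CBC, not AEAD */
        { TLS_1_2, "rsa_aes_128_gcm_sha_256" },         /* no forward secrecy */
        { TLS_1_1, "ecdhe_rsa_aes_128_gcm_sha_256" },   /* version too old */
        { TLS_1_2, "rsa_rc4_128_sha" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-36s TLS 0x%04x -> %s\n", cases[i].name, (unsigned)cases[i].v,
               can_false_start_with(cases[i].v, cases[i].name)
                   ? "false start OK" : "wait for server Finished");
    return 0;
}
```

Only the first two rows of the sample pass. The fail-closed default in `can_false_start_with()` is the part worth keeping when adapting this: a suite the policy does not positively recognise should never be allowed to false start.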

I have pushed them:

https://github.com/bagder/curl/compare/a332922a52...1f651d1d4d

Thanks for the contribution!

I have come across some issues building with old versions of NSS in the
new release of curl (7.42.0). Whilst NSS has had the symbol
SSL_ENABLE_FALSE_START since version 3.12.8, some of the additional
symbols used in the false start support were introduced considerably
more recently:

SSL_SetCanFalseStartCallback - introduced in nss 3.15.4

SSL_LIBRARY_VERSION_TLS_1_2 - introduced in nss 3.15.1

This is causing compile errors for my Fedora 16 (nss 3.14.1), 17 (nss
3.14.3) and 18 (nss 3.15.3) builds.

I think the fix is probably to drop the false start support with nss <
3.15.4. Any other opinions/options?

Paul.

If SSL_SetCanFalseStartCallback() is the newest introduced symbol required
for the TLS False Start feature to work, we can add autoconf check for the
presence of that symbol in NSS libs, and #ifdef the code based on the result
of that check.  That would cover also the case where a downstream maintainer
cherry-picks the feature to an older version of NSS.

Works for me. I'm able to build with the attached patch, which should be adaptable to being an autoconf-based one instead of a version-number based one.

Paul.

The symbols required for TLS False Start support in libcurl were
introduced in different versions of nss:

  SSL_ENABLE_FALSE_START       - 3.12.8
  SSL_LIBRARY_VERSION_TLS_1_2  - 3.15.1
  SSL_SetCanFalseStartCallback - 3.15.4

In order to support TLS False Start safely, require at least nss 3.15.4

--- lib/vtls/nss.c
+++ lib/vtls/nss.c
@@ -724,6 +724,7 @@ static void HandshakeCallback(PRFileDesc
   }
 }
 
+#if NSSVERNUM >= 0x030f04 /* 3.15.4 */
 static SECStatus CanFalseStartCallback(PRFileDesc *sock, void *client_data,
                                        PRBool *canFalseStart)
 {
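Review bot: the guard added at the top of this hunk, `#if NSSVERNUM >= 0x030f04 /* 3.15.4 */`, keys the feature to an NSS version number, while the thread settled on detecting SSL_SetCanFalseStartCallback at configure time; a version test misses the case Kamil raised of a distribution that backports the callback to an older NSS, and this patch repeats the same magic number in four places. Suggest having configure define one macro (for instance a hypothetical HAVE_SSL_SETCANFALSESTARTCALLBACK set from an AC_CHECK_LIB probe of the NSS ssl library) and testing that here; if the version test must stay, define the condition once near the top of the file so the threshold lives in a single spot.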
@@ -781,6 +782,7 @@ static SECStatus CanFalseStartCallback(P
 end:
   return SECSuccess;
 }
+#endif
 
 static void display_cert_info(struct SessionHandle *data,
                               CERTCertificate *cert)
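Review bot: the bare `+#endif` closing CanFalseStartCallback() should carry a comment naming the condition it closes, `#endif /* NSSVERNUM >= 0x030f04 */`, as this file already does with `#endif /* USE_NSS */`; the matching `#if` is some sixty lines earlier and an unlabelled `#endif` is hard to pair with its opener when reading the function in isolation.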
@@ -1706,6 +1708,7 @@ static CURLcode nss_setup_connect(struct
     goto error;
 #endif
 
+#if NSSVERNUM >= 0x030f04 /* 3.15.4 */
 #ifdef SSL_ENABLE_FALSE_START
   if(data->set.ssl.falsestart) {
     if(SSL_OptionSet(connssl->handle, SSL_ENABLE_FALSE_START, PR_TRUE)
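Review bot: the new `#if NSSVERNUM >= 0x030f04` directly wraps an existing `#ifdef SSL_ENABLE_FALSE_START`, and because that symbol dates from 3.12.8 the inner test can never fail once the outer one holds; fold the two into one `#if defined(SSL_ENABLE_FALSE_START) && NSSVERNUM >= 0x030f04` (or the configure-defined macro) instead of nesting. Note also that on a build without support a runtime `data->set.ssl.falsestart` request is skipped silently at this point, so confirm that the option-setting path consults Curl_nss_false_start() and refuses the option up front, rather than the connection quietly proceeding without False Start.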
@@ -1717,6 +1720,7 @@ static CURLcode nss_setup_connect(struct
       goto error;
   }
 #endif
+#endif
 
 #if defined(SSL_ENABLE_NPN) || defined(SSL_ENABLE_ALPN)
   if(data->set.ssl_enable_npn || data->set.ssl_enable_alpn) {
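Review bot: this hunk leaves two consecutive unlabelled `#endif` lines, one for `SSL_ENABLE_FALSE_START` and the new one for the version guard; either label the added one (`#endif /* NSSVERNUM >= 0x030f04 */`) or, better, merge the two conditions into the single `#if` suggested for the previous hunk, in which case this extra `#endif` disappears altogether.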
@@ -1996,11 +2000,15 @@ bool Curl_nss_cert_status_request(void)
 }
 
 bool Curl_nss_false_start(void) {
+#if NSSVERNUM >= 0x030f04 /* 3.15.4 */
 #ifdef SSL_ENABLE_FALSE_START
   return TRUE;
 #else
   return FALSE;
 #endif
+#else
+  return FALSE;
+#endif
 }
 
 #endif /* USE_NSS */
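Review bot: the three-way nested conditional in Curl_nss_false_start() reduces to a single test, `#if defined(SSL_ENABLE_FALSE_START) && NSSVERNUM >= 0x030f04` returning TRUE and `#else` returning FALSE. What matters is that this condition stays identical to the one guarding the SSL_OptionSet() call in nss_setup_connect(): this function is how the rest of libcurl learns whether the option will actually take effect, and if the two conditions ever drift apart the option could be accepted but never applied. A single shared macro for the condition keeps them in lock-step.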
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html