On Thursday 23 April 2015 14:11:25 Paul Howarth wrote:
> On 22/04/15 17:42, Kamil Dudka wrote:
> > On Wednesday 22 April 2015 13:10:22 Paul Howarth wrote:
> >> On 22/04/15 13:03, Kamil Dudka wrote:
> >>> If SSL_SetCanFalseStartCallback() is the newest introduced symbol required
> >>> for the TLS False Start feature to work, we can add autoconf check for the
> >>> presence of that symbol in NSS libs, and #ifdef the code based on the
> >>> result of that check.  That would cover also the case where a downstream
> >>> maintainer cherry-picks the feature to an older version of NSS.
> >> 
> >> Works for me. I'm able to build with the attached patch, which should be
> >> adaptable to being an autoconf-based one instead of a version-number
> >> based one.
> >> 
> >> Paul.
> > 
> > Thanks for the patch!  Do we still need the #ifdef for
> > SSL_ENABLE_FALSE_START if the code is already #ifdef-ed based on the NSS
> > version?
> 
> Only the ones within the NSS-version #ifdef (not all are), and only if
> NSS upstream does not support building without TLS 1.2 support (I don't
> know if this is the case or not).
> 
> Paul.

Even if NSS had an option to disable TLS 1.2, I believe it would not hide
the define of SSL_LIBRARY_VERSION_TLS_1_2.  If TLS 1.2 was not implemented
by NSS, it would effectively disable the False Start feature but it should
not break the compilation.

Paul, could you please try whether the attached patch works for you?

Kamil
From 26f731598534a6d0ff3789b99b04609be8425a55 Mon Sep 17 00:00:00 2001
From: Paul Howarth <[email protected]>
Date: Thu, 23 Apr 2015 15:56:03 +0200
Subject: [PATCH] nss: fix compilation failure with old versions of NSS

Bug: http://curl.haxx.se/mail/lib-2015-04/0095.html
---
 lib/vtls/nss.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index daf12a9..5434ce3 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -725,6 +725,7 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg)
   }
 }
 
+#if NSSVERNUM >= 0x030f04 /* 3.15.4 */
 static SECStatus CanFalseStartCallback(PRFileDesc *sock, void *client_data,
                                        PRBool *canFalseStart)
 {
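
Review bot: The guard added in front of CanFalseStartCallback() is a version test (NSSVERNUM >= 0x030f04), so it does not cover the case raised earlier in this thread, where a downstream maintainer cherry-picks False Start into an older NSS; a configure-time check for SSL_SetCanFalseStartCallback would. The visible lines also do not show where NSSVERNUM is defined. An undefined identifier inside #if evaluates to 0, so if the macro is not defined before this point the callback is compiled out with no diagnostic. Please confirm the definition precedes line 725.
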
@@ -782,6 +783,7 @@ static SECStatus CanFalseStartCallback(PRFileDesc *sock, void *client_data,
 end:
   return SECSuccess;
 }
+#endif
 
 static void display_cert_info(struct SessionHandle *data,
                               CERTCertificate *cert)
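
Review bot: The #endif added after the end of CanFalseStartCallback() carries no comment, and the #if it closes sits almost sixty lines earlier. Suggest "#endif /* NSSVERNUM >= 0x030f04 */" so the pairing is visible to someone reading only the tail of the function.
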
@@ -1754,7 +1756,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
     goto error;
 #endif
 
-#ifdef SSL_ENABLE_FALSE_START
+#if NSSVERNUM >= 0x030f04 /* 3.15.4 */
   if(data->set.ssl.falsestart) {
     if(SSL_OptionSet(connssl->handle, SSL_ENABLE_FALSE_START, PR_TRUE)
         != SECSuccess)
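
Review bot: In nss_setup_connect() the guard no longer tests SSL_ENABLE_FALSE_START, although the SSL_OptionSet() call it protects still uses that macro, so compilation now relies on the version number alone implying that the macro exists. If that does not hold for every NSS build at 3.15.4 or later, keeping both conditions, "#if NSSVERNUM >= 0x030f04 && defined(SSL_ENABLE_FALSE_START)", costs nothing and keeps the build safe.
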
@@ -2049,7 +2051,7 @@ bool Curl_nss_cert_status_request(void)
 }
 
 bool Curl_nss_false_start(void) {
-#ifdef SSL_ENABLE_FALSE_START
+#if NSSVERNUM >= 0x030f04 /* 3.15.4 */
   return TRUE;
 #else
   return FALSE;
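
Review bot: Curl_nss_false_start() repeats the literal 0x030f04 for the third time in this patch, and its return value is only correct while this condition stays identical to the guards around CanFalseStartCallback() and the option setup in nss_setup_connect(). Consider defining a single feature macro once near the top of the file and testing it in all three places, so a later change to one threshold cannot leave this function returning TRUE while the setup code is compiled out.
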
-- 
2.3.5

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html