On Mar 28, 2013, at 6:05 AM, Jacek Caban wrote:

> --- a/dlls/secur32/schannel_macosx.c
> +++ b/dlls/secur32/schannel_macosx.c
> @@ -630,6 +630,11 @@ static OSStatus schan_push_adapter(SSLConnectionRef 
> transport, const void *buff,
>      return ret;
>  }
>  
> +DWORD schan_imp_enabled_protocols(void)
> +{
> +    /* NOTE: No support for TLS 1.1 and TLS 1.2 */
> +    return SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT;
> +}
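Review bot: the NOTE comment in schan_imp_enabled_protocols() says TLS 1.1 and TLS 1.2 are unsupported but not why or on which system versions, and the returned mask is a compile-time constant, so it cannot reflect what the framework actually offers at run time. Suggest expanding the comment to state the limitation it documents. Separately, the mask unconditionally includes SP_PROT_SSL2_CLIENT; SSL 2.0 is prohibited by RFC 6176, so it is worth confirming that advertising it here is intended.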

Mac OS X 10.8 introduced support for TLS 1.1 and 1.2.  You can test at build 
time with:

#if MAC_OS_X_VERSION_MAX_ALLOWED >= 1080
...
#else
...
#endif


If we want to support building on 10.8 for deployment to earlier versions, we'd 
do something like:

#if MAC_OS_X_VERSION_MAX_ALLOWED >= 1080
        SSLProtocol maxProtocol;
        if (SSLGetProtocolVersionMax != NULL &&
            SSLGetProtocolVersionMax(context, &maxProtocol) == noErr)
        {
                ... compare maxProtocol against kTLSProtocol11 and kTLSProtocol12 ...
        }
...
#else
...
#endif

The idea is that SSLGetProtocolVersionMax() would be weak linked, so we'd check 
if it was actually available before calling it.  Of course, the other 
complication is that that function requires a context parameter, but we can 
create one just for the query if we're interested in the framework capabilities 
(as opposed to what's been configured for a particular context).

-Ken
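
The weak-link fallback described in the message above, as an added example that is not part of the original message or of Wine's code. It assumes the weak-linked SSLGetProtocolVersionMax symbol can be modelled as a function pointer that is NULL on systems older than 10.8; `enabled_protocols`, `get_max_fn` and the `stub_*` functions are hypothetical names, and the constants are copied locally from Secure Transport's SSLProtocol enum and schannel.h so the block builds without those headers.

```c
#include <stddef.h>
#include <stdio.h>

/* Local copies of the SSLProtocol and SP_PROT_* values (assumption: this
 * stands in for including Security/SecureTransport.h and schannel.h). */
typedef enum { kSSLProtocolUnknown = 0, kTLSProtocol1 = 4,
               kTLSProtocol11 = 7, kTLSProtocol12 = 8 } SSLProtocol;
#define SP_PROT_SSL2_CLIENT   0x008UL
#define SP_PROT_SSL3_CLIENT   0x020UL
#define SP_PROT_TLS1_0_CLIENT 0x080UL
#define SP_PROT_TLS1_1_CLIENT 0x200UL
#define SP_PROT_TLS1_2_CLIENT 0x800UL

/* Hypothetical stand-in for the weak-linked symbol: NULL when unavailable. */
typedef int (*get_max_fn)(void *context, SSLProtocol *max);

unsigned long enabled_protocols(get_max_fn get_max, void *context)
{
    /* Baseline is the mask returned by the quoted patch. */
    unsigned long prots = SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT |
                          SP_PROT_TLS1_0_CLIENT;
    SSLProtocol max = kSSLProtocolUnknown;

    /* Call only if the symbol resolved and the query succeeded (0 == noErr). */
    if (get_max != NULL && get_max(context, &max) == 0) {
        /* Exact matches, so unrelated enum values never add TLS bits. */
        if (max == kTLSProtocol11 || max == kTLSProtocol12)
            prots |= SP_PROT_TLS1_1_CLIENT;
        if (max == kTLSProtocol12)
            prots |= SP_PROT_TLS1_2_CLIENT;
    }
    return prots;
}

/* Constructed stubs simulating a 10.8+ framework, a TLS 1.1 cap, and an error. */
int stub_max_tls12(void *c, SSLProtocol *m) { (void)c; *m = kTLSProtocol12; return 0; }
int stub_max_tls11(void *c, SSLProtocol *m) { (void)c; *m = kTLSProtocol11; return 0; }
int stub_failure(void *c, SSLProtocol *m)   { (void)c; (void)m; return -50; }

int main(void)
{
    printf("symbol missing: 0x%lx\n", enabled_protocols(NULL, NULL));
    printf("max TLS 1.2:    0x%lx\n", enabled_protocols(stub_max_tls12, NULL));
    printf("query failed:   0x%lx\n", enabled_protocols(stub_failure, NULL));
    return 0;
}
```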


