From 7ab0810c977cec1135d9b5bd85b012ca9e6173cc Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 29 Oct 2014 14:14:23 +0100
Subject: [PATCH 1/2] nss: drop the code for libcurl-level downgrade to SSLv3
This code was already deactivated by commit
ec783dc142129d3860e542b443caaa78a6172d56.
Upstream-commit: 3f430c9c3a4e3748bc075b633a9324c5037c9fe7
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 52 ----------------------------------------------------
1 file changed, 52 deletions(-)
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
9d7d3f |
index 36fa097..0691394 100644
|
|
|
9d7d3f |
--- a/lib/nss.c
|
|
|
9d7d3f |
+++ b/lib/nss.c
|
|
|
9d7d3f |
@@ -835,36 +835,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
|
|
|
9d7d3f |
return SECSuccess;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
-/* This function is supposed to decide, which error codes should be used
|
|
|
9d7d3f |
- * to conclude server is TLS intolerant.
|
|
|
9d7d3f |
- *
|
|
|
9d7d3f |
- * taken from xulrunner - nsNSSIOLayer.cpp
|
|
|
9d7d3f |
- */
|
|
|
9d7d3f |
-static PRBool
|
|
|
9d7d3f |
-isTLSIntoleranceError(PRInt32 err)
|
|
|
9d7d3f |
-{
|
|
|
9d7d3f |
- switch (err) {
|
|
|
9d7d3f |
- case SSL_ERROR_BAD_MAC_ALERT:
|
|
|
9d7d3f |
- case SSL_ERROR_BAD_MAC_READ:
|
|
|
9d7d3f |
- case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
|
|
|
9d7d3f |
- case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:
|
|
|
9d7d3f |
- case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE:
|
|
|
9d7d3f |
- case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:
|
|
|
9d7d3f |
- case SSL_ERROR_NO_CYPHER_OVERLAP:
|
|
|
9d7d3f |
- case SSL_ERROR_BAD_SERVER:
|
|
|
9d7d3f |
- case SSL_ERROR_BAD_BLOCK_PADDING:
|
|
|
9d7d3f |
- case SSL_ERROR_UNSUPPORTED_VERSION:
|
|
|
9d7d3f |
- case SSL_ERROR_PROTOCOL_VERSION_ALERT:
|
|
|
9d7d3f |
- case SSL_ERROR_RX_MALFORMED_FINISHED:
|
|
|
9d7d3f |
- case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE:
|
|
|
9d7d3f |
- case SSL_ERROR_DECODE_ERROR_ALERT:
|
|
|
9d7d3f |
- case SSL_ERROR_RX_UNKNOWN_ALERT:
|
|
|
9d7d3f |
- return PR_TRUE;
|
|
|
9d7d3f |
- default:
|
|
|
9d7d3f |
- return PR_FALSE;
|
|
|
9d7d3f |
- }
|
|
|
9d7d3f |
-}
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
/* update blocking direction in case of PR_WOULD_BLOCK_ERROR */
|
|
|
9d7d3f |
static void nss_update_connecting_state(ssl_connect_state state, void *secret)
|
|
|
9d7d3f |
{
|
|
|
9d7d3f |
@@ -1236,10 +1206,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
|
|
|
9d7d3f |
switch (data->set.ssl.version) {
|
|
|
9d7d3f |
default:
|
|
|
9d7d3f |
case CURL_SSLVERSION_DEFAULT:
|
|
|
9d7d3f |
- if(data->state.ssl_connect_retry) {
|
|
|
9d7d3f |
- infof(data, "TLS disabled due to previous handshake failure\n");
|
|
|
9d7d3f |
- sslver->max = SSL_LIBRARY_VERSION_3_0;
|
|
|
9d7d3f |
- }
|
|
|
9d7d3f |
return CURLE_OK;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
case CURL_SSLVERSION_TLSv1:
|
|
|
9d7d3f |
@@ -1293,12 +1259,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
|
|
|
9d7d3f |
struct SessionHandle *data,
|
|
|
9d7d3f |
CURLcode curlerr)
|
|
|
9d7d3f |
{
|
|
|
9d7d3f |
- SSLVersionRange sslver;
|
|
|
9d7d3f |
PRErrorCode err = 0;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- /* reset the flag to avoid an infinite loop */
|
|
|
9d7d3f |
- data->state.ssl_connect_retry = FALSE;
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
if(is_nss_error(curlerr)) {
|
|
|
9d7d3f |
/* read NSPR error code */
|
|
|
9d7d3f |
err = PR_GetError();
|
|
|
9d7d3f |
@@ -1315,17 +1277,6 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
|
|
|
9d7d3f |
/* cleanup on connection failure */
|
|
|
9d7d3f |
Curl_llist_destroy(connssl->obj_list, NULL);
|
|
|
9d7d3f |
connssl->obj_list = NULL;
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
- if((SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
|
|
|
9d7d3f |
- && (sslver.min == SSL_LIBRARY_VERSION_3_0)
|
|
|
9d7d3f |
- && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
|
|
|
9d7d3f |
- && isTLSIntoleranceError(err)) {
|
|
|
9d7d3f |
- /* schedule reconnect through Curl_retry_request() */
|
|
|
9d7d3f |
- data->state.ssl_connect_retry = TRUE;
|
|
|
9d7d3f |
- infof(data, "Error in TLS handshake, trying SSLv3...\n");
|
|
|
9d7d3f |
- return CURLE_OK;
|
|
|
9d7d3f |
- }
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
return curlerr;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
@@ -1434,9 +1385,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
|
|
9d7d3f |
infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
|
|
|
9d7d3f |
#endif
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- /* reset the flag to avoid an infinite loop */
|
|
|
9d7d3f |
- data->state.ssl_connect_retry = FALSE;
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
if(data->set.ssl.cipher_list) {
|
|
|
9d7d3f |
if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
|
|
|
9d7d3f |
curlerr = CURLE_SSL_CIPHER;
--
2.1.0
From e21cf86258c3cc2042dfb531cbf94ce2f5405d8c Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 29 Oct 2014 14:24:54 +0100
Subject: [PATCH 2/2] transfer: drop the code handling the ssl_connect_retry
flag
Its last use has been removed by the previous commit.
Upstream-commit: 276741af4ddebe0cc0d446712fb8dfdf0c140e7b
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/transfer.c | 12 ++++--------
lib/urldata.h | 3 ---
2 files changed, 4 insertions(+), 11 deletions(-)
diff --git a/lib/transfer.c b/lib/transfer.c
|
|
|
9d7d3f |
index 330b37a..dff6838 100644
|
|
|
9d7d3f |
--- a/lib/transfer.c
|
|
|
9d7d3f |
+++ b/lib/transfer.c
|
|
|
9d7d3f |
@@ -1269,8 +1269,6 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)
|
|
|
9d7d3f |
data->state.errorbuf = FALSE; /* no error has occurred */
|
|
|
9d7d3f |
data->state.httpversion = 0; /* don't assume any particular server version */
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- data->state.ssl_connect_retry = FALSE;
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
data->state.authproblem = FALSE;
|
|
|
9d7d3f |
data->state.authhost.want = data->set.httpauth;
|
|
|
9d7d3f |
data->state.authproxy.want = data->set.proxyauth;
|
|
|
9d7d3f |
@@ -1848,12 +1846,10 @@ CURLcode Curl_retry_request(struct connectdata *conn,
|
|
|
9d7d3f |
!(conn->handler->protocol&(CURLPROTO_HTTP|CURLPROTO_RTSP)))
|
|
|
9d7d3f |
return CURLE_OK;
|
|
|
9d7d3f |
|
|
|
9d7d3f |
- if(/* workaround for broken TLS servers */ data->state.ssl_connect_retry ||
|
|
|
9d7d3f |
- ((data->req.bytecount +
|
|
|
9d7d3f |
- data->req.headerbytecount == 0) &&
|
|
|
9d7d3f |
- conn->bits.reuse &&
|
|
|
9d7d3f |
- !data->set.opt_no_body &&
|
|
|
9d7d3f |
- data->set.rtspreq != RTSPREQ_RECEIVE)) {
|
|
|
9d7d3f |
+ if((data->req.bytecount + data->req.headerbytecount == 0) &&
|
|
|
9d7d3f |
+ conn->bits.reuse &&
|
|
|
9d7d3f |
+ !data->set.opt_no_body &&
|
|
|
9d7d3f |
+ (data->set.rtspreq != RTSPREQ_RECEIVE)) {
|
|
|
9d7d3f |
/* We got no data, we attempted to re-use a connection and yet we want a
|
|
|
9d7d3f |
"body". This might happen if the connection was left alive when we were
|
|
|
9d7d3f |
done using it before, but that was closed when we wanted to read from
|
|
|
9d7d3f |
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
|
9d7d3f |
index c91bcff..04f590d 100644
|
|
|
9d7d3f |
--- a/lib/urldata.h
|
|
|
9d7d3f |
+++ b/lib/urldata.h
|
|
|
9d7d3f |
@@ -1288,9 +1288,6 @@ struct UrlState {
|
|
|
9d7d3f |
} proto;
|
|
|
9d7d3f |
/* current user of this SessionHandle instance, or NULL */
|
|
|
9d7d3f |
struct connectdata *current_conn;
|
|
|
9d7d3f |
-
|
|
|
9d7d3f |
- /* if true, force SSL connection retry (workaround for certain servers) */
|
|
|
9d7d3f |
- bool ssl_connect_retry;
|
|
|
9d7d3f |
};
--
2.1.0