Permalink
Browse files

nss: Fall back to latest supported SSL version

NSS may be built without support for the latest SSL/TLS versions,
leading to "SSL version range is not valid" errors when the library
code supports a recent version (e.g. TLS v1.3) but it has explicitly
been disabled.

This change adjusts the maximum SSL version requested by libcurl to
be the maximum supported version at runtime, as long as that version
is at least as high as the minimum version required by libcurl.

Fixes #3261
  • Loading branch information...
Paul Howarth
Paul Howarth committed Dec 3, 2018
1 parent 847b130 commit 0751db515a4272e6bd965da45aaa2d27f55f6537
Showing with 9 additions and 0 deletions.
  1. +9 −0 lib/vtls/nss.c
@@ -1776,6 +1776,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CURLcode result;
bool second_layer = FALSE;
SSLVersionRange sslver_supported;

SSLVersionRange sslver = {
SSL_LIBRARY_VERSION_TLS_1_0, /* min */
@@ -1832,6 +1833,14 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
/* enable/disable the requested SSL version(s) */
if(nss_init_sslver(&sslver, data, conn) != CURLE_OK)
goto error;
if(SSL_VersionRangeGetSupported(ssl_variant_stream,
&sslver_supported) != SECSuccess)
goto error;
if(sslver_supported.max < sslver.max && sslver_supported.max >= sslver.min) {
infof(data, "Falling back (from %d) to max supported SSL version (%d)\n",
sslver.max, sslver_supported.max);
sslver.max = sslver_supported.max;
}
if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
goto error;

0 comments on commit 0751db5

Please sign in to comment.