On 20/03/15 19:29, Kamil Dudka wrote:
On Monday 09 March 2015 14:34:31 Alessandro Ghedini wrote:
Hello,
I updated the checks as Kamil suggested. Now False Start is only used with
TLS 1.2, ECDHE and AES GCM like in newer Firefox versions. This kind of
reduces the False Start usability, since NSS doesn't enable ECC ciphers by
default and they need to be manually selected like so:
$ src/curl -v https://ghedini.me --ciphers ecdhe_rsa_aes_128_gcm_sha_256 --false-start
But this may change in the future I suppose. Also, AFAICT NSS doesn't
support AES 256 GCM, so there's that too, but I guess that in most servers
if AES 256 is enabled, AES 128 will be as well.
See attached patches.
Cheers
I have pushed them:
https://github.com/bagder/curl/compare/a332922a52...1f651d1d4d
Thanks for the contribution!
I have come across some issues building with old versions of NSS in the
new release of curl (7.42.0). Whilst NSS has had the symbol
SSL_ENABLE_FALSE_START since version 3.12.8, some of the additional
symbols used in the false start support were introduced considerably
more recently:
SSL_SetCanFalseStartCallback - introduced in nss 3.15.4
SSL_LIBRARY_VERSION_TLS_1_2 - introduced in nss 3.15.1
This is causing compile errors for my Fedora 16 (nss 3.14.1), 17 (nss
3.143) and 18 (nss 3.15.3) builds.
I think the fix is probably to drop the false start support with nss <
3.15.4. Any other opinions/options?
Paul.
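
The version gating proposed above, as an added example that is not part of the original thread and is not curl's code: it packs the NSS version into one integer and checks it against the introduction versions listed in the message. `VERNUM`, `EXAMPLE_HAVE_FALSE_START`, `missing_symbols` and the fallback 3.15.3 values are assumptions for illustration; `NSS_VMAJOR`, `NSS_VMINOR` and `NSS_VPATCH` are the version macros from NSS's `nss.h`.

```c
#include <stdio.h>

/* Pack major.minor.patch into one comparable integer (3.15.4 -> 0x030f04). */
#define VERNUM(maj, min, pat) (((maj) << 16) | ((min) << 8) | (pat))

/* Constructed stand-ins so this builds without NSS; a real build gets them from <nss.h>. */
#ifndef NSS_VMAJOR
#define NSS_VMAJOR 3
#define NSS_VMINOR 15
#define NSS_VPATCH 3
#endif

/* Hypothetical feature macro: set only when every required symbol exists. */
#if VERNUM(NSS_VMAJOR, NSS_VMINOR, NSS_VPATCH) >= VERNUM(3, 15, 4)
#define EXAMPLE_HAVE_FALSE_START 1
#else
#define EXAMPLE_HAVE_FALSE_START 0
#endif

/* Symbols and the NSS release that introduced each, as listed in the message. */
struct sym_req { const char *name; int maj, min, pat; };
static const struct sym_req false_start_syms[] = {
  { "SSL_ENABLE_FALSE_START",       3, 12, 8 },
  { "SSL_LIBRARY_VERSION_TLS_1_2",  3, 15, 1 },
  { "SSL_SetCanFalseStartCallback", 3, 15, 4 },
};
#define NSYMS (sizeof(false_start_syms) / sizeof(false_start_syms[0]))

/* Count required symbols absent from NSS maj.min.pat (0 = buildable); names go to out if non-NULL. */
static int missing_symbols(int maj, int min, int pat, const char **out)
{
  int n = 0;
  for(size_t i = 0; i < NSYMS; i++) {
    const struct sym_req *s = &false_start_syms[i];
    if(VERNUM(maj, min, pat) < VERNUM(s->maj, s->min, s->pat)) {
      if(out) out[n] = s->name;
      n++;
    }
  }
  return n;
}

int main(void)
{
  const char *miss[NSYMS];
  int n = missing_symbols(NSS_VMAJOR, NSS_VMINOR, NSS_VPATCH, miss);
  printf("false start compiled in: %d\n", EXAMPLE_HAVE_FALSE_START);
  for(int i = 0; i < n; i++) printf("missing: %s\n", miss[i]);
}
```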