On Wednesday 22 April 2015 12:38:44 Paul Howarth wrote: > On 20/03/15 19:29, Kamil Dudka wrote: > > On Monday 09 March 2015 14:34:31 Alessandro Ghedini wrote: > >> Hello, > >> > >> I updated the checks as Kamil suggested. Now False Start is only used > >> with > >> TLS 1.2, ECDHE and AES GCM like in newer firefox versions. This kind of > >> reduces the False Start usability, since NSS doesn't enable ECC ciphers > >> by > >> default and they > >> > >> need to manually selected like so: > >>> $ src/curl -v https://ghedini.me --ciphers ecdhe_rsa_aes_128_gcm_sha_256 > >>> --false-start > >> > >> But this may change in the future I suppose. Also, AFAICT NSS doesn't > >> support AES 256 GCM, so there's that too, but I guess that in most > >> servers > >> if AES 256 is enabled, AES 128 will be as well. > >> > >> See attached patches. > >> > >> Cheers > > > > I have pushed them: > > > > https://github.com/bagder/curl/compare/a332922a52...1f651d1d4d > > > > Thanks for the contribution! > > I have come across some issues building with old versions of NSS in the > new release of curl (7.42.0). Whilst NSS has had the symbol > SSL_ENABLE_FALSE_START since version 3.12.8, some of the additional > symbols used in the false start support were introduced considerably > more recently: > > SSL_SetCanFalseStartCallback - introduced in nss 3.15.4 > > SSL_LIBRARY_VERSION_TLS_1_2 - introduced in nss 3.15.1 > > This is causing compile errors for my Fedora 16 (nss 3.14.1), 17 (nss > 3.143) and 18 (nss 3.15.3) builds. > > I think the fix is probably to drop the false start support with nss < > 3.15.4. Any other opinions/options? > > Paul.
If SSL_SetCanFalseStartCallback() is the newest introduced symbol required for the TLS False Start feature to work, we can add autoconf check for the presence of that symbol in NSS libs, and #ifdef the code based on the result of that check. That would cover also the case where a downstream maintainer cherry-picks the feature to an older version of NSS. Kamil ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
