nss: drop the code for libcurl-level downgrade to SSLv3
authorKamil Dudka <kdudka@redhat.com>
Wed, 29 Oct 2014 13:14:23 +0000 (14:14 +0100)
committerKamil Dudka <kdudka@redhat.com>
Wed, 29 Oct 2014 13:34:46 +0000 (14:34 +0100)
This code was already deactivated by commit
ec783dc142129d3860e542b443caaa78a6172d56.

lib/vtls/nss.c

index d7dd98055a4906ef2ea98deb88f1c7e966e1b840..8161b434d0f2c7b0e96128a9293b87494fa6f9e3 100644 (file)
@@ -935,36 +935,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
   return SECSuccess;
 }
 
-/* This function is supposed to decide, which error codes should be used
- * to conclude server is TLS intolerant.
- *
- * taken from xulrunner - nsNSSIOLayer.cpp
- */
-static PRBool
-isTLSIntoleranceError(PRInt32 err)
-{
-  switch (err) {
-  case SSL_ERROR_BAD_MAC_ALERT:
-  case SSL_ERROR_BAD_MAC_READ:
-  case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
-  case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:
-  case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE:
-  case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:
-  case SSL_ERROR_NO_CYPHER_OVERLAP:
-  case SSL_ERROR_BAD_SERVER:
-  case SSL_ERROR_BAD_BLOCK_PADDING:
-  case SSL_ERROR_UNSUPPORTED_VERSION:
-  case SSL_ERROR_PROTOCOL_VERSION_ALERT:
-  case SSL_ERROR_RX_MALFORMED_FINISHED:
-  case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE:
-  case SSL_ERROR_DECODE_ERROR_ALERT:
-  case SSL_ERROR_RX_UNKNOWN_ALERT:
-    return PR_TRUE;
-  default:
-    return PR_FALSE;
-  }
-}
-
 /* update blocking direction in case of PR_WOULD_BLOCK_ERROR */
 static void nss_update_connecting_state(ssl_connect_state state, void *secret)
 {
@@ -1396,12 +1366,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
                                  struct SessionHandle *data,
                                  CURLcode curlerr)
 {
-  SSLVersionRange sslver;
   PRErrorCode err = 0;
 
-  /* reset the flag to avoid an infinite loop */
-  data->state.ssl_connect_retry = FALSE;
-
   if(is_nss_error(curlerr)) {
     /* read NSPR error code */
     err = PR_GetError();
@@ -1418,18 +1384,6 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
   /* cleanup on connection failure */
   Curl_llist_destroy(connssl->obj_list, NULL);
   connssl->obj_list = NULL;
-
-  if(connssl->handle
-      && (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
-      && (sslver.min == SSL_LIBRARY_VERSION_3_0)
-      && (sslver.max != SSL_LIBRARY_VERSION_3_0)
-      && isTLSIntoleranceError(err)) {
-    /* schedule reconnect through Curl_retry_request() */
-    data->state.ssl_connect_retry = TRUE;
-    infof(data, "Error in TLS handshake, trying SSLv3...\n");
-    return CURLE_OK;
-  }
-
   return curlerr;
 }
 
@@ -1550,9 +1504,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
     infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
 #endif
 
-  /* reset the flag to avoid an infinite loop */
-  data->state.ssl_connect_retry = FALSE;
-
   if(data->set.ssl.cipher_list) {
     if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
       curlerr = CURLE_SSL_CIPHER;