- Kamil Dudka brought a patch that enables 6 additional crypto algorithms when

  NSS is used. These ciphers were added in NSS 3.4 and require to be enabled
  explicitly.

diff --git a/CHANGES b/CHANGES
index 8c5230532bd81573550b1f995c1d749b800d6ef3..66b24f71979cc69e8e79e9c817f12c4e3d7eb684 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@
 
                                   Changelog
 
+Daniel Stenberg (18 Mar 2009)
+- Kamil Dudka brought a patch that enables 6 additional crypto algorithms when
+  NSS is used. These ciphers were added in NSS 3.4 and require to be enabled
+  explicitly.
+ 
 Daniel Stenberg (13 Mar 2009)
 - Use libssh2_version() to present the libssh2 version in case the libssh2
   library is found to support it.

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 6323e36c2f0ed4a84c0f5403c02e9c6ad154abd0..b27798696ddccbb9f69936ae705e2f48ffa06451 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -22,6 +22,7 @@ This release includes the following bugfixes:
  o curl_easy_duphandle() failed to duplicate cookies at times
  o missing TELNET timeout support in Windows builds
  o missing Curl_read() and write callback result checking in TELNET transfers
+ o more ciphers enabled in libcurl built to use NSS
 
 This release includes the following known bugs:
 
@@ -31,6 +32,7 @@ This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
  Daniel Fandrich, Yang Tse, David James, Chris Deidun, Bill Egert,
- Andre Guibert de Bruet, Andreas Farber, Frank Hempel, Pierre Brico
+ Andre Guibert de Bruet, Andreas Farber, Frank Hempel, Pierre Brico,
+ Kamil Dudka
 
         Thanks! (and sorry if I forgot to mention someone)

diff --git a/lib/nss.c b/lib/nss.c
index ce9e0da5f727ae3dc8b41387793c607373d1decc..373c2839019376ca1bf491e2ceeff18c6d4194da 100644 (file)
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -162,6 +162,18 @@ static const cipher_s cipherlist[] = {
 #endif
 };
 
+/* following ciphers are new in NSS 3.4 and not enabled by default, therefor
+   they are enabled explicitly */
+static const int enable_ciphers_by_default[] = {
+  TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+  TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+  TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+  TLS_RSA_WITH_AES_128_CBC_SHA,
+  TLS_RSA_WITH_AES_256_CBC_SHA,
+  SSL_NULL_WITH_NULL_NULL
+};
+
 #ifdef HAVE_PK11_CREATEGENERICOBJECT
 static const char* pem_library = "libnsspem.so";
 #endif
@@ -954,6 +966,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 #endif
   char *certDir = NULL;
   int curlerr;
+  const int *cipher_to_enable;
 
   curlerr = CURLE_SSL_CONNECT_ERROR;
 
@@ -1057,6 +1070,16 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
     goto error;
 
+  /* enable all ciphers from enable_ciphers_by_default */
+  cipher_to_enable = enable_ciphers_by_default;
+  while (SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
+    if (SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {
+      curlerr = CURLE_SSL_CIPHER;
+      goto error;
+    }
+    cipher_to_enable++;
+  }
+
   if(data->set.ssl.cipher_list) {
     if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
       curlerr = CURLE_SSL_CIPHER;