Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-14 13:55:43 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 343230, When retrying on TLS intolerance sites, use SSL v2 compatible hellos

Browse Source 
r=rrelyea
This commit is contained in:
kaie%kuix.de 2006-07-01 03:11:21 +00:00
parent e6dde96640
commit d1d616ab33
1 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
security/manager/ssl/src/nsNSSIOLayer.cpp
View File

@ -2494,9 +2494,20 @@ nsSSLIOLayerSetOptions(PRFileDesc *fd, PRBool forSTARTTLS,
nsCAutoString key;
key = nsDependentCString(host) + NS_LITERAL_CSTRING(":") + nsPrintfCString("%d", port);
if (nsSSLIOLayerHelpers::isKnownAsIntolerantSite(key) &&
SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS, PR_FALSE)) {
return NS_ERROR_FAILURE;
if (nsSSLIOLayerHelpers::isKnownAsIntolerantSite(key)) {
if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS, PR_FALSE))
return NS_ERROR_FAILURE;
// We assume that protocols that use the STARTTLS mechanism should support
// modern hellos. For other protocols, if we suspect a site
// does not support TLS, let's also use V2 hellos.
// One advantage of this approach, if a site only supports the older
// hellos, it is more likely that we will get a reasonable error code
// on our single retry attempt.
if (!forSTARTTLS &&
SECSuccess != SSL_OptionSet(fd, SSL_V2_COMPATIBLE_HELLO, PR_TRUE))
return NS_ERROR_FAILURE;
}
if (SECSuccess != SSL_OptionSet(fd, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE)) {