secur32: Take schannel backend capabilities into account when configuring enabled protocols.

Jacek Caban jacek at codeweavers.com
Fri Mar 29 04:50:04 CDT 2013


Hi Ken,

On 03/28/13 20:31, Ken Thomases wrote:
> On Mar 28, 2013, at 6:05 AM, Jacek Caban wrote:
>
>> --- a/dlls/secur32/schannel_macosx.c
>> +++ b/dlls/secur32/schannel_macosx.c
>> @@ -630,6 +630,11 @@ static OSStatus schan_push_adapter(SSLConnectionRef transport, const void *buff,
>>      return ret;
>>  }
>>  
>> +DWORD schan_imp_enabled_protocols(void)
>> +{
>> +    /* NOTE: No support for TLS 1.1 and TLS 1.2 */
>> +    return SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT;
>> +}
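Review bot: the hard-coded mask in schan_imp_enabled_protocols cannot be right for every Mac OS X release the library may run on, since the NOTE "No support for TLS 1.1 and TLS 1.2" only describes older frameworks; consider querying the framework at run time (or at least gating the extra bits on the OS version) instead of returning a constant, and make the comment say which versions the constant reflects. Also worth stating in that comment that only the *_CLIENT bits are reported, so a reader does not take the missing server bits as an oversight.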
> Mac OS X 10.8 introduced support for TLS 1.1 and 1.2.  You can test at build time with:
>
> #if MAC_OS_X_VERSION_MAX_ALLOWED >= 1080
> ...
> #else
> ...
> #endif
>
>
> If we want to support building on 10.8 for deployment to earlier versions, we'd do something like:
>
> #if MAC_OS_X_VERSION_MAX_ALLOWED >= 1080
> 	SSLProtocol maxProtocol;
> 	if (SSLGetProtocolVersionMax != NULL && SSLGetProtocolVersionMax(context, &maxProtocol) == noErr)
> 	{
> 		... compare maxProtocol against kTLSProtocol11 and kTLSProtocol12 ...
> 	}
> ...
> #else
> ...
> #endif

Thanks for the pointers, I've been meaning to explore it as a follow-up.
My problem is that I'm still on 10.6 with Xcode 3.2. Would you mind
taking care of the patch?

> The idea is that SSLGetProtocolVersionMax() would be weak linked, so we'd check if it was actually available before calling it.  Of course, the other complication is that that function requires a context parameter, but we can create one just for the query if we're interested in the framework capabilities (as opposed to what's been configured for a particular context).

Yes, in this case we're only interested in framework capabilities. We
should determine the protocols used for a given context ourselves, based on
the caller's requested protocols and configuration, and pass that to the
framework. Setting up the framework is not implemented yet; I have patches
for that which I want to test a bit more before sending.

Thanks,
Jacek
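The scheme discussed in this thread (probe the framework's maximum protocol through a weak-linked SSLGetProtocolVersionMax, fall back to the fixed 10.6/10.7 set when the symbol is absent, then intersect the caller's request with that capability mask) as an added, self-contained example. This is not Wine code and not the patch under review: the SP_PROT_* bits copy the Windows sspi.h layout, the SSLProtocol enumerators are reproduced as plain constants so the file builds outside Mac OS X, the weak-linked symbol is modelled as a function pointer that may be NULL, and the "defaults" set used when the caller passes 0 is an assumption.

```c
/* Added example, not Wine's schannel backend.  Models the capability probe
 * and the request/capability intersection discussed above on any platform. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint32_t DWORD;

/* Client-side protocol bits, laid out as in Windows sspi.h. */
#define SP_PROT_SSL2_CLIENT   0x00000008
#define SP_PROT_SSL3_CLIENT   0x00000020
#define SP_PROT_TLS1_0_CLIENT 0x00000080
#define SP_PROT_TLS1_1_CLIENT 0x00000200
#define SP_PROT_TLS1_2_CLIENT 0x00000800

/* SecureTransport SSLProtocol values, assumed from SecureTransport.h so the
 * example builds without the Apple headers. */
typedef enum {
    kSSLProtocolUnknown = 0,
    kSSLProtocol2       = 1,
    kSSLProtocol3       = 2,
    kTLSProtocol1       = 4,
    kTLSProtocol11      = 7,
    kTLSProtocol12      = 8
} SSLProtocol;

typedef int OSStatus;
#define noErr 0

/* Stand-in for the weak-linked SSLGetProtocolVersionMax(): a NULL pointer
 * plays the role of "symbol not present at run time" (pre-10.8 framework).
 * ctx would be a throwaway SSLContextRef created only for this query. */
typedef OSStatus (*get_max_fn)(void *ctx, SSLProtocol *max_proto);

/* Capability mask of the backend: the fixed 10.6/10.7 set, extended with
 * TLS 1.1/1.2 only when the framework itself reports them as its maximum. */
static DWORD schan_imp_enabled_protocols(get_max_fn get_max, void *ctx)
{
    DWORD caps = SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT;
    SSLProtocol max_proto = kSSLProtocolUnknown;

    /* Symbol missing or query failed: stay with the conservative set rather
     * than advertising protocols the framework may not be able to speak. */
    if (get_max == NULL || get_max(ctx, &max_proto) != noErr)
        return caps;

    if (max_proto >= kTLSProtocol11) caps |= SP_PROT_TLS1_1_CLIENT;
    if (max_proto >= kTLSProtocol12) caps |= SP_PROT_TLS1_2_CLIENT;
    return caps;
}

/* What to actually configure on a context: the caller's request (0 meaning
 * "use the defaults", an assumed default set here) intersected with the
 * capabilities.  An empty result is returned as 0 so the caller can fail the
 * handshake instead of silently negotiating something the caller excluded. */
static DWORD schan_effective_protocols(DWORD requested, DWORD caps)
{
    const DWORD defaults = SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT |
                           SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT;
    if (requested == 0)
        requested = defaults;
    return requested & caps;
}

/* Constructed probes standing in for the real framework call. */
static OSStatus probe_max_tls12(void *ctx, SSLProtocol *m) { (void)ctx; *m = kTLSProtocol12; return noErr; }
static OSStatus probe_max_tls10(void *ctx, SSLProtocol *m) { (void)ctx; *m = kTLSProtocol1;  return noErr; }

int main(void)
{
    DWORD old_caps = schan_imp_enabled_protocols(NULL, NULL);            /* 10.6/10.7 */
    DWORD new_caps = schan_imp_enabled_protocols(probe_max_tls12, NULL); /* 10.8+ */

    printf("pre-10.8 caps : 0x%03x\n", old_caps);
    printf("10.8 caps     : 0x%03x\n", new_caps);
    printf("TLS1.2 on old : 0x%03x\n",
           schan_effective_protocols(SP_PROT_TLS1_2_CLIENT, old_caps));
    printf("defaults, TLS1.0 max: 0x%03x\n",
           schan_effective_protocols(0, schan_imp_enabled_protocols(probe_max_tls10, NULL)));
    return 0;
}
```

The point of returning 0 from schan_effective_protocols rather than substituting a weaker protocol is that a caller which asked for TLS 1.2 only should get an error on a framework that cannot provide it, not an SSL 3.0 connection.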



More information about the wine-devel mailing list