secur32: Take schannel backend capabilities into account when configuring enabled protocols.

Ken Thomases ken at codeweavers.com
Thu Mar 28 14:31:07 CDT 2013


On Mar 28, 2013, at 6:05 AM, Jacek Caban wrote:

> --- a/dlls/secur32/schannel_macosx.c
> +++ b/dlls/secur32/schannel_macosx.c
> @@ -630,6 +630,11 @@ static OSStatus schan_push_adapter(SSLConnectionRef transport, const void *buff,
>      return ret;
>  }
>  
> +DWORD schan_imp_enabled_protocols(void)
> +{
> +    /* NOTE: No support for TLS 1.1 and TLS 1.2 */
> +    return SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT;
> +}
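Review bot: The return value in the new schan_imp_enabled_protocols() is a compile-time constant, and the NOTE above it states the TLS 1.1/1.2 limit without saying which system versions it applies to, so the mask silently goes stale once the backend can negotiate more. Either build the mask from what the backend reports at run time, or scope the comment to the versions it was checked against so the next reader knows when to revisit it.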

Mac OS X 10.8 introduced support for TLS 1.1 and 1.2.  You can test at build time with:

#if MAC_OS_X_VERSION_MAX_ALLOWED >= 1080
...
#else
...
#endif


If we want to support building on 10.8 for deployment to earlier versions, we'd do something like:

#if MAC_OS_X_VERSION_MAX_ALLOWED >= 1080
	SSLProtocol maxProtocol;
	if (SSLGetProtocolVersionMax != NULL && SSLGetProtocolVersionMax(context, &maxProtocol) == noErr)
	{
		... compare maxProtocol against kTLSProtocol11 and kTLSProtocol12 ...
	}
...
#else
...
#endif

The idea is that SSLGetProtocolVersionMax() would be weak linked, so we'd check if it was actually available before calling it.  Of course, the other complication is that that function requires a context parameter, but we can create one just for the query if we're interested in the framework capabilities (as opposed to what's been configured for a particular context).

-Ken
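
The run-time check sketched in the message above, carried through to a protocol mask, as an added example that is not part of the original message or of Wine's code. It assumes a stand-in enum and a function pointer in place of the weak-linked SSLGetProtocolVersionMax(), so it builds without the Security framework; proto_t, max_proto_fn, enabled_protocols and the backend_* helpers are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* SP_PROT_* client flags, values as defined in schannel.h. */
#define SP_PROT_SSL2_CLIENT   0x00000008u
#define SP_PROT_SSL3_CLIENT   0x00000020u
#define SP_PROT_TLS1_0_CLIENT 0x00000080u
#define SP_PROT_TLS1_1_CLIENT 0x00000200u
#define SP_PROT_TLS1_2_CLIENT 0x00000800u

/* Stand-in for the backend's protocol enum (hypothetical; only ordering matters). */
typedef enum { PROTO_TLS10 = 1, PROTO_TLS11, PROTO_TLS12 } proto_t;

/* Stand-in for a weak-linked query function: the pointer is NULL when the
 * running system does not export the symbol. Returns 0 on success. */
typedef int (*max_proto_fn)(proto_t *out);

unsigned enabled_protocols(max_proto_fn query)
{
    /* Baseline from the patch: protocols every supported system provides. */
    unsigned mask = SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT;
    proto_t max;

    /* Symbol missing or query failed: keep the baseline, never advertise
     * a protocol the backend has not confirmed. */
    if (query == NULL || query(&max) != 0)
        return mask;

    if (max >= PROTO_TLS11) mask |= SP_PROT_TLS1_1_CLIENT;
    if (max >= PROTO_TLS12) mask |= SP_PROT_TLS1_2_CLIENT;
    return mask;
}

/* Constructed backends for the demonstration. */
static int backend_tls12(proto_t *out) { *out = PROTO_TLS12; return 0; }
static int backend_tls11(proto_t *out) { *out = PROTO_TLS11; return 0; }
static int backend_error(proto_t *out) { (void)out; return -1; }

int main(void)
{
    printf("symbol absent: 0x%x\n", enabled_protocols(NULL));
    printf("query failed:  0x%x\n", enabled_protocols(backend_error));
    printf("max TLS 1.1:   0x%x\n", enabled_protocols(backend_tls11));
    printf("max TLS 1.2:   0x%x\n", enabled_protocols(backend_tls12));
    return 0;
}
```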



