On Mar 28, 2013, at 6:05 AM, Jacek Caban wrote:
--- a/dlls/secur32/schannel_macosx.c +++ b/dlls/secur32/schannel_macosx.c @@ -630,6 +630,11 @@ static OSStatus schan_push_adapter(SSLConnectionRef transport, const void *buff, return ret; }
+DWORD schan_imp_enabled_protocols(void) +{
- /* NOTE: No support for TLS 1.1 and TLS 1.2 */
- return SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT;
+}
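Review bot: the mask returned by schan_imp_enabled_protocols() includes SP_PROT_SSL2_CLIENT, so SSL 2.0 is reported as enabled alongside SSL 3.0 and TLS 1.0. SSL 2.0 is prohibited by RFC 6176, so consider dropping it from the default set or leaving it to explicit opt-in. The NOTE comment also says TLS 1.1 and TLS 1.2 are unsupported without saying what that limit depends on; naming the condition there would make it clear when SP_PROT_TLS1_1_CLIENT and SP_PROT_TLS1_2_CLIENT can be added to the mask.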
Mac OS X 10.8 introduced support for TLS 1.1 and 1.2. You can test at build time with:
    #if MAC_OS_X_VERSION_MAX_ALLOWED >= 1080
        ...
    #else
        ...
    #endif
If we want to support building on 10.8 for deployment to earlier versions, we'd do something like:
    #if MAC_OS_X_VERSION_MAX_ALLOWED >= 1080
        SSLProtocol maxProtocol;
        if (SSLGetProtocolVersionMax != NULL &&
            SSLGetProtocolVersionMax(context, &maxProtocol) == noErr)
        {
            ... compare maxProtocol against kTLSProtocol11 and kTLSProtocol12 ...
        }
        ...
    #else
        ...
    #endif
The idea is that SSLGetProtocolVersionMax() would be weak linked, so we'd check if it was actually available before calling it. Of course, the other complication is that that function requires a context parameter, but we can create one just for the query if we're interested in the framework capabilities (as opposed to what's been configured for a particular context).
-Ken
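
The runtime check described in the reply above, as an added example that is not part of the original message or of Wine's code. It models the weak-linked SSLGetProtocolVersionMax as a nullable function pointer so it builds without Security.framework; enabled_protocols, get_max_fn, BASELINE and the three stubs are hypothetical names, and the constants are local stand-ins for the schannel.h and SecureTransport.h values.

```c
#include <stddef.h>
#include <stdio.h>
/* Stand-ins so this builds without schannel.h or Security.framework.
 * SP_PROT_* values follow Windows schannel.h; the SSLProtocol constants
 * follow SecureTransport.h, where only their ordering matters here. */
typedef unsigned int DWORD;
typedef int OSStatus;
enum { noErr = 0 };
#define SP_PROT_SSL2_CLIENT   0x00000008
#define SP_PROT_SSL3_CLIENT   0x00000020
#define SP_PROT_TLS1_0_CLIENT 0x00000080
#define SP_PROT_TLS1_1_CLIENT 0x00000200
#define SP_PROT_TLS1_2_CLIENT 0x00000800
typedef enum { kTLSProtocol1 = 4, kTLSProtocol11 = 7, kTLSProtocol12 = 8 } SSLProtocol;

/* Hypothetical: a weak-linked symbol has a NULL address on an OS that lacks
 * it, which is modelled here as a nullable function pointer. */
typedef OSStatus (*get_max_fn)(void *context, SSLProtocol *max);

/* Baseline mask is the one returned by the quoted patch. */
#define BASELINE (SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT)

DWORD enabled_protocols(get_max_fn get_max, void *context)
{
    DWORD mask = BASELINE;
    SSLProtocol max;

    /* Check availability first; only then trust the reported maximum. */
    if (get_max != NULL && get_max(context, &max) == noErr) {
        if (max >= kTLSProtocol11) mask |= SP_PROT_TLS1_1_CLIENT;
        if (max >= kTLSProtocol12) mask |= SP_PROT_TLS1_2_CLIENT;
    }
    return mask; /* symbol missing or query failed: baseline only */
}

/* Constructed stubs standing in for the framework on different systems. */
static OSStatus max_tls12(void *c, SSLProtocol *m) { (void)c; *m = kTLSProtocol12; return noErr; }
static OSStatus max_tls11(void *c, SSLProtocol *m) { (void)c; *m = kTLSProtocol11; return noErr; }
static OSStatus query_fails(void *c, SSLProtocol *m) { (void)c; (void)m; return -50; }

int main(void)
{
    printf("symbol absent: 0x%x\n", enabled_protocols(NULL, NULL));
    printf("max TLS 1.2:   0x%x\n", enabled_protocols(max_tls12, NULL));
    printf("max TLS 1.1:   0x%x\n", enabled_protocols(max_tls11, NULL));
    printf("query fails:   0x%x\n", enabled_protocols(query_fails, NULL));
    return 0;
}
```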