
CURLOPT_SSL_CIPHER_LIST example in the docs

From: Jeffrey Walton via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 12 Dec 2022 12:58:52 -0500

Hi Everyone,

Re: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html

I'm not sure this is a good example of CURLOPT_SSL_CIPHER_LIST. The
example uses "TLSv1", which is probably a better example for
CURLOPT_SSLVERSION.

    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "TLSv1");
    ret = curl_easy_perform(curl);
    curl_easy_cleanup(curl);

I think the example would be more useful if it supplied something more
practical, like the following:

    const char cipher_suites[] =
        "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, cipher_suites);
    ret = curl_easy_perform(curl);
    curl_easy_cleanup(curl);

The cipher suites list has several benefits to users:

  * selects High strength TLS ciphers.
  * removes RSA key transport (!kRSA), but keeps RSA authentication (auRSA).
  * removes unneeded cipher suites, like PSK and SRP.
  * removes some weak and wounded algorithms, like MD5 and RC4.
  * facilitates a very small ClientHello, with 50 ciphers or so.

Jeff
Received on 2022-12-12
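
The properties listed in the mail above can be checked locally before shipping a cipher string. The following is an added example, not part of the original message or the curl documentation: it expands the proposed string with Python's `ssl` module and audits the result. It assumes both Python and libcurl are built against OpenSSL, whose cipher-list syntax they then share; the function names are hypothetical, and the suite count depends on the local OpenSSL version.

```python
import ssl
from collections import Counter

# Cipher string proposed in the mail (OpenSSL cipher-list syntax).
PROPOSED = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4"

def expand(cipher_string):
    """Return the suites the local OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()        # TLS 1.3 suites are always included

def violations(suites):
    """List (suite, reason) pairs that contradict the mail's bullet points."""
    found = []
    for s in suites:
        kea = (s.get("kea") or "").lower()
        auth = (s.get("auth") or "").lower()
        sym = (s.get("symmetric") or "").lower()
        digest = (s.get("digest") or "").lower()  # None for AEAD suites
        if kea == "kx-rsa":
            found.append((s["name"], "RSA key transport"))
        if auth == "auth-null":
            found.append((s["name"], "anonymous (no authentication)"))
        if "psk" in kea or "psk" in auth:
            found.append((s["name"], "PSK"))
        if "srp" in kea or "srp" in auth:
            found.append((s["name"], "SRP"))
        if digest == "md5":
            found.append((s["name"], "MD5"))
        if sym.startswith("rc4"):
            found.append((s["name"], "RC4"))
    return found

def key_exchange_summary(suites):
    """Count suites per key-exchange family, e.g. kx-ecdhe, kx-dhe, kx-any."""
    return Counter(s.get("kea") for s in suites)

if __name__ == "__main__":
    suites = expand(PROPOSED)
    print(len(suites), "suites enabled")
    print(dict(key_exchange_summary(suites)))
    for name, reason in violations(suites):
        print("UNEXPECTED:", name, reason)
```

Running the same audit over the string an application actually passes to CURLOPT_SSL_CIPHER_LIST shows whether RSA key transport or other unwanted suites are still enabled.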