curl-users
Re: SSLv2 still being used in 7.19.2?
Date: Wed, 11 Feb 2009 07:47:53 +0100 (CET)
On Tue, 10 Feb 2009, Frank BASKER wrote:
> I thought SSLv2 was disabled from 7.18.1 onwards
> The following trace shows SSLv2 being used for the initial handshake
> did I miss something?
It is disabled by default. What you're seeing is an artifact of what libcurl
does due to limitations in the OpenSSL API!
For 'default' connections to a server running some sort of SSL/TLS, libcurl
uses the SSLv23_method() function because it is documented to work with SSLv2,
SSLv3 and TLSv1 and no other existing *_method() that OpenSSL has mentions
this. Also, OpenSSL's docs says "This is the best choice when compatibility is
a concern.".
After that call has succeeded, we explicitly disable SSLv2 for the cases where
you haven't explicitly asked for it. It basically means that we use that
function call only to remain open for the server being SSLv3 or TLSv1.
This method of procedure is documented here:
http://www.openssl.org/docs/ssl/SSL_CTX_new.html#
-- / daniel.haxx.se ------------------------------------------------------------------- List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users FAQ: http://curl.haxx.se/docs/faq.html Etiquette: http://curl.haxx.se/mail/etiquette.htmlReceived on 2009-02-11