Re: How to permanently disable ciphers in curl command line.

From: Ray Satiro via curl-users <curl-users_at_cool.haxx.se>
Date: Sun, 17 Jul 2016 02:53:27 -0400

On 7/16/2016 6:08 PM, Spork Schivago wrote:
> Is there a way to disable it system wide? For example, is there a
> config file somewhere that curl reads from or something where I can
> specifically say --ciphers 'ALL:!SHA!:!MD5:!aNULL' so they're never
> used by default? Or would I have to download the source file and
> custom build curl and its library?

Put the cipher list in ~/.curlrc, but the format depends on which SSL
backend you are using. For OpenSSL you could use the default cipher
selection in curl 7.49.1 [1].

cipher = "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"

For NSS it's difficult because there's no "ALL". You might be able to do
something like this:

cipher = "ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,dhe_rsa_aes_128_gcm_sha_256,rsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_256_sha,ecdhe_rsa_aes_256_sha,dhe_rsa_aes_256_sha,dhe_rsa_aes_256_sha256,dhe_dss_aes_256_sha,rsa_aes_256_sha,aes_256_sha_256,ecdhe_ecdsa_aes_128_sha,ecdhe_rsa_aes_128_sha,dhe_rsa_aes_128_sha,dhe_rsa_aes_128_sha256,dhe_dss_aes_128_sha,rsa_aes_128_sha,aes_128_sha_256,dhe_rsa_3des_sha,dhe_dss_3des_sha,rsa_3des_sha"

But you might not because your curl is so old it may not recognize half
that (it depends whether the package maintainers are updating the cipher
list). And if the cipher test result doesn't change or curl returns
error 56 cipher selection failed then I don't know if it's possible with
NSS in your version.

[1]: https://github.com/curl/curl/blob/curl-7_49_1/lib/vtls/openssl.h#L119-L120

Received on 2016-07-17
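
The reply above says the ~/.curlrc cipher format depends on the SSL backend. The following is an added example, not part of the original message or of curl itself: a shell check that reads the first line of `curl --version`, extracts the cipher line from a curlrc, and reports whether its syntax fits the backend. The function names are hypothetical, the sample inputs are constructed, and the format test is a heuristic derived only from the two cipher strings shown in the message.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample inputs are constructed.
LC_ALL=C; export LC_ALL

# Name the SSL backend from the first line of `curl --version` output.
detect_backend() {
    case "$1" in
        *" NSS/"*)     echo nss ;;
        *" OpenSSL/"*) echo openssl ;;
        *)             echo unknown ;;
    esac
}

# Read curlrc text on stdin; print the value of the last cipher option.
# Accepts "cipher" (as written in the message) or "ciphers", optional
# leading dashes, a space, "=" or ":" separator, and optional quotes.
curlrc_cipher() {
    sed -n -E 's/^[[:space:]]*(--)?ciphers?[[:space:]]*[[:space:]=:][[:space:]]*"?([^"]*)"?[[:space:]]*$/\2/p' | tail -n 1
}

# Heuristic syntax check based on the two formats shown in the message:
# OpenSSL strings use ":" lists with "!" and "@" operators, the NSS list
# is comma-separated lowercase names joined by underscores.
check_format() {
    [ -n "$2" ] || { echo unset; return; }
    case "$1" in
        openssl) case "$2" in
                     *[a-z]_[a-z0-9]*) echo mismatch ;;
                     *) echo ok ;;
                 esac ;;
        nss)     case "$2" in
                     *:*|*!*|*@*) echo mismatch ;;
                     *) echo ok ;;
                 esac ;;
        *)       echo unknown ;;
    esac
}

# Usage: audit_curlrc "<first line of curl --version>" < curlrc
audit_curlrc() {
    backend=$(detect_backend "$1")
    echo "$backend $(check_format "$backend" "$(curlrc_cipher)")"
}

# Constructed sample: an NSS-backed curl with an OpenSSL-style cipher line.
SAMPLE_VERSION='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7'
SAMPLE_CURLRC='cipher = "ALL:!EXPORT:!aNULL:!LOW:!RC4:@STRENGTH"'
printf '%s\n' "$SAMPLE_CURLRC" | audit_curlrc "$SAMPLE_VERSION"   # nss mismatch
```

On a real system the call would be `audit_curlrc "$(curl --version | head -n 1)" < ~/.curlrc`; a result of "ok" only means the syntax fits the backend, not that every listed cipher is recognized by that curl build.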