Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: Having trouble building curl from source
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Jeffrey Walton via curl-users <curl-users_at_cool.haxx.se>
Date: Sun, 21 Mar 2021 07:18:50 -0400
On Sun, Mar 21, 2021 at 6:46 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Sun, 21 Mar 2021, Jeffrey Walton wrote:
>
> > Are you saying cURL now disables EDG, SSLv2 and SSLv3?
>
> I'm suggeseting that if you have those things enabled in your TLS library,
> you're runnig something old and outdated and you should consider upgrading.
>
> I would probably even claim it is irresponsible to have them enabled so curl
> should probably disable them by default and insist on some extra option to
> enabled them. But I don't think this is a widespread issue.
Be careful of setting policy, like always enable SSLv2 or SSLv3 if the
underlying ssl lib provides it. Or, always disable SSLv2 or SSLv3 even
if the underlying ssl lib provides it.
Giving users a choice with a sane default is a good idea. Like disable
SSLv2 and SSLv3 by default, and make a user do something special to
enable it.
As far as I know, cURL does not provide a --disable-sslv2 or
--disable-sslv3 option (or the enable options), so there's no way to
disable it without the configure ac_cv_func options. Or it did not in
the past.
Jeff
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2021-03-21
Date: Sun, 21 Mar 2021 07:18:50 -0400
On Sun, Mar 21, 2021 at 6:46 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Sun, 21 Mar 2021, Jeffrey Walton wrote:
>
> > Are you saying cURL now disables EDG, SSLv2 and SSLv3?
>
> I'm suggeseting that if you have those things enabled in your TLS library,
> you're runnig something old and outdated and you should consider upgrading.
>
> I would probably even claim it is irresponsible to have them enabled so curl
> should probably disable them by default and insist on some extra option to
> enabled them. But I don't think this is a widespread issue.
Be careful of setting policy, like always enable SSLv2 or SSLv3 if the
underlying ssl lib provides it. Or, always disable SSLv2 or SSLv3 even
if the underlying ssl lib provides it.
Giving users a choice with a sane default is a good idea. Like disable
SSLv2 and SSLv3 by default, and make a user do something special to
enable it.
As far as I know, cURL does not provide a --disable-sslv2 or
--disable-sslv3 option (or the enable options), so there's no way to
disable it without the configure ac_cv_func options. Or it did not in
the past.
Jeff
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2021-03-21