Re: curl with openssl not honoring MaxProtocol in openssl conf
From: Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>
Date: Tue, 3 Jan 2023 17:14:26 +0100 (CET)
On Tue, 3 Jan 2023, Andreas Hasenack via curl-users wrote:

> Tl;DR: it looks like curl isn't respecting openssl's MaxProtocol[1].

This was not done on purpose, but I am also not entirely sure we can or should
do much about it now.

For curl users, I think it is important that we document how it works and that
it works as documented. I believe curl works as documented when it comes to
TLS versions.

curl supports numerous different TLS backends but we try hard to make that
invisible to users. OpenSSL is a popular choice, but not at all the only one.
Users should not have to care about what TLS library powers curl.

The code that selects what TLS versions to use exists in libcurl and it uses
the dedicated OpenSSL API for this purpose. The documentation for this API
says nothing about the openssl config file or how it interacts with that
config file etc. It is not clear to me how we can set our desired TLS version
preferences while at the same time respect the wishes of the config file.

No documentation for curl or libcurl indicates that the OpenSSL config file can
be used to set TLS version limits.
--
 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html

Received on 2023-01-03
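Since the message above says curl picks its TLS versions in libcurl rather than from the OpenSSL config file, a deployment that wants curl to follow that file's `MaxProtocol` has to pass the limit to curl itself. The following is an added example, not code from this thread or from the curl project: it resolves `MaxProtocol` from an OpenSSL config and turns it into curl's `--tls-max` option. The function names and the sample config are constructed for illustration, and `.include` files and `$variable` expansion are not handled.

```python
import configparser

# OpenSSL protocol names -> value accepted by curl's --tls-max option
CURL_TLS_MAX = {"TLSv1": "1.0", "TLSv1.1": "1.1", "TLSv1.2": "1.2", "TLSv1.3": "1.3"}

# Constructed sample in the usual distro layout; not taken from the thread.
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.2   # the limit the thread reports curl does not honor
"""

def system_default(cnf_text):
    """Follow openssl_conf -> ssl_conf -> system_default; return that section as a dict."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                   inline_comment_prefixes=("#",), interpolation=None,
                                   strict=False, allow_no_value=True)
    cp.optionxform = str  # keep the case of command names such as MaxProtocol
    # Keys before the first [header] belong to OpenSSL's unnamed default section.
    cp.read_string("[default]\n" + cnf_text)
    section = "default"
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        nxt = cp.get(section, key, fallback=None)
        if not nxt or not cp.has_section(nxt):
            return {}  # chain is broken: no system-wide SSL defaults configured
        section = nxt
    return dict(cp[section])

def curl_tls_max_args(cnf_text):
    """Return curl arguments that restate the config's MaxProtocol explicitly."""
    proto = system_default(cnf_text).get("MaxProtocol")
    if proto is None:
        return []  # no upper limit configured
    if proto not in CURL_TLS_MAX:
        raise ValueError(f"no --tls-max equivalent for {proto!r}")
    return ["--tls-max", CURL_TLS_MAX[proto]]

if __name__ == "__main__":
    print(" ".join(["curl"] + curl_tls_max_args(SAMPLE_CNF) + ["https://example.com/"]))
```

In a libcurl application the same limit is expressed with `CURLOPT_SSLVERSION` and one of the `CURL_SSLVERSION_MAX_*` values.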