Re: TLS extensions enabled by default in OpenSSL 0.9.8j (fwd)

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sun, 25 Jan 2009 13:33:31 +0100 (CET)

Hey guys,

I'm interested in feedback on how to deal with this new quirk in OpenSSL.

It seems they now enable a feature by default that makes it fail as a client
to connect to old versions of itself as a server!

I would prefer to avoid a new setopt option to alter this, but can we really
come up with a way to do it any other way?

(This mail is simply my response from the users list, forwarded over where I
think we can discuss technical solutions better.)

-- 
  / daniel.haxx.se
---------- Forwarded message ----------
Date: Thu, 22 Jan 2009 19:48:00 +0100 (CET)
From: Daniel Stenberg <daniel_at_haxx.se>
Reply-To: the curl tool <curl-users_at_cool.haxx.se>
To: the curl tool <curl-users_at_cool.haxx.se>
Subject: Re: TLS extensions enabled by default in OpenSSL 0.9.8j
On Thu, 22 Jan 2009, Sharad Gupta wrote:
> Are there any plans on being able to pass the "-no_ticket" option that has 
> been introduced in OpenSSL 0.9.8j? It's basically a flag to disable TLS 
> extensions which are enabled by default in the 0.9.8j release of OpenSSL.
I had trouble finding info on this topic, so I thought I might help others by 
mentioning that -no_ticket disables "rfc4507bis session ticket support". 
rfc4507bis was later turned into the proper RFC5077 it seems:
    http://tools.ietf.org/html/rfc5077
> If I try to use the new openssl library with curl, I am not able to connect 
> to SSL enabled HTTP sites using TLSv1. I can only use SSLv3 in that case. And 
> as it stands, there is no way that I can tell curl to pass the "no_ticket" 
> option to openssl.
Ironically enough, it seems servers using older OpenSSL 0.9.7 versions are showing 
this problem.
If I understand things right, the following is a work-around:
diff -u -r1.214 ssluse.c
--- lib/ssluse.c	21 Jan 2009 04:42:47 -0000	1.214
+++ lib/ssluse.c	22 Jan 2009 18:51:03 -0000
@@ -1386,7 +1386,7 @@
       implementations is desired."
    */
-  SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);
+  SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL|SSL_OP_NO_TICKET);
    /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
    if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
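Review bot: the new SSL_OP_NO_TICKET bit is set unconditionally, so every libcurl connection stops offering RFC 5077 session tickets, giving up ticket-based resumption even with servers that handle the extension correctly, and the comment just above this hunk (ending "implementations is desired.") still describes only SSL_OP_ALL. Suggest extending that comment to record that the ticket extension is disabled as an interop workaround for servers that reject it, and wrapping the flag in `#ifdef SSL_OP_NO_TICKET` so the file still compiles against OpenSSL headers that predate the macro.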
-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
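A small diagnostic, added here and not part of this thread or of curl/OpenSSL: it parses a TLS ClientHello record and reports whether the client advertises the RFC 5077 SessionTicket extension (type 0x0023), which is exactly what "-no_ticket" / SSL_OP_NO_TICKET stops a 0.9.8j client from sending. The two hello records are constructed samples (fixed zero random, one cipher suite), so the script runs offline; on a real capture you would feed it the first record of the client's connection.

```python
import struct

SESSION_TICKET_EXT = 0x0023  # RFC 5077 SessionTicket extension type


def build_client_hello(extensions, version=b"\x03\x01"):
    """Construct a minimal TLSv1 ClientHello record (sample data, not a capture).
    `extensions` is a list of (type, data) pairs; [] emits no extensions block,
    which is what a pre-extension client (or -no_ticket with nothing else) sends."""
    body = version + bytes(32)                        # client_version + all-zero random
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"        # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                               # one compression method: null
    if extensions:
        blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(blob)) + blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def client_hello_extensions(record):
    """Return {ext_type: ext_data} for the ClientHello inside a TLS record.
    Returns {} when the hello carries no extensions block at all."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                               # client_version + random
    pos += 1 + hello[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + hello[pos]                                      # compression_methods
    if pos >= len(hello):
        return {}                                              # legacy hello, no extensions
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    if end > len(hello):
        raise ValueError("truncated extensions block")
    pos, exts = pos + 2, {}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        exts[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def advertises_session_ticket(record):
    """True when the client offers session tickets (the 0.9.8j default behaviour)."""
    return SESSION_TICKET_EXT in client_hello_extensions(record)


# Constructed samples: a 0.9.8j-style hello with an empty SessionTicket extension,
# and the same hello as it looks once the extension is suppressed.
HELLO_WITH_TICKET = build_client_hello([(SESSION_TICKET_EXT, b"")])
HELLO_NO_TICKET = build_client_hello([])
```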
Received on 2009-01-25