cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [libmicrohttpd] SSL handshake fails between libcurl and libgnutls/MHD

From: Nikos Mavrogiannopoulos <nmav_at_gnutls.org>
Date: Tue, 24 Jan 2012 00:07:48 +0100

On 01/23/2012 11:51 PM, Nikos Mavrogiannopoulos wrote:

> You cannot. SSL 3.0 and TLS 1.0 are vulnerable to this attack. TLS 1.1
> and later versions aren't. There are hacks to mitigate the impact (only
> on the outgoing packets), but were removed from gnutls once TLS 1.1 was
> introduced (because they were causing issues with old servers).

Note however that the combination of the cipher ARCFOUR with SSL 3.0 and
TLS 1.0 is not vulnerable to these attacks. Thus a string to use when
SSL 3.0 is required could be
"NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128".

regards,
Nikos

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-01-24

This message: [ Message body ]
Next message: Daniel Stenberg: "Re: [libmicrohttpd] SSL handshake fails between libcurl and libgnutls/MHD"
Previous message: Nikos Mavrogiannopoulos: "Re: [libmicrohttpd] SSL handshake fails between libcurl and libgnutls/MHD"
In reply to: Nikos Mavrogiannopoulos: "Re: [libmicrohttpd] SSL handshake fails between libcurl and libgnutls/MHD"
Next in thread: Daniel Stenberg: "Re: [libmicrohttpd] SSL handshake fails between libcurl and libgnutls/MHD"
Reply: Daniel Stenberg: "Re: [libmicrohttpd] SSL handshake fails between libcurl and libgnutls/MHD"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]