Re: [libmicrohttpd] SSL handshake fails between libcurl and libgnutls/MHD

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 24 Jan 2012 00:03:57 +0100 (CET)

On Mon, 23 Jan 2012, Nikos Mavrogiannopoulos wrote:

>> please tell me how I can ask GnuTLS to use SSL 3.0 _without_ being
>> vulnerable to something like the "beast" attack?
>
> You cannot. SSL 3.0 and TLS 1.0 are vulnerable to this attack. TLS 1.1 and
> later versions aren't. There are hacks to mitigate the impact (only on the
> outgoing packets), but were removed from gnutls once TLS 1.1 was introduced
> (because they were causing issues with old servers).

Ah, ok then I understand it better. I thought you still had that ability for
those who'd still use one of the older SSL versions.

I've corrected the used string now in libcurl and it will be included in the
upcoming release that is due to ship within 24 hours.

>> I have read the priority string section of the manual but I must be
>> equipped with lesser brain cells than the humans that chapter is aimed for.
>
> Could you point me to what was not clear to you? That way it would be easier
> for me to elaborate or rewrite parts.

It's not easy to tell what makes documentation hard to read or to understand.
That syntax format is very large and probably very competent, but all I wanted
was to find a string that would tell gnutls to use (or prefer) SSL3 and I
thought I did. Sorry for not being able to describe it better.

-- 
  / daniel.haxx.se
Received on 2012-01-24