
curl-library

Re: Libxurl use only TLSv1_2

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Mon, 29 Apr 2013 14:03:53 -0600

On Apr 29, 2013, at 1:15 PM, Indtiny s <indtiny_at_gmail.com> wrote:

> I have compiled libcurl with openssl. When I tried for some TLS handshake,
>
> curl is trying to send both the versions, i.e. TLSv1 and TLSv1.2.
>
> How to make curl start the handshake with TLSv1.2 only?

If I'm reading that screen shot correctly, it appears that OpenSSL asked the server for a TLS 1.2 session, but the server downgraded to 1.0. I'm not surprised; TLS 1.2 support is actually quite rare among servers, because as of now, only one Web browser (Safari, in iOS 5 and Mountain Lion) uses it, and there hasn't been a major security hole in TLS 1.0 yet that couldn't be worked around, so most servers don't support TLS 1.1 or 1.2 yet.

If the server is accessible on the public Internet, then you can use Qualys' server security tester to verify whether or not the server supports TLS 1.2: <https://www.ssllabs.com/ssltest/index.html>

If my suspicion is correct, then I wouldn't worry too much. TLS 1.2 is neat, but 1.0 is generally secure as long as compression is turned off (which libcurl turns off) and the library splits packets when using a CBC cipher (which I'm pretty sure OpenSSL does).

> curl_easy_setopt(curl, CURLOPT_SSLVERSION,CURL_SSLVERSION_TLSv1_2);
> but CURL_SSLVERSION_TLSv1_2 is not defined in curl 7.28.1

That's because, when libcurl is configured to use TLSv1, it will automatically use the highest version number supported by your TLS library, and downgrade to TLS 1.0 if the server doesn't support 1.1 or 1.2. There's no separate option here because, until a serious problem is found in 1.0, there doesn't need to be a separate option.

Nick Zitzmann
<http://www.chronosnet.com/>

Received on 2013-04-29
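
Added example (not part of the original mail and not libcurl code): one way to confirm from captured handshake bytes the downgrade the reply suspects, by comparing the version the client offered in its ClientHello with the version the server chose in its ServerHello. It assumes a TLS 1.2-or-earlier handshake with each hello at the start of its record; the function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return the version field of a handshake message (1 = ClientHello,
 * 2 = ServerHello) at the start of one TLS record, or 0 if the buffer is
 * not such a record. Layout: record header type(1) version(2) length(2),
 * handshake header msg_type(1) length(3), then the 2-byte version. */
static uint16_t hello_version(const uint8_t *rec, size_t len, uint8_t msg_type)
{
    if (len < 11 || rec[0] != 0x16)          /* 0x16 = handshake record */
        return 0;
    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
    if (rec_len < 6 || rec_len > len - 5 || rec[5] != msg_type)
        return 0;
    return (uint16_t)((rec[9] << 8) | rec[10]);
}

/* 1 = server chose a lower version than the client offered,
 * 0 = no downgrade, -1 = one of the messages could not be parsed. */
static int tls_downgraded(const uint8_t *ch, size_t ch_len,
                          const uint8_t *sh, size_t sh_len)
{
    uint16_t offered = hello_version(ch, ch_len, 1);
    uint16_t chosen  = hello_version(sh, sh_len, 2);
    if (offered == 0 || chosen == 0)
        return -1;
    return chosen < offered;
}

/* Constructed sample records, cut off after the version field. The
 * record-layer version (bytes 1-2) is a separate field from the
 * handshake version (bytes 9-10) that is compared here. */
static const uint8_t sample_client_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x06,            /* record header */
    0x01, 0x00, 0x00, 0x02,                  /* ClientHello, length 2 */
    0x03, 0x03 };                            /* offers TLS 1.2 */
static const uint8_t sample_server_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x06,            /* record header */
    0x02, 0x00, 0x00, 0x02,                  /* ServerHello, length 2 */
    0x03, 0x01 };                            /* chooses TLS 1.0 */

int main(void)
{
    printf("downgraded: %d\n",
           tls_downgraded(sample_client_hello, sizeof sample_client_hello,
                          sample_server_hello, sizeof sample_server_hello));
    return 0;
}
```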