cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: weak cipher suites with OpenSSL, SecureTransport and... ?

From: Marc Hoersken <info_at_marc-hoersken.de>
Date: Sat, 22 Feb 2014 17:03:56 +0100

Am 22.02.2014 16:04, schrieb Marc Hoersken:
> After pushing the change on the 31th of January, I did now notice that
> there seems to be a problem with stunnel and Schannel while using
> TLSv1.2. Disabling it and only allowing SSLv3, TLSv1.0 and TLSv1.1 on
> either site (stunnel config or Internet Explorer options) avoids the issue.
>
> ...
>
> So there seems to be an incompatibility between the stunnel and Schannel
> implementations of TLSv1.2.

I found the reason for this incompatibility to be the MD5 hash algorithm
used for the signature of the self-signed test certificate.
Schannel's implementation of TLSv1.2 does not accept certificates with
signatures which are based upon the MD5 hash algorithm. [1]

In order to fix the issue within the testsuite, I regenerated the
certificate using a SHA1 hash and pushed it to the repository. [2]
I also added a note regarding the impact of the previous changes to the
defaults of WinSSL to the release notes. [3]

 [1]
http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx
 [2]
https://github.com/bagder/curl/commit/b5486adc9bb335818e501b925544dcd6b3fd92e4
 [3]
https://github.com/bagder/curl/commit/e08d0662b7b6e22d0f09b445141fd7827ae68478
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-02-22