curl-library

Re: About CURLOPT_SSLVERSION

From: Dobromir Velev <diadomraz_at_gmail.com>
Date: Mon, 28 Apr 2014 18:35:11 +0300

This is an OpenSSL issue. After 1.0.1 there were several changes which
cause problems during the TLS/SSL Handshake with certain servers.
Suggestions for workarounds vary from disabling TLS1.2 to limiting the cipher
list. I personally force an SSL3 handshake whenever such a server is
encountered.

Dobromir

On Sun, Apr 6, 2014 at 3:47 AM, Nick Zitzmann <nick_at_chronosnet.com> wrote:

>
> On Apr 5, 2014, at 10:21 AM, Woods <woods.biz_at_gmail.com> wrote:
>
> > I understand CURLOPT_SSLVERSION has default value
> > CURL_SSLVERSION_DEFAULT - This will attempt to figure out the remote
> > SSL protocol version, i.e. either SSLv3 or TLSv1.
> >
> > However, I do encounter a HTTPS connection, that gives me
> > CURLE_SSL_CONNECT_ERROR for easy perform, and I need to set
> > CURL_SSLVERSION_SSLv3 to make it work properly.
> >
> > What I wish to find out is whether curl can do this protocol adaptation
> > automatically as specified by CURL_SSLVERSION_DEFAULT. Or do I miss
> > something in the code? Thanks.
>
> CURLOPT_SSLVERSION_DEFAULT tells the TLS library to use its highest
> supported TLS version at the maximum and SSLv3 at the minimum. If it's not
> downgrading to SSLv3, then either one of these two things (or both) is true:
>
> 1. The server you are accessing is buggy and will not graciously downgrade
> from TLS 1.0/1.1/1.2 to SSLv3.
> 2. The back-end you are using isn't properly configuring SSLv3 when
> CURLOPT_SSLVERSION_DEFAULT is in use (assuming the back-end is not axTLS,
> which does not support SSLv3).
>
> What back-end are you using? I haven't experienced this problem with
> either OpenSSL or Secure Transport. Are you able to connect to this site
> using some other client, e.g. Firefox?
>
> Nick Zitzmann
> <http://www.chronosnet.com/>
>
>
>
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>

-- 
Dobromir Velev
---------------------------------------------------------------------------
"Never attribute to malice that which can be
adequately explained by stupidity"

Received on 2014-04-28