curl-library

Re: SSLv3 fallback attack POODLE

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Thu, 16 Oct 2014 09:53:57 +0200

On Thu, Oct 16, 2014 at 07:30:39AM +0000, Bruno Thomsen wrote:
> From a security aspect SSLv3 should be dropped completely due to its many weaknesses.
> I think it would be a good move to follow in the footsteps of libressl.
> Legacy systems are most likely also using an old version of curl.

That's probably the right response. Ideally, we could provide an option like
--ssl-allow-beast to allow SSL3.0 if absolutely necessary, but if this were
hidden behind a compile-time option instead, I wouldn't be too upset. It's
irresponsible to allow SSL3 by default any more.

>>> Dan
Received on 2014-10-16