
Re: SSLv3 fallback attack POODLE

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Thu, 16 Oct 2014 10:16:03 +0200

On Thursday, October 16, 2014 09:53:57 Dan Fandrich wrote:
> On Thu, Oct 16, 2014 at 07:30:39AM +0000, Bruno Thomsen wrote:
> > From a security aspect SSLv3 should be dropped completely due to its many
> > weaknesses. I think it would be a good move to follow in the footsteps of
> > libressl. Legacy systems are most likely also using an old version of
> > curl.
>
> That's probably the right response. Ideally, we could provide an option like
> --ssl-allow-beast to allow SSL3.0 if absolutely necessary, but if this were
> hidden behind a compile-time option instead, I wouldn't be too upset. It's
> irresponsible to allow SSL3 by default any more.
>
> >>> Dan

I agree that SSLv3 should be disabled by default but I see no point in hiding
SSLv3 behind a compile-time option, or creating new run-time options to enable
it. There already are (lib)curl options to require SSLv3 explicitly.

If an application needs SSLv3 and the SSL backend supports it, libcurl should
not stand in the way. The application is ultimately responsible for all the
consequences as long as it explicitly enables SSLv3.

Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-16