curl-library

Re: SSLv3 fallback attack POODLE

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Thu, 16 Oct 2014 10:47:02 +0200

On Thu, Oct 16, 2014 at 10:16:03AM +0200, Kamil Dudka wrote:
> I agree that SSLv3 should be disabled by default but I see no point in hiding
> SSLv3 behind a compile-time option, or creating new run-time options to enable
> it. There already are (lib)curl options to require SSLv3 explicitly.
>
> If an application needs SSLv3 and the SSL backend supports it, libcurl should
> not stand in the way. The application is ultimately responsible for all the
> consequences as long as it explicitly enables SSLv3.

That sounds ok, if it's possible. If it's really possible in all SSL
backends to disable negotiation down to SSLv3 while still allowing it if
explicitly requested (with --sslv3) then I'm fine with that.

>>> Dan
Received on 2014-10-16