cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: SSLv3 fallback attack POODLE

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Wed, 29 Oct 2014 15:42:43 +0100

On Friday 24 October 2014 14:57:00 Ray Satiro wrote:
> On 10/24/2014 7:44 AM, Daniel Stenberg wrote:
> > On Fri, 24 Oct 2014, Kamil Dudka wrote:
> >> Should I unimplement the fallback to SSL 3.0 in the NSS backend now,
> >> or wait till Ray's patch appears upstream?
> >
> > I'm digging up Ray's patch just now and I've pushed it!
>
> Two more to look at, GSKit and PolarSSL. Patrick Monnerat already got to
> GSKit this morning [1]. PolarSSL has SSLv3 support by default unless
> it's changed at compile time. It is the minimum version:
>
> #define SSL_MIN_MAJOR_VERSION SSL_MAJOR_VERSION_3
> #define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_0
>
> According to the PolarSSL advisory that can be overridden at runtime
> [2]. vtls/polarssl.c doesn't have logic for CURL_SSLVERSION_DEFAULT
> therefore my understanding is PolarSSL's minimum version (SSLv3 I assume
> in most cases) is the default. I changed it using the runtime method to
> make the default TLS 1.0 at minimum [3].
>
> Regarding the fallback in NSS do you mean the obsolete code that enables
> a connection retry at the end of nss_fail_connect() in vtls/nss.c? That
> looks like it can go.

I have just pushed a patch that drops it:

https://github.com/bagder/curl/compare/b5ed5843a4...276741af4d

Kamil

> [1]: https://github.com/bagder/curl/commit/3ca5604
> [2]:
> https://polarssl.org/tech-updates/security-advisories/polarssl-security-advi
> sory-2014-03-poodle-attack-on-ssl-v3 [3]:
> https://github.com/jay/curl/compare/poodlefix
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-29