cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: SSLv3 fallback attack POODLE

From: Ray Satiro <raysatiro_at_yahoo.com>
Date: Mon, 03 Nov 2014 01:03:35 -0500

On 10/24/2014 2:57 PM, Ray Satiro wrote:
> PolarSSL has SSLv3 support by default unless it's changed at compile
> time. It is the minimum version:
>
> #define SSL_MIN_MAJOR_VERSION SSL_MAJOR_VERSION_3
> #define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_0
>
> According to the PolarSSL advisory that can be overridden at runtime
> [2]. vtls/polarssl.c doesn't have logic for CURL_SSLVERSION_DEFAULT
> therefore my understanding is PolarSSL's minimum version (SSLv3 I
> assume in most cases) is the default. I changed it using the runtime
> method to make the default TLS 1.0 at minimum [3].

I can't find that I got any feedback on this PolarSSL change and it
doesn't look as though it ever made it to the central repo. I know the
next curl release is a few days away. If there's a problem with it or
you want it as a patch let me know. It would be good if someone familiar
with PolarSSL could take a look and make sure the change is OK.

> [2]:
> https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-03-poodle-attack-on-ssl-v3
> [3]: https://github.com/jay/curl/compare/poodlefix

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-11-03