Re: SSLv3 fallback attack POODLE

From: Ray Satiro <>
Date: Mon, 03 Nov 2014 01:03:35 -0500

On 10/24/2014 2:57 PM, Ray Satiro wrote:
> PolarSSL has SSLv3 support by default unless it's changed at compile
> time. It is the minimum version:
> According to the PolarSSL advisory that can be overridden at runtime
> [2]. vtls/polarssl.c doesn't have logic for CURL_SSLVERSION_DEFAULT
> therefore my understanding is PolarSSL's minimum version (SSLv3 I
> assume in most cases) is the default. I changed it using the runtime
> method to make the default TLS 1.0 at minimum [3].

I can't find that I got any feedback on this PolarSSL change and it
doesn't look as though it ever made it to the central repo. I know the
next curl release is a few days away. If there's a problem with it or
you want it as a patch let me know. It would be good if someone familiar
with PolarSSL could take a look and make sure the change is OK.

> [2]:
> [3]:

Received on 2014-11-03