cURL / Mailing Lists / curl-library / Single Mail


Re: SSLv3 fallback attack POODLE

From: Ray Satiro <>
Date: Tue, 04 Nov 2014 13:58:31 -0500

On 11/4/2014 5:42 AM, Daniel Stenberg wrote:
> Thanks a lot, merged and pushed just now!

I took a look and AFAICT all changes to disable SSLv3 by default in all
SSL backends are now in the central repo. One nagging thing though from
my original post, I still don't understand why CyaSSL cannot be
configured to use TLS 1.0-1.2 by default. Code currently is this:

     infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
           "TLS 1.0 is used exclusively\n");
     req_method = TLSv1_client_method();

Using the highest possible version seems to be the most logical thing to
do and what is done with all the other backends. I read the CyaSSL
documentation and it says in section 4.2.3 that "... a client that uses
the CyaSSLv23_client_method() function will use the highest protocol
version supported by the server and downgrade to SSLv3 if needed." [1].
I can't find any specifics on the downgrade in the manual, whether it
happens automatically etc. Regardless does its emulation function
SSLv23_client_method() not provide the same behavior as OpenSSL, and
can't we just use that and disable SSLv3, like with the other SSL backends?

git blame shows commit ad34a2d [2] for the comment line and it says:
Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it
did the same before this commit), because CyaSSL cannot be configured to
use TLS 1.0-1.2.

There is no reference to the bug# and I can't find it. The actual code
traces back to 2011 to the initial cyassl.c commit [3].


List admin:
Received on 2014-11-04