Re: SSLv3 fallback attack POODLE

From: Ray Satiro <raysatiro_at_yahoo.com>
Date: Tue, 04 Nov 2014 13:58:31 -0500

On 11/4/2014 5:42 AM, Daniel Stenberg wrote:
> Thanks a lot, merged and pushed just now!

I took a look and AFAICT all changes to disable SSLv3 by default in all
SSL backends are now in the central repo. One nagging thing though from
my original post, I still don't understand why CyaSSL cannot be
configured to use TLS 1.0-1.2 by default. Code currently is this:

   default:
   case CURL_SSLVERSION_DEFAULT:
   case CURL_SSLVERSION_TLSv1:
     infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, "
           "TLS 1.0 is used exclusively\n");
     req_method = TLSv1_client_method();
     break;

Using the highest possible version seems to be the most logical thing to
do and what is done with all the other backends. I read the CyaSSL
documentation and it says in section 4.2.3 that "... a client that uses
the CyaSSLv23_client_method() function will use the highest protocol
version supported by the server and downgrade to SSLv3 if needed." [1].
I can't find any specifics on the downgrade in the manual, whether it
happens automatically etc. Regardless, does its emulation function
SSLv23_client_method() not provide the same behavior as OpenSSL, and
can't we just use that and disable SSLv3, like with the other SSL backends?

git blame shows commit ad34a2d [2] for the comment line and it says:
Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it
did the same before this commit), because CyaSSL cannot be configured to
use TLS 1.0-1.2.

There is no reference to the bug# and I can't find it. The actual code
traces back to 2011 to the initial cyassl.c commit [3].

[1]: http://www.yassl.com/documentation/CyaSSL-Manual.pdf
[2]: https://github.com/bagder/curl/commit/ad34a2d
[3]: https://github.com/bagder/curl/commit/a8f30fa

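As an added illustration of the point raised above (a constructed model, not code from this mail, from curl or from CyaSSL), the following C program contrasts the three client-method choices discussed: TLS 1.0 only, SSLv23 with SSLv3 fallback, and SSLv23 with SSLv3 disabled. The version ranges, the server profiles and the `negotiate()` function are assumptions made for the example; real TLS negotiation is more involved.

```c
#include <stddef.h>
#include <stdio.h>

/* Protocol versions as wire-ordered integers (major << 8 | minor). */
#define SSLV3 0x0300
#define TLS10 0x0301
#define TLS11 0x0302
#define TLS12 0x0303

/* A client method is modelled as the range of versions it will accept. */
struct client_method { int lowest; int highest; };

/* TLSv1_client_method(): TLS 1.0 only, what the quoted cyassl.c code selects. */
static const struct client_method TLSV1_ONLY      = { TLS10, TLS10 };
/* SSLv23_client_method(): highest supported, downgrading to SSLv3 if needed. */
static const struct client_method SSLV23_ANY      = { SSLV3, TLS12 };
/* SSLv23_client_method() with SSLv3 disabled: the hardened default. */
static const struct client_method SSLV23_NO_SSLV3 = { TLS10, TLS12 };

/* Constructed server profiles: the versions each server will accept. */
static const int SRV_MODERN[] = { SSLV3, TLS10, TLS11, TLS12 };
static const int SRV_LEGACY[] = { SSLV3 };

/* Returns the highest server-supported version inside the client method's
 * range, or 0 when no common version exists (the handshake would fail). */
int negotiate(struct client_method m, const int *server, size_t n)
{
    int chosen = 0;
    for (size_t i = 0; i < n; i++) {
        if (server[i] >= m.lowest && server[i] <= m.highest && server[i] > chosen)
            chosen = server[i];
    }
    return chosen;
}

static void report(const char *label, int v)
{
    if (v) printf("%-24s -> 0x%04x\n", label, v);
    else   printf("%-24s -> handshake fails (no common version)\n", label);
}

int main(void)
{
    size_t nm = sizeof SRV_MODERN / sizeof SRV_MODERN[0];
    size_t nl = sizeof SRV_LEGACY / sizeof SRV_LEGACY[0];
    report("TLSv1 only / modern", negotiate(TLSV1_ONLY, SRV_MODERN, nm));          /* 0x0301 */
    report("SSLv23 / modern", negotiate(SSLV23_ANY, SRV_MODERN, nm));              /* 0x0303 */
    report("SSLv23 / legacy", negotiate(SSLV23_ANY, SRV_LEGACY, nl));              /* 0x0300 */
    report("SSLv23, no SSLv3 / legacy", negotiate(SSLV23_NO_SSLV3, SRV_LEGACY, nl)); /* fails */
    return 0;
}
```

The TLS 1.0-only method caps a TLS 1.2-capable server at 1.0, while SSLv23 without SSLv3 reaches 1.2 against that server and refuses an SSLv3-only one, which is the behaviour the other backends now have.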
Received on 2014-11-04