cURL / Mailing Lists / curl-library / Single Mail


Re: SSLv3 fallback attack POODLE

From: Todd A Ouska <>
Date: Tue, 4 Nov 2014 13:51:20 -0800

Hi Ray,

> On Nov 4, 2014, at 10:58 AM, Ray Satiro <> wrote:
> On 11/4/2014 5:42 AM, Daniel Stenberg wrote:
>> Thanks a lot, merged and pushed just now!
> I took a look and AFAICT all changes to disable SSLv3 by default in all SSL backends are now in the central repo. One nagging thing though from my original post, I still don't understand why CyaSSL cannot be configured to use TLS 1.0-1.2 by default.

The current github version of CyaSSL and the upcoming release of CyaSSL 3.3 on or about November 10th allows the user to set a minimum version during version downgrade on a single connection attempt:

CyaSSL_SetMinVersion(ssl, CYASSL_TLSV1_1); for example. Previously users would simply end the connection if the resulting version was unsatisfactory, which could be done as early as the certificate handshake message with a callback.

Downgrade for CyaSSL only happens with the v23() methods (CyaSSLv23_client_method() and CyaSSLv23_server_method()), all other methods are version specific. That is,

CyaTLSv1_2_client_method() allows TLS 1.2 connections only.

I hope that helps,

List admin:
Received on 2014-11-04