
curl-library

Re: SSLv3 fallback attack POODLE

From: Todd A Ouska <todd_at_yassl.com>
Date: Wed, 5 Nov 2014 11:59:53 -0800

> On Nov 4, 2014, at 9:45 PM, Ray Satiro <raysatiro_at_yahoo.com> wrote:
>
> Thanks Todd. I have reviewed your commit to the CyaSSL repo that implemented that change [1]. Based on that I have a commit I believe will bring cyassl.c up to date [2]. If you wouldn't mind taking a look before I put in a request to submit it. Notice I try setting the minimum version to TLS 1.0 and if that fails then TLS 1.2. Instead of doing that each time do you know of a better way at compile time or runtime to handle the NO_OLD_TLS case?

Sure, I looked over your curl commit [1]. In the NO_OLD_TLS case version downgrade is disabled, so using CyaSSL_SetMinVersion(ssl, CYASSL_TLSV1_2); is redundant and not needed. Additionally, if downgrade is enabled (the non-NO_OLD_TLS case) the default minimum version is now CYASSL_TLSV1, so the CyaSSL_SetMinVersion(ssl, CYASSL_TLSV1); is also redundant and not needed. Though perhaps it's helpful to leave one of the calls in there (commented out?) for the future, in case you decide to set the minimum at TLS 1.1 for example, or allow the user to set it at runtime?

Thanks,
-Todd

>
>
> [1]: https://github.com/cyassl/cyassl/commit/322f79f
> [2]: https://github.com/jay/curl/commit/95fc8d5
>
>
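
Added example, not code from CyaSSL, curl or either poster: a small C model of the policy Todd describes above, showing why an explicit SetMinVersion call is redundant in both builds and which peer versions each build turns away. The version constants, the `build_policy` struct, `effective_min()`, `set_min_version_needed()` and `negotiate()` are assumptions made here for illustration and are not the CyaSSL API.

```c
#include <stdio.h>

/* Added example, not CyaSSL or curl code. Models the minimum-version and
 * downgrade policy described in the thread; all names are assumptions. */

/* Ordered so that a larger value is a newer protocol version. */
enum tls_version { VER_SSLV3 = 0, VER_TLSV1 = 1, VER_TLSV1_1 = 2, VER_TLSV1_2 = 3 };

struct build_policy {
    int no_old_tls;        /* 1: built with NO_OLD_TLS (TLS 1.2 only, no downgrade) */
    enum tls_version min;  /* configured floor when downgrade is allowed; default TLS 1.0 */
};

static const char *version_name(int v)
{
    switch (v) {
    case VER_SSLV3:   return "SSLv3";
    case VER_TLSV1:   return "TLS 1.0";
    case VER_TLSV1_1: return "TLS 1.1";
    case VER_TLSV1_2: return "TLS 1.2";
    default:          return "rejected";
    }
}

/* Lowest version the library will accept for this build. */
enum tls_version effective_min(const struct build_policy *p)
{
    if (p->no_old_tls)
        return VER_TLSV1_2;   /* downgrade disabled: TLS 1.2 is the only version */
    return p->min;
}

/* Would SetMinVersion(requested) change anything for this build? */
int set_min_version_needed(const struct build_policy *p, enum tls_version requested)
{
    if (p->no_old_tls)
        return 0;                 /* redundant: downgrade is already off */
    return requested != p->min;   /* redundant when it equals the current floor */
}

/* Local side offers TLS 1.2; the peer answers with `peer`.
 * Returns the agreed version, or -1 if the handshake must be aborted. */
int negotiate(const struct build_policy *p, enum tls_version peer)
{
    if ((int)peer > VER_TLSV1_2)
        return -1;                /* newer than we support in this model */
    if ((int)peer < (int)effective_min(p))
        return -1;                /* below the floor: SSLv3 in the default build,
                                     anything but TLS 1.2 with NO_OLD_TLS */
    return (int)peer;
}

int main(void)
{
    struct build_policy builds[2] = {
        { 1, VER_TLSV1 },   /* NO_OLD_TLS build */
        { 0, VER_TLSV1 },   /* default build: downgrade allowed, floor TLS 1.0 */
    };
    enum tls_version peers[] = { VER_SSLV3, VER_TLSV1, VER_TLSV1_1, VER_TLSV1_2 };

    for (int b = 0; b < 2; b++) {
        printf("%s build (floor %s):\n",
               builds[b].no_old_tls ? "NO_OLD_TLS" : "default",
               version_name(effective_min(&builds[b])));
        for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
            printf("  peer offers %-7s -> %s\n", version_name(peers[i]),
                   version_name(negotiate(&builds[b], peers[i])));
        printf("  SetMinVersion(TLSV1) needed: %d, SetMinVersion(TLSV1_2) needed: %d\n",
               set_min_version_needed(&builds[b], VER_TLSV1),
               set_min_version_needed(&builds[b], VER_TLSV1_2));
    }
    return 0;
}
```

Running it prints one table per build: the NO_OLD_TLS build accepts only TLS 1.2 and reports both SetMinVersion calls as unneeded, while the default build rejects SSLv3 (the POODLE case) via its TLS 1.0 floor and only a floor other than TLS 1.0 would be a real change.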

Received on 2014-11-05