curl-library

Re: [PATCH] openssl: make it possible to build without SSLv3

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Mon, 10 Nov 2014 13:17:36 +0100

On Mon, Nov 10, 2014 at 03:13:21 -0500, Ray Satiro wrote:
> On 11/9/2014 4:36 PM, Guenter wrote:
> >Hi Ray,
> >On 08.11.2014 20:43, Ray Satiro wrote:
> >>I'm under the impression it's possible regardless. Following the changes
> >>to disable SSLv3 by default at one point I had tested against OpenSSL
> >>built with no-ssl3 and when I tried SSLv3 in curl I received an
> >>unsupported protocol error message. Maybe I forgot to recompile libcurl.
> >here's a probably related thread from the httpd view:
> >http://mail-archives.apache.org/mod_mbox/httpd-dev/201410.mbox/%3C54501F91.2080104@aldan.algebra.com%3E
> >
>
> I just tried OpenSSL 1.0.1j no-ssl3 and if I pass -3 to curl I still get a
> SSLv3 client hello and connection.

Yeah. The thing about no-ssl3 is that AFAICT, it only disables SSLv3 when
SSLv23_client_method() is used, but the SSLv3_* functions still work (which is
IMO wrong).

> Still doesn't explain what I saw with unsupported protocol

Not sure if this is the same situation as yours, but e.g. https://example.com
doesn't support SSLv3, so when I tried "curl -3 https://example.com" it failed
with the error "sslv3 alert handshake failure". It took me a while to realize
that the error came from the server and not curl... :/

Cheers

Received on 2014-11-10
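
Added example (not part of the original mail, and not curl or OpenSSL code): one way to tell whether an OpenSSL error line such as the "sslv3 alert handshake failure" discussed above was sent by the peer or raised locally, by decoding the packed error code. It assumes the OpenSSL 1.0.x error-code layout; the sample lines and the names `classify_ssl_error` and `enum origin` are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: OpenSSL 1.0.x packed error layout (ERR_GET_LIB / ERR_GET_REASON):
 * library in bits 24-31, function in bits 12-23, reason in bits 0-11. */
#define LIB_SSL           20    /* value of ERR_LIB_SSL */
#define ALERT_REASON_BASE 1000  /* value of SSL_AD_REASON_OFFSET */

enum origin { ORIGIN_UNKNOWN, ORIGIN_LOCAL, ORIGIN_PEER_ALERT };

/* Classify one "error:<hex>:..." line. For ORIGIN_PEER_ALERT, *alert receives
 * the TLS alert description number sent by the peer; otherwise it is -1. */
enum origin classify_ssl_error(const char *line, int *alert)
{
    const char *p = strstr(line, "error:");
    char *end;
    unsigned long code, reason;

    *alert = -1;
    if (p == NULL)
        return ORIGIN_UNKNOWN;
    p += strlen("error:");
    code = strtoul(p, &end, 16);
    if (end == p || *end != ':' || ((code >> 24) & 0xff) != LIB_SSL)
        return ORIGIN_UNKNOWN;          /* not an SSL-library error code */
    reason = code & 0xfff;
    if (reason < ALERT_REASON_BASE)
        return ORIGIN_LOCAL;            /* raised by the local OpenSSL */
    *alert = (int)(reason - ALERT_REASON_BASE);
    return ORIGIN_PEER_ALERT;           /* fatal alert received from the peer */
}

int main(void)
{
    /* Constructed sample lines in the OpenSSL 1.0.x format. */
    const char *samples[] = {
        "curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure",
        "curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol",
    };
    static const char *names[] = { "unknown", "local", "peer alert" };
    int alert;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum origin o = classify_ssl_error(samples[i], &alert);
        printf("%-10s alert=%d  %s\n", names[o], alert, samples[i]);
    }
    return 0;
}
```

Alert 40 is handshake_failure, so the first sample is classified as a fatal alert sent by the server, while the second is an error raised inside the local OpenSSL library.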