
Re: how to enable SSLv3 in libcurl 7.39

From: Ray Satiro <raysatiro_at_yahoo.com>
Date: Fri, 02 Jan 2015 12:42:05 -0500

On 1/2/2015 3:46 AM, Dan Fandrich wrote:
> On Fri, Jan 02, 2015 at 02:45:32AM -0500, Ray Satiro wrote:
>> CURL_SSLVERSION_SSLv3 is exclusively SSLv3 [1]. There is no longer a define for
>> SSLv3 or later. The default is now TLS 1.0 or later. I have attached a patch
>> that adds legacy support for CURL_SSLVERSION_SSLv3_OR_LATER to all backends; I
>> wonder if it's useful in your situation or anyone's?
> I noticed some semantic differences between some of the back-ends with this
> patch. For example, in axTLS and OpenSSL, if SSL3 cannot be set due to the
> back-end version of configuration, there is no error returned.

That was intentional, CURL_SSLVERSION_SSLv3_OR_LATER is meant to mimic
the old default behavior, so none of them should fail if SSLv3 cannot be
used. As I noted in the doc changes:

--
SSLv3 is included when attempting to figure which minimum protocol version to
use. This define has the same behavior as CURL_SSLVERSION_DEFAULT did in
versions prior to 7.39.0, except that the fallback implementation for buggy
SSLv3 servers (only used for NSS SSL) no longer exists.

> There is also
> another difference I noted (unrelated to your patch), namely that for some
> back-ends some of the existing CURL_SSLVERSION_* options select not just one
> specific SSL version but rather set the given version as a minimum instead.
> This should be at minimum documented in the man page.

I looked into this and I only see the bug in PolarSSL. I've attached a
patch to fix the problem. Also, I noticed gskit.c for exclusive SSLv3
uses CURL_GSKPROTO_SSLV2_MASK, not CURL_GSKPROTO_SSLV3_MASK, so I've
attached a patch for that as well.
> Also, a big no-no: this patch seems to enable SSLv2 for the Cyassl
> back-end when the new option is used.

Well, no, it shouldn't do that. CyaSSL has logic very similar to OpenSSL
in that the protocol versions are set some time after the object has
been created. In the patch you'll see that after the handle is created I
set the minimum protocol version to SSLv3 if the CyaSSL version is >=
3.3.0, since SSLv3 is disabled by default in >= 3.3.0. If the CyaSSL
version is < 3.3.0 then SSLv3 is enabled by default, I thought... I also
thought SSLv2 was not enabled for SSLv23_client_method... but I will
follow up with the CyaSSL team to make sure we're covered in all use cases.
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

  • text/plain attachment: stored
Received on 2015-01-02
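
The distinction the thread turns on, an option that selects one protocol version exclusively versus one that sets a floor, is easy to get wrong per backend, which is exactly what the PolarSSL and gskit patches fix. The following C block is an added model of those semantics; it is not code from this thread, from the attached patches, or from libcurl, and it needs no libcurl headers to build. The CURL_SSLVERSION_* values are libcurl's public constants as of 7.39; HYP_SSLVERSION_SSLv3_OR_LATER (standing in for the option proposed in the patch), the numeric protocol levels, and the functions resolve_sslversion, in_range and can_connect are assumptions made for this example.

```c
#include <stdio.h>

/* Public CURLOPT_SSLVERSION values from curl/curl.h as of libcurl 7.39. */
enum {
    CURL_SSLVERSION_DEFAULT = 0,
    CURL_SSLVERSION_TLSv1   = 1,   /* TLS 1.0 or later, libcurl picks */
    CURL_SSLVERSION_SSLv2   = 2,
    CURL_SSLVERSION_SSLv3   = 3,   /* exclusively SSLv3 since 7.39.0 */
    CURL_SSLVERSION_TLSv1_0 = 4,   /* exclusively TLS 1.0 */
    CURL_SSLVERSION_TLSv1_1 = 5,   /* exclusively TLS 1.1 */
    CURL_SSLVERSION_TLSv1_2 = 6    /* exclusively TLS 1.2 */
};

/* Assumption: stand-in for the SSLv3-or-later option proposed in the thread.
   It is NOT a real libcurl define; the number is arbitrary. */
#define HYP_SSLVERSION_SSLv3_OR_LATER 100

/* Protocol versions in ascending order (wire version numbers).
   SSLv2 is deliberately not modelled as negotiable. */
enum proto { P_SSL3 = 0x300, P_TLS10 = 0x301, P_TLS11 = 0x302, P_TLS12 = 0x303 };

#define NO_CEILING 0   /* max == NO_CEILING means "this version or later" */

struct range { int min; int max; };

/* Translate an option into the (min, max) window a backend should enforce.
   sslv3_available models a backend built with, or configured to allow, SSLv3.
   Returns 0 on success, -1 when the request cannot be honoured. */
int resolve_sslversion(int option, int sslv3_available, struct range *out)
{
    switch (option) {
    case CURL_SSLVERSION_DEFAULT:
    case CURL_SSLVERSION_TLSv1:
        *out = (struct range){ P_TLS10, NO_CEILING };   /* floor, not exclusive */
        return 0;
    case CURL_SSLVERSION_SSLv3:
        if (!sslv3_available)
            return -1;                  /* exclusive request that cannot be met */
        *out = (struct range){ P_SSL3, P_SSL3 };
        return 0;
    case CURL_SSLVERSION_TLSv1_0:
        *out = (struct range){ P_TLS10, P_TLS10 };
        return 0;
    case CURL_SSLVERSION_TLSv1_1:
        *out = (struct range){ P_TLS11, P_TLS11 };
        return 0;
    case CURL_SSLVERSION_TLSv1_2:
        *out = (struct range){ P_TLS12, P_TLS12 };
        return 0;
    case HYP_SSLVERSION_SSLv3_OR_LATER:
        /* Mimics the pre-7.39.0 default: SSLv3 is included when choosing the
           floor, and its absence is tolerated silently rather than reported. */
        *out = (struct range){ sslv3_available ? P_SSL3 : P_TLS10, NO_CEILING };
        return 0;
    default:                            /* SSLv2 and unknown values */
        return -1;
    }
}

/* 1 if a server that only speaks server_proto fits inside the window, else 0. */
int in_range(const struct range *r, int server_proto)
{
    if (server_proto < r->min)
        return 0;
    if (r->max != NO_CEILING && server_proto > r->max)
        return 0;
    return 1;
}

/* -1 = option cannot be set on this backend, 0 = handshake would fail, 1 = ok. */
int can_connect(int option, int sslv3_available, int server_proto)
{
    struct range r;
    if (resolve_sslversion(option, sslv3_available, &r) != 0)
        return -1;
    return in_range(&r, server_proto);
}

int main(void)
{
    /* Exclusive vs minimum: TLSv1_0 rejects a TLS 1.2-only server, TLSv1 does not. */
    printf("TLSv1_0 vs TLS 1.2-only server: %d\n", can_connect(CURL_SSLVERSION_TLSv1_0, 1, P_TLS12));
    printf("TLSv1   vs TLS 1.2-only server: %d\n", can_connect(CURL_SSLVERSION_TLSv1, 1, P_TLS12));
    /* Exclusive SSLv3 on a backend without SSLv3 is an error... */
    printf("SSLv3, backend without SSLv3:   %d\n", can_connect(CURL_SSLVERSION_SSLv3, 0, P_SSL3));
    /* ...while the proposed or-later option quietly settles for TLS 1.0 or later. */
    printf("SSLv3_OR_LATER, no SSLv3, TLS 1.0 server: %d\n",
           can_connect(HYP_SSLVERSION_SSLv3_OR_LATER, 0, P_TLS10));
    return 0;
}
```

A backend that implements CURL_SSLVERSION_TLSv1_0 as "TLS 1.0 or later" would return 1 in the first case instead of 0; that is the PolarSSL-style bug the thread describes, and a table of expectations like the one in main is a cheap way to catch it across backends.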