curl-library
Re: how to enable SSLv3 in libcurl 7.39
Date: Fri, 02 Jan 2015 12:42:05 -0500
On 1/2/2015 3:46 AM, Dan Fandrich wrote:
> On Fri, Jan 02, 2015 at 02:45:32AM -0500, Ray Satiro wrote:
>> CURL_SSLVERSION_SSLv3 is exclusively SSLv3 [1]. There is no longer a define for
>> SSLv3 or later. The default is now TLS 1.0 or later. I have attached a patch
>> that adds legacy support for CURL_SSLVERSION_SSLv3_OR_LATER to all backends; I
>> wonder if it's useful in your situation or anyone's?
> I noticed some semantic differences between some of the back-ends with this
> patch. For example, in axTLS and OpenSSL, if SSL3 cannot be set due to the
> back-end version or configuration, there is no error returned.
That was intentional, CURL_SSLVERSION_SSLv3_OR_LATER is meant to mimic
the old default behavior, so none of them should fail if SSLv3 cannot be
used. As I noted in the doc changes:
-- SSLv3 is included when attempting to figure which minimum protocol version to use. This define has the same behavior as CURL_SSLVERSION_DEFAULT did in versions prior to 7.39.0, except that the fallback implementation for buggy SSLv3 servers (only used for NSS SSL) no longer exists.

> There is also another difference I noted (unrelated to your patch), namely that for some
> back-ends some of the existing CURL_SSLVERSION_* options select not just one
> specific SSL version but rather set the given version as a minimum instead.
> This should be at minimum documented in the man page.

I looked into this and I only see the bug in PolarSSL. I've attached a patch to fix the problem. Also I noticed gskit.c for exclusive SSLv3 uses CURL_GSKPROTO_SSLV2_MASK not CURL_GSKPROTO_SSLV3_MASK, so I've attached a patch for that as well.

> Also, a big no-no: this patch seems to enable SSLv2 for the Cyassl
> back-end when the new option is used.

Well, no, it shouldn't do that. CyaSSL has logic very similar to OpenSSL in that the protocol versions are set some time after the object has been created. In the patch you'll see that after the handle is created I set the minimum protocol version to SSLv3 if the CyaSSL version is >= 3.3.0, since SSLv3 is disabled by default >= 3.3.0. If the CyaSSL version is <3.3.0 then SSLv3 is enabled by default, I thought... I also thought SSLv2 was not enabled for SSLv23_client_method... but I will follow up with the CyaSSL team to make sure we're covered in all use cases.
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
- text/plain attachment: stored
- text/plain attachment: 0001-gskit-Fix-exclusive-SSLv3-option.patch