curl-library
Re: how to enable SSLv3 in libcurl 7.39
Date: Sun, 11 Jan 2015 00:30:32 -0500
On 1/2/2015 12:42 PM, Ray Satiro wrote:
> On 1/2/2015 3:46 AM, Dan Fandrich wrote:
>> Also, a big no-no: this patch seems to enable SSLv2 for the Cyassl
>> back-end when the new option is used.
>
> Well, no, it shouldn't do that. CyaSSL has logic very similar to
> OpenSSL in that the protocol versions are set some time after the
> object has been created. In the patch you'll see that after the handle
> is created I set the minimum protocol version to SSLv3 if the CyaSSL
> version is >= 3.3.0, since SSLv3 is disabled by default >= 3.3.0. If
> the CyaSSL version is <3.3.0 then SSLv3 is enabled by default, I
> thought... I also thought SSLv2 was not enabled for
> SSLv23_client_method... but I will follow up with the CyaSSL team to
> make sure we're covered in all use cases.
I spoke with a developer at wolfSSL (makes CyaSSL) and he told me that
SSLv2 was never supported in any version [1].
[1]: http://www.yassl.com/forums/post1870.html#p1870
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-01-11