cURL / Mailing Lists / curl-library / Single Mail


Re: how to enable SSLv3 in libcurl 7.39

From: Ray Satiro <>
Date: Sun, 11 Jan 2015 00:30:32 -0500

On 1/2/2015 12:42 PM, Ray Satiro wrote:
> On 1/2/2015 3:46 AM, Dan Fandrich wrote:
>> Also, a big no-no: this patch seems to enable SSLv2 for the Cyassl
>> back-end when the new option is used.
> Well, no, it shouldn't do that. CyaSSL has logic very similar to
> OpenSSL in that the protocol versions are set some time after the
> object has been created. In the patch you'll see that after the handle
> is created I set the minimum protocol version to SSLv3 if the CyaSSL
> version is >= 3.3.0, since SSLv3 is disabled by default >= 3.3.0. If
> the CyaSSL version is <3.3.0 then SSLv3 is enabled by default, I
> thought... I also thought SSLv2 was not enabled for
> SSLv23_client_method... but I will follow up with the CyaSSL team to
> make sure we're covered in all use cases.

I spoke with a developer at wolfSSL (makes CyaSSL) and he told me that
SSLv2 was never supported in any version [1].


List admin:
Received on 2015-01-11