curl-library
Re: Fwd: [PATCH] opts: CURLOPT_CAINFO availability depends on SSL engine
Date: Tue, 03 Feb 2015 12:42:04 -0500
On 2/3/2015 2:45 AM, Daniel Stenberg wrote:
> On Tue, 3 Feb 2015, Ray Satiro via curl-library wrote:
>> Also I have some other patches from [2] I didn't hear back about.
>
> Can you please send them again if they're still relevant?
gskit and polarssl patches are bug fixes
sslv3 or later patch is a new value CURL_SSLVERSION_SSLv3_OR_LATER,
similar to the behavior of CURL_SSLVERSION_DEFAULT prior to 7.39.0.
Since the POODLE fix there's no client hello for all of SSLv3 - max TLS,
and I guess that could be useful for compatibility. I didn't hear
anything back, not sure if that's because part of the list wasn't
getting my e-mails at that time (thanks for fixing that btw) or there
just is no interest. For more see [1]. There is still work to do on this
if you are going to add it. I'll add a command line option like -3+ and
probably update its doc entry to warn SSLv3 is insecure.
Another thing, I notice CURLOPT_SSLVERSION for return value [2] says
"Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION
if not." However the interface code for some of the tls backends allow
unknown values to be treated the same as CURL_SSLVERSION_DEFAULT. So I
think either the documentation should be changed to reflect that or the
code should be changed to keep in line with the doc (I think this). Let
me know which and I will send a patch.
[1]: http://curl.haxx.se/mail/lib-2015-01/0001.html
[2]: http://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html#RETURN
Received on 2015-02-03