Adding an >= SSLv3 option?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 9 Feb 2015 10:55:17 +0100 (CET)

On Tue, 3 Feb 2015, Ray Satiro via curl-library wrote:

(changed subject to make it more obvious what this mail is about)

> gskit and polarssl patches are bug fixes

Thanks, applied and pushed now!

> sslv3 or later patch is a new value CURL_SSLVERSION_SSLv3_OR_LATER, similar
> to the behavior of CURL_SSLVERSION_DEFAULT prior to 7.39.0. Since the POODLE
> fix there's no client hello for all of SSLv3 - max TLS, and I guess that
> could be useful for compatibility.

Maybe - I'm not entirely convinced. I'm a bit scarred from previous options
when we possibly made it too easy for applications to just "step down" or
disable security measures. Too many API users will just do that without
reading the docs properly to achieve the least amount of obstacles.

I guess it boils down to the question how wide-spread the problem is for
people: applications that are used against both modern servers and against
legacy SSLv3-only (insecure) ones.

> I didn't hear anything back, not sure if that's because part of the list
> wasn't getting my e-mails at that time (thanks for fixing that btw) or there
> just is no interest.

I apologize for not having responded better and more timely on this!

But I'm here now, and I would appreciate some feedback from others on this
topic (in favor or against, either way) before we proceed with it.

> Another thing, I notice CURLOPT_SSLVERSION for return value [2] says
> "Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if
> not." However the interface code for some of the tls backends allow unknown
> values to be treated the same as CURL_SSLVERSION_DEFAULT. So I think either
> the documentation should be changed to reflect that or the code should be
> changed to keep in line with the doc (I think this). Let me know which and I
> will send a patch.

I think we should make the code return error on unknown SSL version values if
built with SSL. I see no point in having all backends deal with crazy input.

I also think we should make CURLOPT_SSLVERSION actually return
CURLE_UNKNOWN_OPTION if built without SSL (which the documentation says) -
which doesn't seem to be the case now!

Would gladly accept patches, thanks!

-- 
  / daniel.haxx.se
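As an added example (not curl's own code), here is a small C model of the two behaviours the reply contrasts: the lenient mapping that silently folds an unknown CURLOPT_SSLVERSION value into DEFAULT, and the strict one that rejects unknown values and reports the option as unknown when there is no SSL backend. The enum names mirror the values named in the thread; the numeric values, the placeholder number for SSLv3_OR_LATER and the protocol ranges are assumptions.

```c
#include <stdbool.h>

/* Added illustration, not curl's code. Option names mirror the
 * CURLOPT_SSLVERSION values named in the thread; SSLVERSION_SSLv3_OR_LATER
 * is the proposed new value and its number here is a placeholder. */
enum sslversion {
    SSLVERSION_DEFAULT, SSLVERSION_TLSv1, SSLVERSION_SSLv2, SSLVERSION_SSLv3,
    SSLVERSION_TLSv1_0, SSLVERSION_TLSv1_1, SSLVERSION_TLSv1_2,
    SSLVERSION_SSLv3_OR_LATER /* placeholder number, proposed in the thread */
};

/* Protocol versions, numbered so that a larger value is a newer protocol. */
enum proto { SSL2 = 2, SSL3 = 3, TLS1_0 = 10, TLS1_1 = 11, TLS1_2 = 12 };

/* What the handshake will accept: lowest and highest version (assumed). */
struct range { enum proto lo, hi; };

/* Result codes modelled on CURLE_OK, CURLE_UNKNOWN_OPTION and
 * CURLE_BAD_FUNCTION_ARGUMENT. */
enum res { RES_OK, RES_UNKNOWN_OPTION, RES_BAD_ARGUMENT };

/* Map a defined option value to its version range. Returns false for
 * values that are not defined (the "crazy input" the reply mentions). */
static bool lookup(long v, struct range *r) {
    switch (v) {
    case SSLVERSION_DEFAULT:        /* post-POODLE default: TLS only */
    case SSLVERSION_TLSv1:          *r = (struct range){TLS1_0, TLS1_2}; return true;
    case SSLVERSION_SSLv2:          *r = (struct range){SSL2, SSL2};     return true;
    case SSLVERSION_SSLv3:          *r = (struct range){SSL3, SSL3};     return true;
    case SSLVERSION_TLSv1_0:        *r = (struct range){TLS1_0, TLS1_0}; return true;
    case SSLVERSION_TLSv1_1:        *r = (struct range){TLS1_1, TLS1_1}; return true;
    case SSLVERSION_TLSv1_2:        *r = (struct range){TLS1_2, TLS1_2}; return true;
    case SSLVERSION_SSLv3_OR_LATER: *r = (struct range){SSL3, TLS1_2};   return true;
    default: return false;
    }
}

/* Lenient behaviour the reply criticises: an unknown value silently becomes
 * DEFAULT, so a caller's typo or stale constant is never noticed, and a
 * build without SSL still reports success although the docs say otherwise. */
enum res setopt_lenient(long v, bool built_with_ssl, struct range *r) {
    if (!built_with_ssl) return RES_OK;
    if (!lookup(v, r)) (void)lookup(SSLVERSION_DEFAULT, r);
    return RES_OK;
}

/* Strict behaviour proposed in the reply: reject unknown values, and return
 * the unknown-option error when there is no SSL backend at all. */
enum res setopt_strict(long v, bool built_with_ssl, struct range *r) {
    if (!built_with_ssl) return RES_UNKNOWN_OPTION;
    return lookup(v, r) ? RES_OK : RES_BAD_ARGUMENT;
}

/* Would a client configured with range r negotiate with a server that only
 * offers protocol p? Shows what SSLv3_OR_LATER re-enables versus DEFAULT. */
bool range_allows(struct range r, enum proto p) { return p >= r.lo && p <= r.hi; }
```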
Received on 2015-02-09