curl-library

Re: [PATCH/RFC] Support for TLS False Start

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 16 Feb 2015 14:19:17 +0100 (CET)

On Sat, 14 Feb 2015, Alessandro Ghedini wrote:

> I've implemented new libcurl/curl options for enabling TLS false start [0].
> AFAICT only nss supports it so only the nss backend implements the new
> option.

Awesome!

> Both chromium and firefox enable false start only if the server also supports
> NPN/ALPN or if it supports forward secrecy in order to avoid weird/broken
> SSL implementations. Also, since there is a chance that application data is
> sent to an imposter (since we send the data before verifying the server's
> Finished frame), it is also recommended to only enable false start when
> strong ciphers are used. So I wonder, should we do all these checks in
> libcurl too or just let the user decide?

With the traditional curl approach we would offer all three options:
OFF/ON/WITH-CHECKS, but I guess the "on" case is a potential security problem
waiting to happen when users won't read the documentation and possible
documentation warnings.

So, I'm thinking the checks will be good.

And with the checks, could we perhaps consider enabling it by default at some
point?

-- 
  / daniel.haxx.se
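The checks discussed above, written out as a standalone policy helper. This is an added illustration, not code from the patch or from libcurl's NSS backend: the struct fields, the `enum kex` values and the "strong cipher" allow-list (AEAD suites only) are this example's own assumptions. It follows the rule described in the thread: allow False Start only when the server negotiated NPN/ALPN or a forward-secret key exchange, and only when the negotiated cipher is strong, since the early application data may be read by an impostor.

```c
/* Added example (not libcurl code): decide whether a client may send
 * application data before verifying the server's Finished message
 * (TLS False Start), using the heuristics described in the thread. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Key-exchange families; names are this example's own. */
enum kex { KEX_RSA, KEX_DHE, KEX_ECDHE };

/* Hypothetical strong-cipher allow-list: AEAD bulk ciphers only. */
static bool strong_cipher(const char *cipher)
{
    static const char *const allowed[] = {
        "AES_128_GCM", "AES_256_GCM", "CHACHA20_POLY1305"
    };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(cipher, allowed[i]) == 0)
            return true;
    return false;
}

/* alpn_or_npn: server negotiated NPN or ALPN.
 * key_exchange: negotiated key exchange.
 * cipher: negotiated bulk cipher, e.g. "AES_128_GCM". */
bool false_start_allowed(bool alpn_or_npn, enum kex key_exchange,
                         const char *cipher)
{
    bool forward_secret = key_exchange == KEX_DHE ||
                          key_exchange == KEX_ECDHE;

    /* Servers that speak NPN/ALPN or do (EC)DHE are modern enough that
     * sending data before their Finished is unlikely to break them; a
     * plain RSA handshake with neither is treated as possibly broken. */
    if (!alpn_or_npn && !forward_secret)
        return false;

    /* The early data may reach an impostor, so it must at least be
     * protected by a strong (AEAD) cipher. */
    return strong_cipher(cipher);
}

int main(void)
{
    printf("modern ECDHE+ALPN+AES-GCM: %d\n",
           false_start_allowed(true, KEX_ECDHE, "AES_128_GCM"));
    printf("legacy RSA, no ALPN:       %d\n",
           false_start_allowed(false, KEX_RSA, "AES_128_GCM"));
    printf("ECDHE+ALPN but RC4:        %d\n",
           false_start_allowed(true, KEX_ECDHE, "RC4_128"));
    return 0;
}
```

Note that the first check is a compatibility heuristic and the second a security one: forward secrecy alone does not make False Start safe, because an active attacker who presents a bogus certificate still receives whatever the client sends before the Finished message is checked. The cipher check only limits what a passive observer can do with that data.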
Received on 2015-02-16