curl-library
Re: shouldnt SSLv2 be disabled by default, mk_ca_bundle and install question
Date: Sat, 17 Sep 2016 00:14:27 +0200 (CEST)
On Fri, 16 Sep 2016, Michael Felt wrote:
> So, this time I watched a bit more closely re: SSL - my comment is:
> shouldn't SSLv2 just be removed regardless if OpenSSL is (still) supporting
> it?
Yes it should. In fact SSLv3 should also probably be disabled by default, but
then we also know that we have a fairly large amount of users running against
legacy crap that might use old protocol versions...
I'm not sure it is a big issue though since modern TLS libraries will disable
them for us.
> Next question: how can I disable it in my packaging (note: would rather not
> load another package, e.g. gnutls to accomplish this - but maybe "curl"
> forces me.
OpenSSL disables SSLv2 by default these days (mentioned in the changelog for
the 1.0.1s/1.0.2g releases of March 2016) so you're either using an older
OpenSSL or you enabled it explicitly.
> re: mk_ca_bundle - great thing, but can go unnoticed as make install does
> not pick it up, and when the src is in, e.g. ../src/curl-7.50.3 "somewhere"
> it does not show up in the "build" area either. (FYI)
Right, mk-ca-bundle is a separate tool for those with that need and desire.
> And, maybe - if --with-ca-bundle=... is specified, but not found - you could
> just run mk_ca_bundle to make it?!
That's an interesting idea. There's a potential bootstrap problem with that to
remember, as it depends on a curl(!) or perl/LWP installation for the
transfer.
Maybe we should start with outputting a larger warning text suggesting for the
user that the script exists and can be used for this purpose?
-- 
 / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-09-17
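Added example (not part of the thread, and not curl's or OpenSSL's own code): a quick way to check the point Daniel makes above, i.e. whether the OpenSSL you are packaging against still has SSLv2/SSLv3 compiled in. It relies on an assumption about s_client's behaviour: a protocol switch that was compiled out (OPENSSL_NO_SSL2 / OPENSSL_NO_SSL3) is rejected as an "unknown option", while a compiled-in switch gets as far as the TCP connect, which is pointed at a closed local port so it fails fast without touching the network.

```shell
#!/bin/sh
# Probe the installed OpenSSL for which protocol-version switches its
# s_client was built with. This is an added illustration, not code from
# the curl project. Assumption: a compiled-out switch makes s_client print
# an "unknown option" error; a compiled-in one proceeds to connect (and
# fails on the closed port 127.0.0.1:1, which is what we want).

# ssl_proto_compiled_in PROTO
#   PROTO is an s_client switch without the dash: ssl2, ssl3, tls1, tls1_1, tls1_2
#   exit 0 if the switch is accepted (protocol compiled in), 1 if it is
#   rejected, 2 if no openssl binary is available to ask.
ssl_proto_compiled_in() {
    proto=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    out=$(openssl s_client -"$proto" -connect 127.0.0.1:1 </dev/null 2>&1)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        return 1
    fi
    return 0
}

# Print one line per protocol version of interest; "not available" for
# ssl2 and ssl3 is the result you want from a current OpenSSL build.
report_legacy_protocols() {
    for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do
        if ssl_proto_compiled_in "$p"; then
            echo "$p: compiled in"
        else
            echo "$p: not available"
        fi
    done
}

report_legacy_protocols
```

On the curl side the corresponding knob is CURLOPT_SSLVERSION (for example CURL_SSLVERSION_TLSv1_2) in libcurl, or --tlsv1.2 on the command line; that sets a floor for the negotiated version regardless of what the underlying library happens to have compiled in, which is the belt-and-braces approach when you ship against a libssl you do not control.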