curl-library

Re: shouldnt SSLv2 be disabled by default, mk_ca_bundle and install question

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 16 Sep 2016 21:39:30 -0400

On 9/16/2016 6:14 PM, Daniel Stenberg wrote:
> On Fri, 16 Sep 2016, Michael Felt wrote:
>
>> So, this time I watched a bit more closely re: SSL - my comment is:
>> shouldn't SSLv2 just be removed regardless if OpenSSL is (still)
>> supporting it?
>
> Yes it should. In fact SSLv3 should also probably be disabled by
> default, but then we also know that we have a fairly large amount of
> users running against legacy crap that might use old protocol versions...
>
> I'm not sure it is a big issue though since modern TLS libraries will
> disable them for us.

If the SSL library is able to handle -2 or -3 *and* the user has
specified that at runtime then I don't see the problem. It's not like
either of those protocols is used by default.

Received on 2016-09-17