
Add support for option CURLOPT_SSL_CIPHER_LIST for DarwinSSL

From: Michael Kolechkin via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 18 Nov 2020 12:08:59 -0800

Hi guys,
Our macOS client application uses libcurl backed by Darwin SSL (Secure
Transport) to send and receive some data. Now we need to work in FIPS 140-2
mode and I found that libcurl doesn't support limiting cipher suites in the
Secure Transport case.
The source code in vtls/sectransp.c just gets the list of SSL/TLS ciphers by
calling SSLGetSupportedCiphers, filters out some weak ciphers and then sets
that list (SSLSetEnabledCiphers) for negotiation with the server. It
ignores the value of the CURLOPT_SSL_CIPHER_LIST option, and the caller has no
control over cipher suites, hence we cannot specify that only FIPS 140-2 ciphers
be used, etc.

Does it make sense to add CURLOPT_SSL_CIPHER_LIST option support to the
sectransp.c code and limit client cipher suites to its value? I think it
would be nice to have Secure Transport feature parity with OpenSSL,
wolfSSL, NSS and other libraries. If someone knows more details about why it was
not implemented before, or about some hidden problems, I would very much appreciate your help.

I am new to libcurl and Secure Transport, so if you know that it won't work or
of some other issues, it would be extremely helpful.

Thank you,
Michael
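As an added example (neither curl's code nor the poster's), here is the portable core of what the proposed change would need: parse the CURLOPT_SSL_CIPHER_LIST string into cipher suite codes, intersect it with what SSLGetSupportedCiphers reports, and only then hand the result to SSLSetEnabledCiphers. The SSLCipherSuite typedef, the small cipher_table and build_enabled_ciphers are assumptions standing in for the Security framework so that it compiles and runs outside macOS.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for Secure Transport's SSLCipherSuite (16-bit IANA code). */
typedef uint16_t SSLCipherSuite;

/* Constructed name-to-code table; a real port would carry the full registry. */
static const struct { const char *name; SSLCipherSuite code; } cipher_table[] = {
    { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   0xC02F },
    { "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   0xC030 },
    { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0xC02B },
    { "TLS_RSA_WITH_AES_128_CBC_SHA",            0x002F },
    { "TLS_RSA_WITH_RC4_128_MD5",                0x0004 },
};

static int contains(const SSLCipherSuite *arr, size_t n, SSLCipherSuite code)
{ while(n--) if(arr[n] == code) return 1; return 0; }

/* Turn a colon-separated CURLOPT_SSL_CIPHER_LIST string into the array an
 * SSLSetEnabledCiphers call would take: only suites present in `supported`
 * (the SSLGetSupportedCiphers result) are kept, in caller order, deduplicated.
 * Returns the count; -1 on an unknown name (fail closed rather than silently
 * widening the set); -2 if `out` is too small. */
int build_enabled_ciphers(const char *list, const SSLCipherSuite *supported,
                          size_t nsupported, SSLCipherSuite *out, size_t outmax)
{
    size_t n = 0, i, ntable = sizeof(cipher_table) / sizeof(cipher_table[0]);
    const char *p = list;
    for(;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if(len > 0) {                    /* empty tokens ("a::b") are skipped */
            SSLCipherSuite code = 0;     /* 0 = TLS_NULL_WITH_NULL_NULL, never enabled */
            for(i = 0; i < ntable; i++)  /* exact, case-sensitive name match */
                if(strlen(cipher_table[i].name) == len &&
                   memcmp(cipher_table[i].name, p, len) == 0)
                    code = cipher_table[i].code;
            if(code == 0) return -1;
            if(contains(supported, nsupported, code) && !contains(out, n, code)) {
                if(n == outmax) return -2;
                out[n++] = code;
            }
        }
        if(!end) break;
        p = end + 1;
    }
    return (int)n;
}
```

Rejecting unknown names outright is deliberate: a silently ignored typo in a FIPS cipher list would leave the broader default set enabled, which is exactly the outcome the option is meant to prevent.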


Received on 2020-11-18