curl library api secure mode
From: Philipp Gühring via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 23 Oct 2023 00:04:53 +0200
Hi,
I am the maintainer of hddsuperclone, which uses the curl library.
At the moment it is initializing the curl library like this:
curl = curl_easy_init();
But a security audit suggested that we should be using
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
to avoid downgrade attacks.
I personally dislike hardcoding certain TLS versions into the source code, since it might get forgotten and might cause compatibility issues with TLSv1_4 or TLSv1_5 a few years down the road.
Therefore I think it might be a better idea to offer an API where the applications could specify whether they want to support only the most recent TLS version(s) that are deemed secure, or whether it should also support slightly older versions that are needed for compatibility.
Or is there such a solution already available that I couldn't find?
Best regards,
Philipp Gühring
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2023-10-23