curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

curl library api secure mode

From: Philipp Gühring via curl-library <>
Date: Mon, 23 Oct 2023 00:04:53 +0200


I am the maintainer of hddsuperclone, which uses the curl library.
At the moment it is initializing the curl library like this:
curl = curl_easy_init();
But a security audit suggested that we should be using
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
to avoid downgrade attacks.
I personally dislike to hardcode certain TLS versions into the sourcecode, since it might get forgotten and might cause compatibility issues with TLSv1_4 or TLSv1_5 a few years down the road.
Therefore I think it might be a better idea to offer an API where the applications could specify, whether they want to support only the most recent TLS version(s) that are deemed secure, or whether it should also support slighty older versions that are needed for compatibility.

Or is there such a solution already available that I couldn't find?

Best regards,
Philipp Gühring

Received on 2023-10-23