
Re: curl library api secure mode

From: Josealf.rm via curl-library
Date: Sun, 22 Oct 2023 17:48:46 -0500


I understand that the function call curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); sets the minimum TLS protocol version to use; the server may require a newer TLS version and it will also connect. If in the future TLS 1.2 is deprecated, you will need to update the function call in your code. I think there’s no need to change the API.


> On 22/10/2023, at 5:06 PM, Philipp Gühring via curl-library wrote:
> Hi,
> I am the maintainer of hddsuperclone, which uses the curl library.
> At the moment it is initializing the curl library like this:
> curl = curl_easy_init();
> But a security audit suggested that we should be using
> curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
> to avoid downgrade attacks.
> I personally dislike hardcoding certain TLS versions into the source code, since it might get forgotten and might cause compatibility issues with TLSv1_4 or TLSv1_5 a few years down the road.
> Therefore I think it might be a better idea to offer an API where the applications could specify whether they want to support only the most recent TLS version(s) that are deemed secure, or whether it should also support slightly older versions that are needed for compatibility.
> Or is there such a solution already available that I couldn't find?
> Best regards,
> Philipp Gühring

Received on 2023-10-23