curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: CURLUSESSL_TRY with failing TLS negotiation

From: Daniel Stenberg via curl-library <>
Date: Thu, 28 Dec 2023 17:37:07 +0100 (CET)

On Thu, 28 Dec 2023, Patrick Monnerat via curl-library wrote:

> IN IMAP/POP3/SMTP, a failing CURLUSESSL_TRY behaves as expected as long as
> TLS negotiation has not started, but terminates in error if the latter
> fails. I noticed it by reading the code and, since there is no support for
> STARTTLS in our test environment, I verified it manually with a personal
> IMAP server.
> I wonder if this is intentional or a bug. Any clue?

I don't think we considered this case, so just an oversight I believe.

Since the try option allows continuing without TLS, the liberal approach would
probably be to survive the TLS failure and continue without. But since we
*never* did that in the past, and the try option is a terribly bad option and
a generally bad security idea, it feels like a better approach is now to
instead document that this is how it works. We already discourage the use of
the try option.

  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
Received on 2023-12-28