Feature Requests item #1767276, was opened at 2007-08-03 21:11
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=350976&aid=1767276&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Scott Cantor (scantor)
Assigned to: Daniel Stenberg (bagder)
Summary: Request option to disable SSLv2

Initial Comment:
The current version selection option for SSL lets the caller turn on a specific SSL/TLS version, but not disable one. Normally SSLv3 and TLSv1 would both be acceptable, but SSLv2 is never acceptable because of its holes, so it would be good to have the option to allow anything but that version.

(We've tested that disabling the SSLv2 ciphers doesn't actually disable use of SSLv2 itself.)

I checked the openssl s_client options, and it supports turning off a specific version, so apparently it can be done.

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2007-08-03 23:37

Message:
Logged In: YES
user_id=1110
Originator: NO

Thanks, that lead me exactly to the right place.

It seems SSL_CTX_set_options() (that libcurl already uses) has bits to
disable specific protocols:

       SSL_OP_NO_SSLv2
           Do not use the SSLv2 protocol.

       SSL_OP_NO_SSLv3
           Do not use the SSLv3 protocol.

       SSL_OP_NO_TLSv1
           Do not use the TLSv1 protocol.

So yes, this should be fairly easy to support for OpenSSL at least...

----------------------------------------------------------------------

Comment By: Scott Cantor (scantor)
Date: 2007-08-03 23:32

Message:
Logged In: YES
user_id=96701
Originator: YES

I don't know how it does it internally (haven't looked yet), but the flag
is here:

$ openssl s_client help
...
-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
...

I wouldn't have asked if I hadn't seen the option, I was expecting it had
the same limitation libcurl did but then I saw it listed, so at least
there's code we could copy from the sample tool.

It's probably not worth the hassle if it takes anything exotic that could
create regressions, but if there's a simple API it would be worth it.

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2007-08-03 23:25

Message:
Logged In: YES
user_id=1110
Originator: NO

How does the s_client support this? (I mean option/command etc)

I don't find any easy API for this in the OpenSSL docs, so possibly the
lib would have to do a version check after a connect has been performed and
then close down again if using the wrong version...

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=350976&aid=1767276&group_id=976
Received on 2007-08-03