Curl, built against OpenSSL, currently includes export strength cipher suites in its TLS ClientHello. This is problematic because those cipher suites use only 40-bit keys, making them easy to brute force. 128-bit keys are the current minimum recommended key size.
This was found by using the latest released curl (7.34.0) to query https://www.howsmyssl.com/a/check.
I think something similar will happen when using nss, but I've not actually had the chance to confirm that.
From a naive glance at the code, and from data other users have gathered, it seems that curl is using whatever the TLS library gives it.
This is causing users with SecureTransport builds to get NULL cipher suites (!).
Thanks for the report. Will get to work!
Using a cipher list like below at least removes the "Bad" grading from howsmyssl.com and changes it to "Improvable" (unclear what exactly that means). OpenSSL ciphers are documented here: http://www.openssl.org/docs/apps/ciphers.html
~~~~
curl --ciphers 'ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4' https://www.howsmyssl.com/a/check
~~~~
Last edit: Daniel Stenberg 2014-01-10
Yeah, that's just due to session tickets not being supported. Don't worry about it. It'll probably be removed Real Soon Now.
I'm thinking a suitable fix could be like this...
I also posted this patch to the curl-library list for wider review/feedback.
Thanks for your report. I've now pushed the change that changes the default list of ciphers as previously mentioned. Case closed!