
#1434 disable SSLv3 per default

closed-invalid
None
5
2014-10-20
2014-10-16
Cálestyo
No

Hi.

In the light of the recently published attacks against SSLv3 I think it would be appropriate to disable at least SSLv3 from being ever used per default in any place of curl/libcurl.

Only if -3, --sslv3 is explicitly given, SSLv3 should be used.

The same applies analogously to SSLv2 (if not already the case).

Thanks,
Chris.

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2014-10-20
    • status: open --> closed-invalid
    • assigned_to: Daniel Stenberg
     
  • Daniel Stenberg

    Daniel Stenberg - 2014-10-20

    Sure, that might be a good idea but this is a bug tracker and SSLv3 is still not a bug...

    This is already discussed on the curl-library mailing list.

     
  • Cálestyo

    Cálestyo - 2014-10-20

    Hey.

    Well, if you discuss this anyway already... it's fine for me.

    But strictly speaking I would call this a bug, not supporting SSLv3, but using it per default.

    When people use https/ftp/smtps/etc. they do this because they want the security/authenticity/etc. - otherwise they could have simply used the non-TLS versions.
    The common opinion now seems to be that SSLv3 is really at its end, so with it being used by default, curl no longer provides the security expected with https/etc.

    Therefore I think it's a bug.

    Just as if you'd have a software RAID which does not really do what it's expected to do (giving you resilience with your data).

    Cheers,
    Chris.

     