#2 Support for TLSv1.2

pending
nobody
None
5
2019-02-11
2019-02-08
Jon Wolfers
No

Hi Mark,

Version I'm using: rexxcurl 2.0 25 Apr 2012 libcurl/7.25.0 OpenSSL/0.9.8u zlib/1.2.6 libidn/1.18 libssh2/1.4.0 librtmp/2.3

I hope this is a feature request and not a bug. I need RexxCurl to use TLSv1.2. I believe that I should be able to force this with

call curlSetopt curl, 'SSLVERSION', 6

I attach a test program below (ooRexx with the JSON.CLS from https://sourceforge.net/p/oorexx/code-0/HEAD/tree/sandbox/bwc/json/)

The test script goes to "https://www.howsmyssl.com/a/check" and returns the report below

It reports the version of TLS used as 1.0 in spite of my use of call curlSetopt curl, 'SSLVERSION', 6

Here is what I see back from howsmyssl:
able_to_detect_n_minus_one_splitting: 1
session_ticket_supported: 0
unknown_cipher_suite_supported: 0
tls_version: TLS 1.0
given_cipher_suites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_IDEA_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
ephemeral_keys_supported: 1
beast_vuln: 0
rating: Bad
insecure_cipher_suites
TLS_RSA_WITH_RC4_128_SHA: uses RC4 which has insecure biases in its output
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: uses keys smaller than 128 bits in its encryption
TLS_RSA_WITH_3DES_EDE_CBC_SHA: uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: uses keys smaller than 128 bits in its encryption
TLS_DHE_DSS_WITH_DES_CBC_SHA: uses keys smaller than 128 bits in its encryption
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: uses keys smaller than 128 bits in its encryption
TLS_DHE_RSA_WITH_DES_CBC_SHA: uses keys smaller than 128 bits in its encryption
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order
TLS_RSA_EXPORT_WITH_RC4_40_MD5: uses keys smaller than 128 bits in its encryption
uses RC4 which has insecure biases in its output
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: uses keys smaller than 128 bits in its encryption
TLS_RSA_WITH_DES_CBC_SHA: uses keys smaller than 128 bits in its encryption
TLS_RSA_WITH_RC4_128_MD5: uses RC4 which has insecure biases in its output
tls_compression_supported: 0

Thanks, Jon

1 Attachments

Discussion

  • Mark Hessling

    Mark Hessling - 2019-02-08

    Hi Jon,
    Yes, a feature request. The libcurl dll supplied with Rexx/CURL is quite old and does not support later versions of TLS. Have built a new version of Rexx/CURL and run against "howsmyssl" and it gives TLS 1.3. Hope that will work for you. Need to update some documentation and then upload to SF. I'll provide a site to download a test version of RexxCURL for ooRexx on Windows to install. 32bit or 64bit?
    Cheers, Mark

     
  • Mark Hessling

    Mark Hessling - 2019-02-10

    Next version, 2.1.0, will be built against curl 7.64.0, which defaults to TLS 1.3.

     
  • Mark Hessling

    Mark Hessling - 2019-02-11
    • status: open --> pending
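
An added example, not part of the ticket or of Rexx/CURL: a Python check that reads a curl version banner like the one quoted in the report and tells whether the bundled libcurl and OpenSSL are new enough for a requested TLS version, then validates a howsmyssl-style report against a minimum. It assumes an OpenSSL backend; the minimum versions come from curl and OpenSSL release history, and `NEW_BANNER` and all function names are constructed for illustration.

```python
import json
import re

# Minimum versions per TLS version, from curl and OpenSSL release history:
# (libcurl that defines the CURL_SSLVERSION_* constant, OpenSSL with the protocol).
REQUIREMENTS = {
    "TLS 1.2": ((7, 34, 0), (1, 0, 1)),  # CURL_SSLVERSION_TLSv1_2 == 6
    "TLS 1.3": ((7, 52, 0), (1, 1, 1)),  # CURL_SSLVERSION_TLSv1_3 == 7
}
ORDER = ["TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]

# Banner quoted in the ticket, and a constructed banner for a newer build.
OLD_BANNER = ("rexxcurl 2.0 25 Apr 2012 libcurl/7.25.0 OpenSSL/0.9.8u "
              "zlib/1.2.6 libidn/1.18 libssh2/1.4.0 librtmp/2.3")
NEW_BANNER = "libcurl/7.64.0 OpenSSL/1.1.1a zlib/1.2.11"  # constructed sample


def component_version(banner, name):
    """Return (major, minor, patch) for 'name/x.y.z' in a curl version banner."""
    m = re.search(rf"\b{re.escape(name)}/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError(f"{name} not found in banner")
    return tuple(int(g) for g in m.groups())


def can_negotiate(banner, tls_version):
    """Necessary condition only: both libraries must be at least new enough."""
    need_curl, need_ossl = REQUIREMENTS[tls_version]
    return (component_version(banner, "libcurl") >= need_curl
            and component_version(banner, "OpenSSL") >= need_ossl)


def meets_minimum(report_json, minimum="TLS 1.2"):
    """Check the tls_version field of a howsmyssl-style JSON report."""
    negotiated = json.loads(report_json)["tls_version"]
    return ORDER.index(negotiated) >= ORDER.index(minimum)


if __name__ == "__main__":
    for label, banner in (("ticket build", OLD_BANNER), ("newer build", NEW_BANNER)):
        print(label, {v: can_negotiate(banner, v) for v in REQUIREMENTS})
    print("report ok:", meets_minimum('{"tls_version": "TLS 1.0"}'))
```

Running `meets_minimum` on the live report after setting `SSLVERSION` shows whether the requested protocol floor was actually applied, which the ticket's output shows it was not.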
     