
#2742 Allow wbemcli to use TLS

Security
pending
wbemcli
5
2018-07-20
2014-12-09
No

In order to protect us from the POODLE vulnerability, we disable SSLv3 support in the CURL library we use. We only want to allow the TLS protocol to be used.

wbemcli cannot connect to an sfcbd if SSLv3 is disabled. It's because of the following line in CimCurl.cpp:

/* Force using SSL V3 */
rv = curl_easy_setopt(mHandle, CURLOPT_SSLVERSION, 3);   /* 3 is CURL_SSLVERSION_SSLv3 */

When I delete this line, wbemcli works (it can connect to a TLS-enabled, SSLv3-disabled sfcbd); otherwise it does not and fails with "SSL connect error".

The suggestion is to remove this line.

Discussion

  • Dave Heller

    Dave Heller - 2014-12-10

    It is true, this is some legacy coding artifact; it should no longer be hard-coded to SSLv3, we should let it be CURL_SSLVERSION_DEFAULT.

    I wrote a patch to make it a configurable option, which may be useful for testing if not some practical application. It uses the environment variable WBEMCLI_CURL_SSLVERSION, which can be set to: SSLv2, SSLv3, TLSv1, TLSv1.0, TLSv1.1 or TLSv1.2, and this sets the curl variable accordingly.

     
  • Andreas Boerner

    Andreas Boerner - 2014-12-10

    Thank you.
    Is there an estimate when this change will make it into a next release?

     
    • Dave Heller

      Dave Heller - 2014-12-22

      I just did a release of wbemcli so I probably won't do another for at least several months. In the meantime you'll have to use the preview version or pick up this patch individually. Hopefully this does not cause too much inconvenience.

       
  • Dave Heller

    Dave Heller - 2014-12-22

    Committed to CVS

     
  • Dave Heller

    Dave Heller - 2014-12-22
    • status: open --> pending
    • assigned_to: Dave Heller
     
  • Vitezslav Crhonek

    It would be nice to have this option documented in wbemcli man page. Proposed description attached.

     
  • Vitezslav Crhonek

    And additionally... I think that it would be better to check the return value from curl_easy_setopt() to find out if the SSL option is available in the particular curl library version. I see at least two reasons for it:

    1. The curl library can contain backported changes (e.g. in long-living distros) and despite the lower LIBCURL_VERSION_NUM it can support newer protocols, which would be unnecessarily excluded if the decision is based on LIBCURL_VERSION_NUM only.
    2. It also assures you that everything in the call of curl_easy_setopt() went fine.

    Proposed changes attached.
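
The WBEMCLI_CURL_SSLVERSION option Dave describes and the curl_easy_setopt() return-value check Vitezslav proposes, as one added example that is not code from this ticket or from wbemcli itself: the function names wbemcli_parse_sslversion and wbemcli_select_sslversion are hypothetical, the setopt callback stands in for a wrapper around curl_easy_setopt(mHandle, CURLOPT_SSLVERSION, v), and fake_setopt_old_libcurl is a constructed stand-in for an old library build.

```c
#include <stdio.h>
#include <string.h>
/* Mirrors libcurl's CURL_SSLVERSION_* enum (DEFAULT=0, TLSv1=1, SSLv2=2, SSLv3=3,
 * TLSv1_0=4, TLSv1_1=5, TLSv1_2=6) when <curl/curl.h> was not included first. */
#if !defined(CURLINC_CURL_H) && !defined(__CURL_CURL_H)
enum { CURL_SSLVERSION_DEFAULT, CURL_SSLVERSION_TLSv1, CURL_SSLVERSION_SSLv2,
       CURL_SSLVERSION_SSLv3, CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1,
       CURL_SSLVERSION_TLSv1_2 };
#endif
/* Spellings accepted in WBEMCLI_CURL_SSLVERSION, as listed in the discussion. */
static const struct { const char *name; long value; } wbemcli_ssl_names[] = {
    { "SSLv2",   CURL_SSLVERSION_SSLv2 },   { "SSLv3",   CURL_SSLVERSION_SSLv3 },
    { "TLSv1",   CURL_SSLVERSION_TLSv1 },   { "TLSv1.0", CURL_SSLVERSION_TLSv1_0 },
    { "TLSv1.1", CURL_SSLVERSION_TLSv1_1 }, { "TLSv1.2", CURL_SSLVERSION_TLSv1_2 },
};

/* Unset or empty means DEFAULT (let libcurl negotiate); an unknown spelling gives -1. */
long wbemcli_parse_sslversion(const char *name)
{
    size_t i;
    if (name == NULL || *name == '\0')
        return CURL_SSLVERSION_DEFAULT;
    for (i = 0; i < sizeof wbemcli_ssl_names / sizeof wbemcli_ssl_names[0]; i++)
        if (strcmp(name, wbemcli_ssl_names[i].name) == 0)
            return wbemcli_ssl_names[i].value;
    return -1;
}
/* setopt wraps curl_easy_setopt(handle, CURLOPT_SSLVERSION, v) and returns 0 only
 * when that call returned CURLE_OK. Returns the version actually left in effect. */
long wbemcli_select_sslversion(const char *env_value,
                               int (*setopt)(long version, void *ctx), void *ctx)
{
    long v = wbemcli_parse_sslversion(env_value);
    if (v < 0) {
        fprintf(stderr, "wbemcli: unknown WBEMCLI_CURL_SSLVERSION '%s'\n", env_value);
        v = CURL_SSLVERSION_DEFAULT;
    }
    /* Ask the library, not LIBCURL_VERSION_NUM: backported support is accepted, an older build rejects it. */
    if (setopt(v, ctx) != 0 && v != CURL_SSLVERSION_DEFAULT) {
        fprintf(stderr, "wbemcli: libcurl rejected SSL version %ld, using default\n", v);
        v = CURL_SSLVERSION_DEFAULT;
        setopt(v, ctx);
    }
    return v;
}

/* Constructed stand-in for a libcurl build that predates the TLSv1_x values. */
int fake_setopt_old_libcurl(long version, void *ctx)
{ (void)ctx; return version > CURL_SSLVERSION_SSLv3 ? -1 : 0; }
```

With a real handle the callback would return `curl_easy_setopt(h, CURLOPT_SSLVERSION, version) == CURLE_OK ? 0 : -1`, so a library that lacks the requested value is detected at runtime rather than by version number.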

     
  • Chris Privitere

    Chris Privitere - 2018-07-20

    Now that it's four years later and SSLv3 is all but dead, it's probably time to do a new release of wbemcli for no reason other than to support modern SSL.

     
