cURL
Haxx ad
libcurl

curl's project page on SourceForge.net

Sponsors:
Haxx

cURL > Mailing List > Monthly Index > Single Mail

curl-users Mailing List Archives

Re: SSLv2 still being used in 7.19.2?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 11 Feb 2009 07:47:53 +0100 (CET)

On Tue, 10 Feb 2009, Frank BASKER wrote:

> I thought SSLv2 was disabled from 7.18.1 onwards
> The following trace shows SSLv2 being used for the initial handshake
> did I miss something?

It is disabled by default. What you're seeing is an artifact of what libcurl
does due to limitations in the OpenSSL API!

For 'default' connections to a server running some sort of SSL/TLS, libcurl
uses the SSLv23_method() function because it is documented to work with SSLv2,
SSLv3 and TLSv1 and no other existing *_method() that OpenSSL has mentions
this. Also, OpenSSL's docs says "This is the best choice when compatibility is
a concern.".

After that call has succeeded, we explicitly disable SSLv2 for the cases where
you haven't explicitly asked for it. It basically means that we use that
function call only to remain open for the server being SSLv3 or TLSv1.

This method of procedure is documented here:

         http://www.openssl.org/docs/ssl/SSL_CTX_new.html#

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2009-02-11

These mail archives are generated by hypermail.

donate! Page updated November 12, 2010.
web site info

File upload with ASP.NET