Feature Requests item #1767276, was opened at 2007-08-03 21:11
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=350976&aid=1767276&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Scott Cantor (scantor)
Assigned to: Daniel Stenberg (bagder)
Summary: Request option to disable SSLv2

Initial Comment:
The current version selection option for SSL lets the caller turn on a specific SSL/TLS version, but not disable one. Normally SSLv3 and TLSv1 would both be acceptable, but SSLv2 is never acceptable because of its holes, so it would be good to have the option to allow anything but that version.

(We've tested that disabling the SSLv2 ciphers doesn't actually disable use of SSLv2 itself.)

I checked the openssl s_client options, and it supports turning off a specific version, so apparently it can be done.

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2007-08-03 23:25

Message:
Logged In: YES
user_id=1110
Originator: NO

How does the s_client support this? (I mean option/command etc)

I don't find any easy API for this in the OpenSSL docs, so possibly the
lib would have to do a version check after a connect has been performed and
then close down again if using the wrong version...

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=350976&aid=1767276&group_id=976
Received on 2007-08-03