cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: SSLv2 still being used in 7.19.2?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 11 Feb 2009 07:47:53 +0100 (CET)

On Tue, 10 Feb 2009, Frank BASKER wrote:

> I thought SSLv2 was disabled from 7.18.1 onwards
> The following trace shows SSLv2 being used for the initial handshake
> did I miss something?

It is disabled by default. What you're seeing is an artifact of what libcurl
does due to limitations in the OpenSSL API!

For 'default' connections to a server running some sort of SSL/TLS, libcurl
uses the SSLv23_method() function because it is documented to work with SSLv2,
SSLv3 and TLSv1 and no other existing *_method() that OpenSSL has mentions
this. Also, OpenSSL's docs says "This is the best choice when compatibility is
a concern.".

After that call has succeeded, we explicitly disable SSLv2 for the cases where
you haven't explicitly asked for it. It basically means that we use that
function call only to remain open for the server being SSLv3 or TLSv1.

This method of procedure is documented here:

http://www.openssl.org/docs/ssl/SSL_CTX_new.html#

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2009-02-11

This message: [ Message body ]
Next message: Benjamin Endr� Larsen: "Install problem"
Previous message: Daniel Stenberg: "RE: get error_state"
In reply to: Frank BASKER: "SSLv2 still being used in 7.19.2?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]