
Re: curl with openssl not honoring MaxProtocol in openssl conf

From: Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>
Date: Wed, 4 Jan 2023 23:47:58 +0100 (CET)

On Tue, 3 Jan 2023, Andreas Hasenack via curl-users wrote:

> It sounds like these are just initial defaults that are applied when nothing
> else says otherwise. For example, if I used something like --tlsv1.3 or
> --tls-max in curl, I would expect those command-line options to override the
> openssl library defaults, but in their absence, whatever is the default in
> openssl would take place (or, whatever is the default in curl, that could
> also override openssl defaults).

It seems like a reasonable view, even if I suppose this is not the most common
use case. Presumably the glue code in libcurl would need to be adapted to make
it work like this.

> In the case of curl, it seems to work fine for other parameters (well,
> one I tested). For example, I can use "MinProtocol = TLSv1.3", and
> when I try to use curl to connect to a TLSv1.2-only server, it
> correctly fails:

It's just random. I suspect we have never properly considered the config file
and that it could set a default like this; whatever works or doesn't work now
is totally just because it happened and this is how curl's current use of the
APIs ends up working.

The behavior changed at some point around five years ago and you are the first
person to report it...

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
Received on 2023-01-04
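
The thread concerns curl not picking up `MaxProtocol` from the OpenSSL config file, while `--tlsv1.3` and `--tls-max` are the command-line options discussed. The following is an added example, not code from the thread or from the curl project: it reads the system default bounds from an openssl.cnf and turns them into explicit curl options, so the limit does not depend on the config default being honored. The sample config and all function names are constructed for illustration.

```python
import re

# Constructed sample openssl.cnf (not from the thread). It uses the usual
# openssl_conf -> ssl_conf -> system_default chain of section references.
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Pin both ends to TLS 1.2
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.2
"""

# OpenSSL protocol names -> version strings used by curl's options.
VERSIONS = {"TLSv1": "1.0", "TLSv1.1": "1.1", "TLSv1.2": "1.2", "TLSv1.3": "1.3"}

def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}."""
    sections, current = {"": {}}, ""   # "" holds keys before any [section]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default_bounds(text):
    """Follow the section chain and return (MinProtocol, MaxProtocol)."""
    sections = parse_cnf(text)
    name = sections[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = sections.get(name, {}).get(key)
    defaults = sections.get(name, {})
    return defaults.get("MinProtocol"), defaults.get("MaxProtocol")

def curl_tls_args(text):
    """Express the config's bounds as explicit curl command-line options."""
    lo, hi = system_default_bounds(text)
    args = ["--tlsv" + VERSIONS[lo]] if lo in VERSIONS else []
    return args + (["--tls-max", VERSIONS[hi]] if hi in VERSIONS else [])
```
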