curl-library

Re: Libxurl use only TLSv1_2

From: Indtiny s <indtiny_at_gmail.com>
Date: Tue, 30 Apr 2013 07:45:35 +0530

Hi,
Yes, the server supports TLSv1.2 and I have to authenticate the server using
TLSv1.2 only.

What I heard from the webServer forum is that since the server looks only
for TLSv1.2 (the server is configured like so for some requirement) and if
a client tries with V1.1, it fails.

If I change to curl_easy_setopt(curl,
CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
then I get the SSL connection error.

And with _DEFAULT it makes the Client Hello and throws Internal error (80).

I am not able to figure out the problem.
Herewith I have attached my complete Wireshark log.

--Indra

On Tue, Apr 30, 2013 at 1:33 AM, Nick Zitzmann <nick_at_chronosnet.com> wrote:

>
> On Apr 29, 2013, at 1:15 PM, Indtiny s <indtiny_at_gmail.com> wrote:
>
> > I have compiled libcurl with openssl, when I tried for some TLS
> > handshake.
> >
> > Curl is trying to send both the versions, i.e. TLSv1 and TLSv1.2.
> >
> > How to make curl start the handshake with TLSv1.2 only?
>
> If I'm reading that screen shot correctly, it appears that OpenSSL asked
> the server for a TLS 1.2 session, but the server downgraded to 1.0. I'm not
> surprised; TLS 1.2 support is actually quite rare among servers, because as
> of now, only one Web browser (Safari, in iOS 5 and Mountain Lion) uses it,
> and there hasn't been a major security hole in TLS 1.0 yet that couldn't be
> worked around, so most servers don't support TLS 1.1 or 1.2 yet.
>
> If the server is accessible on the public Internet, then you can use
> Qualys' server security tester to verify whether or not the server supports
> TLS 1.2: <https://www.ssllabs.com/ssltest/index.html>
>
> If my suspicion is correct, then I wouldn't worry too much. TLS 1.2 is
> neat, but 1.0 is generally secure as long as compression is turned off
> (which libcurl turns off) and the library splits packets when using a CBC
> cipher (which I'm pretty sure OpenSSL does).
>
> > curl_easy_setopt(curl, CURLOPT_SSLVERSION,CURL_SSLVERSION_TLSv1_2);
> > but CURL_SSLVERSION_TLSv1_2 is not defined in the curl 7.28.1
>
> That's because, when libcurl is configured to use TLSv1, it will
> automatically use the highest version number supported by your TLS library,
> and downgrade to TLS 1.0 if the server doesn't support 1.1 or 1.2. There's
> no separate option here because, until a serious problem is found in 1.0,
> there doesn't need to be a separate option.
>
> Nick Zitzmann
> <http://www.chronosnet.com/>
>
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>


Received on 2013-04-30
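
Added example, not part of either message and not curl project code: when reading a capture like the one discussed in this thread, note that a TLS ClientHello carries two version fields (one in the record header, one in the handshake body) and that an unencrypted alert record carries a one-byte description such as 80 (internal_error). The sketch below pulls those fields out of raw record bytes per the RFC 5246 layout; the function names and the sample bytes are constructed for illustration.

```c
/* Added example: read version fields and alerts from one raw TLS record.
   Field layout per RFC 5246; function names and sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns the record body length, or -1 if the 5-byte header or body is truncated. */
static int body_len(const uint8_t *b, size_t n)
{
    if (n < 5) return -1;
    size_t len = ((size_t)b[3] << 8) | b[4];
    return len <= n - 5 ? (int)len : -1;
}

/* Version in the record header: 0x0301 = TLS 1.0, 0x0303 = TLS 1.2. */
int tls_record_version(const uint8_t *b, size_t n)
{
    return body_len(b, n) < 0 ? -1 : (b[1] << 8) | b[2];
}

/* client_version inside a ClientHello (content type 22, handshake type 1), else -1. */
int tls_client_hello_version(const uint8_t *b, size_t n)
{
    int len = body_len(b, n);
    if (len < 6 || b[0] != 22 || b[5] != 1) return -1;
    return (b[9] << 8) | b[10];
}

/* Description byte of an unencrypted alert record (content type 21), else -1. */
int tls_alert_description(const uint8_t *b, size_t n)
{
    return (body_len(b, n) == 2 && b[0] == 21) ? b[6] : -1;
}

/* Constructed: start of a ClientHello, record version 3.1, client_version 3.3. */
const uint8_t sample_hello[] = {22, 3, 1, 0, 6, 1, 0, 0, 2, 3, 3};
/* Constructed: fatal alert (level 2), description 80 = internal_error. */
const uint8_t sample_alert[] = {21, 3, 3, 0, 2, 2, 80};

int main(void)
{
    printf("record 0x%04x, client_version 0x%04x\n",
           (unsigned)tls_record_version(sample_hello, sizeof sample_hello),
           (unsigned)tls_client_hello_version(sample_hello, sizeof sample_hello));
    printf("alert description %d\n",
           tls_alert_description(sample_alert, sizeof sample_alert));
    return 0;
}
```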