

Re: weak cipher suites with OpenSSL, SecureTransport and... ?

From: Fabian Frank <>
Date: Thu, 9 Jan 2014 23:22:44 -0800

On Jan 9, 2014, at 2:34 PM, Daniel Stenberg <> wrote:
> Left to do is then to build curl with other TLS backends and try it against to see if there are more flaws in this style.

I tried axtls, unfortunately
$ ./src/curl ''
bi_terminate: there were 1 un-freed bigints
Abort trap: 6

The error “bi_terminate: …” happens inside axtls, when it wants to shut down its bigint implementation but has not freed all bigints yet. It looks like (quick glance with gdb) axtls chokes on the certificate signature that v presents. This would make sense, because the cert is SHA-256 signed and according to axtls only has SHA-1 support.

On the bright side, when ignoring the cert’s signature, it seems that no export/null ciphers are being offered:
$ ./src/curl -k ''
{"given_cipher_suites":["TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_RC4_128_SHA","TLS_RSA_WITH_RC4_128_MD5"],"ephemeral_keys_supported":false,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":false,"insecure_cipher_suites":{},"tls_version":"TLS 1.1","rating":"Improvable"}


Received on 2014-01-10
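
An added example, not part of the original mail and not curl or axTLS code: a small Python check that reads a report with the same field names as the JSON in the mail above and flags the offered suites by the tokens in their names. The sample report is constructed, and the token policy (including treating RC4 and MD5 suites as weak) is an assumption of this example, not the checking service's own rule set.

```python
import json

# Constructed sample report: same field names as the JSON in the mail.
SAMPLE_REPORT = """
{"given_cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA",
  "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA",
  "TLS_RSA_WITH_RC4_128_MD5"],
 "ephemeral_keys_supported": false, "tls_version": "TLS 1.1"}
"""

# Policy of this example (an assumption, not the checking service's rules):
# name tokens that mark a suite as one a client should not offer.
WEAK_TOKENS = {
    "EXPORT": "export-grade key size",
    "NULL": "no encryption",
    "anon": "unauthenticated key exchange",
    "DES": "single DES",
    "RC4": "RC4 stream cipher",
    "MD5": "MD5-based MAC",
}
EPHEMERAL_KX = {"DHE", "ECDHE"}


def audit_offer(report_json):
    """Classify the suites a client offered, based on their IANA names."""
    report = json.loads(report_json)
    weak = {}
    ephemeral = False
    for suite in report.get("given_cipher_suites", []):
        # Split on "_" so "DES" does not match "3DES" and "SHA" not "SHA256".
        tokens = set(suite.split("_"))
        reasons = [why for tok, why in WEAK_TOKENS.items() if tok in tokens]
        if reasons:
            weak[suite] = reasons
        ephemeral = ephemeral or bool(tokens & EPHEMERAL_KX)
    return {
        "weak": weak,
        "ephemeral_offered": ephemeral,
        # Cross-check against what the service itself reported.
        "matches_service": ephemeral == report.get("ephemeral_keys_supported"),
    }


if __name__ == "__main__":
    print(json.dumps(audit_offer(SAMPLE_REPORT), indent=2))
```
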