Re: weak cipher suites with OpenSSL, SecureTransport and... ?

From: Marc Hoersken
Date: Sat, 22 Feb 2014 17:03:56 +0100

On 22.02.2014 16:04, Marc Hoersken wrote:
> After pushing the change on the 31st of January, I did now notice that
> there seems to be a problem with stunnel and Schannel while using
> TLSv1.2. Disabling it and only allowing SSLv3, TLSv1.0 and TLSv1.1 on
> either side (stunnel config or Internet Explorer options) avoids the issue.
> ...
> So there seems to be an incompatibility between the stunnel and Schannel
> implementations of TLSv1.2.

I found the reason for this incompatibility to be the MD5 hash algorithm
used for the signature of the self-signed test certificate.
Schannel's implementation of TLSv1.2 does not accept certificates with
signatures which are based upon the MD5 hash algorithm. [1]

In order to fix the issue within the testsuite, I regenerated the
certificate using a SHA1 hash and pushed it to the repository. [2]
I also added a note regarding the impact of the previous changes to the
defaults of WinSSL to the release notes. [3]

Received on 2014-02-22
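
An added example, not part of the original mail or of curl's test suite: a small check that reads the outer signatureAlgorithm of a PEM or DER certificate, so that an MD5-signed test certificate like the one described above is noticed before a TLSv1.2 handshake with Schannel fails. The helper names and the sample data are assumptions; the sample is a constructed, certificate-shaped DER skeleton, not a real certificate.

```python
import base64
import re

# Signature algorithm OIDs (PKCS #1), keyed by their DER-encoded content bytes.
PKCS1 = bytes.fromhex("2a864886f70d0101")          # 1.2.840.113549.1.1
SIG_ALGS = {PKCS1 + b"\x04": "md5WithRSAEncryption",
            PKCS1 + b"\x05": "sha1WithRSAEncryption",
            PKCS1 + b"\x0b": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def load_der(data):
    """Accept a PEM or DER certificate and return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def signature_algorithm(cert):
    """Name (or hex OID bytes) of the outer signatureAlgorithm of an X.509 certificate."""
    der = load_der(cert)
    tag, start, _ = read_tlv(der, 0)                # Certificate ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)            #   tbsCertificate (skipped)
    _, alg_start, _ = read_tlv(der, tbs_end)        #   signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)  # algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = der[oid_start:oid_end]
    return SIG_ALGS.get(oid, oid.hex())

def is_md5_signed(cert):
    return signature_algorithm(cert) == "md5WithRSAEncryption"

# --- constructed sample: certificate-shaped DER skeleton, not a real certificate ---
def tlv(tag, body):
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(sig_oid_suffix):
    alg = tlv(0x30, tlv(0x06, PKCS1 + sig_oid_suffix) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, bytes(200)) + alg + tlv(0x03, bytes(17)))

if __name__ == "__main__":
    for name, suffix in (("MD5-signed sample", b"\x04"), ("SHA1-signed sample", b"\x05")):
        print(name, signature_algorithm(sample_cert(suffix)))
```

Only the outer signatureAlgorithm field is read; the signature itself is not verified.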