
Re: [PATCH] openssl: make it possible to build without SSLv3

From: Ray Satiro <raysatiro_at_yahoo.com>
Date: Mon, 10 Nov 2014 03:13:21 -0500

On 11/9/2014 4:36 PM, Guenter wrote:
> Hi Ray,
> On 08.11.2014 20:43, Ray Satiro wrote:
>> I'm under the impression it's possible regardless. Following the changes
>> to disable SSLv3 by default at one point I had tested against OpenSSL
>> built with no-ssl3 and when I tried SSLv3 in curl I received an
>> unsupported protocol error message. Maybe I forgot to recompile libcurl.
> here's a probably related thread from the httpd view:
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201410.mbox/%3C54501F91.2080104@aldan.algebra.com%3E
>

I just tried OpenSSL 1.0.1j no-ssl3 and if I pass -3 to curl I still get
an SSLv3 client hello and connection. I figured if you disable SSLv3 at
compile time it should be disabled. Makes sense to me but maybe I should
investigate that option. Still doesn't explain what I saw with
unsupported protocol, but to your point that issue is interesting. The
reporter says an SSLv2 hello is being sent out. I'll assume OpenSSL here
since RHEL5 curl uses that I think. OpenSSL doc [1] says:

"If any SSLv2 ciphersuites are included in the cipher list and no
extensions are required then SSLv2 compatible client hellos will be used
by clients and SSLv2 will be accepted by servers. This is *not*
recommended due to the insecurity of SSLv2 and the limited nature of the
SSLv2 client hello prohibiting the use of extensions."
and
"Applications which never want to support SSLv2 (even if the cipher
string is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2."

It doesn't state explicitly that if SSLv2 *protocol* is disabled by
SSL_OP_NO_SSLv2 that the SSLv2 compatible client hello will not be sent,
although one could infer that. libcurl sets SSL_OP_NO_SSLv2 by default
so I'm not sure why that hello. Maybe the curl tool is a legacy one and
isn't setting SSL_OP_NO_SSLv2? Regardless, it seems to me the onus is on
the server to handle that hello.

[1]: https://www.openssl.org/docs/ssl/SSL_CTX_new.html#item_SSLv23_method

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-11-10
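Added example, not code from this thread or from curl/OpenSSL: a small C classifier that tells an SSLv2-compatible CLIENT-HELLO (the kind the httpd reporter saw) apart from an SSLv3/TLS record-layer ClientHello (what curl -3 produced here), reports the highest version the client advertises, and counts genuine SSLv2 cipher kinds, which the quoted OpenSSL doc names as the trigger for the v2-compatible hello. The function and struct names and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

enum hello_kind { HELLO_INVALID = 0, HELLO_V2_COMPAT = 2, HELLO_RECORD_LAYER = 3 };
struct hello_info {
    enum hello_kind kind;
    uint16_t version;   /* highest version the client advertises: 0x0300 SSLv3, 0x0301 TLS 1.0 */
    size_t v2_ciphers;  /* genuine SSLv2 cipher kinds offered (3-byte spec whose first byte != 0) */
};
/* Classify the first client-to-server bytes of a captured SSL/TLS stream (constructed helper). */
struct hello_info classify_client_hello(const uint8_t *b, size_t len)
{
    struct hello_info r = { HELLO_INVALID, 0, 0 };
    if (len < 11) return r;
    if (b[0] & 0x80) {
        /* SSLv2-compatible CLIENT-HELLO: 2-byte header (high bit set), msg type 1, version,
           cipher-spec len, session-id len, challenge len, then 3-byte cipher specs. */
        size_t rec_len = (size_t)(b[0] & 0x7f) << 8 | b[1];
        size_t cipher_len = (size_t)b[5] << 8 | b[6];
        if (b[2] != 0x01 || rec_len + 2 > len || cipher_len % 3 || 11 + cipher_len > rec_len + 2)
            return r;
        r.version = (uint16_t)(b[3] << 8 | b[4]);   /* a v2 hello can still advertise SSLv3/TLS */
        for (size_t i = 0; i < cipher_len; i += 3)
            if (b[11 + i] != 0x00) r.v2_ciphers++;  /* SSLv3/TLS suites appear as {0x00, suite} */
        r.kind = HELLO_V2_COMPAT;
        return r;
    }
    if (b[0] == 0x16) {
        /* SSLv3/TLS record layer: type(1) version(2) length(2), Handshake type(1) length(3),
           then the ClientHello body, whose first two bytes are client_version. */
        size_t rec_len = (size_t)b[3] << 8 | b[4];
        size_t hs_len = (size_t)b[6] << 16 | (size_t)b[7] << 8 | b[8];
        if (b[5] != 0x01 || rec_len + 5 > len || hs_len + 4 > rec_len || hs_len < 41) return r;
        r.version = (uint16_t)(b[9] << 8 | b[10]);
        r.kind = HELLO_RECORD_LAYER;                /* SSLv2 cipher kinds cannot appear here */
    }
    return r;
}
/* Constructed sample captures for this example (not real traffic). */
static const uint8_t v2_compat_hello[] = {
    0x80, 0x22, 0x01, 0x03, 0x00,               /* v2 header (body len 34), CLIENT-HELLO, SSLv3 */
    0x00, 0x09, 0x00, 0x00, 0x00, 0x10,         /* 3 cipher specs, no session id, 16-byte challenge */
    0x00, 0x00, 0x2f, 0x01, 0x00, 0x80, 0x00, 0x00, 0x0a,  /* AES128-SHA, SSLv2 RC4-MD5, DES-CBC3-SHA */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10 };
static const uint8_t v3_record_hello[] = {
    0x16, 0x03, 0x00, 0x00, 0x2d, 0x01, 0x00, 0x00, 0x29,  /* record len 45, ClientHello len 41 */
    0x03, 0x00, /* client_version SSLv3 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* 32-byte random */ 0x00, /* session id len */
    0x00, 0x02, 0x00, 0x2f, 0x01, 0x00 };       /* one cipher suite, one compression method */
```

Running the classifier over a capture of a client that should have SSL_OP_NO_SSLv2 set shows directly whether it still emits the v2-compatible hello and whether any SSLv2 cipher kinds are in its list.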