
curl-library

Re: [PATCH] openssl: make it possible to build without SSLv3

From: Ray Satiro <raysatiro_at_yahoo.com>
Date: Mon, 10 Nov 2014 14:43:14 -0500

On 11/10/2014 7:17 AM, Alessandro Ghedini wrote:
> On Mon, Nov 10, 2014 at 03:13:21 -0500, Ray Satiro wrote:
>
>> I just tried OpenSSL 1.0.1j no-ssl3 and if I pass -3 to curl I still get an
>> SSLv3 client hello and connection.
> Yeah. The thing about no-ssl3 is that AFAICT, it only disables SSLv3 when
> SSLv23_client_method() is used, but the SSLv3_* functions still work (which is
> IMO wrong).

Yes, looks like they aren't disabled with no-ssl3. I found a comment in
one of their bugs that says the same [1]. Prior versions were actually
more relaxed [2]. Now I wonder if the patch you submitted is a good idea
because although I agree that defining OPENSSL_NO_SSL3 when building
OpenSSL should disable SSLv3 (protocol not ciphers), it doesn't. So what
if someone who knows that behavior builds OpenSSL like that and expects
curl to still have SSLv3 capability with --sslv3? Is that unreasonable?

>> Still doesn't explain what I saw with unsupported protocol
> Not sure if this is the same situation as yours, but e.g. https://example.com
> doesn't support SSLv3, so when I tried "curl -3 https://example.com" it failed
> with the error "sslv3 alert handshake failure". It took me a while to realize
> that the error came from the server and not curl... :/

Ah. Probably.

[1]: http://rt.openssl.org/Ticket/Display.html?id=3585#txn-49313
[2]: https://www.openssl.org/news/vulnerabilities.html#2014-3568

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-11-10