Re: CURLUSESSL_TRY with failing TLS negotiation
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 28 Dec 2023 17:37:07 +0100 (CET)
On Thu, 28 Dec 2023, Patrick Monnerat via curl-library wrote:
> In IMAP/POP3/SMTP, a failing CURLUSESSL_TRY behaves as expected as long as
> TLS negotiation has not started, but terminates in error if the latter
> fails. I noticed it by reading the code and, since there is no support for
> STARTTLS in our test environment, I verified it manually with a personal
> IMAP server.
>
> I wonder if this is intentional or a bug. Any clue?
I don't think we considered this case, so just an oversight I believe.
Since the try option allows continuing without TLS, the liberal approach would
probably be to survive the TLS failure and continue without. But since we
*never* did that in the past, and the try option is a terribly bad option and
a generally bad security idea, it feels like a better approach is now to
instead document that this is how it works. We already discourage the use of
the try option.
--
/ daniel.haxx.se | Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://curl.se/support.html
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2023-12-28