A naive glance at the code, and getting data from other users, it seems that curl is using whatever the TLS library gives it.

This is causing users with SecureTransport builds to get NULL cipher suites(!).

---
** [bugs:#1323] remove export cipher suites from preference list**
**Status:** open
**Labels:** SSL/TLS 
**Created:** Thu Jan 09, 2014 08:20 PM UTC by Jeff Hodges
**Last Updated:** Thu Jan 09, 2014 08:21 PM UTC
**Owner:** nobody
Curl, built against OpenSSL, currently includes export strength cipher suites in its TLS ClientHello. This is problematic because those cipher suites use only 40-bit keys making them easy to brute force. 128-bit keys are the current minimum recommended key size.
This was found by using the latest released curl (7.34.0) to query https://www.howsmyssl.com/a/check
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.