cURL


curl-tracker Archives

[curl:bugs] #1324 curl built with SecureTransport includes support for NULL ciphersuites in ClientHello

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Fri, 10 Jan 2014 22:56:53 +0000

- **status**: pending --> closed-fixed

---
**[bugs:#1324] curl built with SecureTransport includes support for NULL ciphersuites in ClientHello**
**Status:** closed-fixed
**Labels:** SSL/TLS 
**Created:** Thu Jan 09, 2014 10:26 PM UTC by Daniel Stenberg
**Last Updated:** Fri Jan 10, 2014 07:20 AM UTC
**Owner:** Daniel Stenberg
(Copied from http://openradar.appspot.com/radar?id=4788972823773184 with permission)

The version of curl, and presumably libcurl, bundled with Mavericks includes support for insecure ciphersuites in the ClientHello by default. These ciphersuites provide no confidentiality of the communications used.

Ideally the client will only support ciphersuites which provide confidentiality.

Steps to Reproduce:

1. Using howsmyssl.com, get a list of the ciphersuites provided in the ClientHello

        > curl https://www.howsmyssl.com/a/check

2. Check the resulting JSON for given_cipher_suites and insecure_cipher_suites

Expected Results:

insecure_cipher_suites should be empty, and the given_cipher_suites list should only contain ciphersuites that provide confidentiality and integrity protection.

Actual Results:

The cipher suites actually include:

        "TLS_PSK_WITH_NULL_SHA384",
        "TLS_PSK_WITH_NULL_SHA256",
        "TLS_PSK_WITH_NULL_SHA",
        "TLS_RSA_WITH_NULL_SHA256"

The NULL ciphersuite shouldn't be included by default.

Version:

OSX 10.9.1
---
Received on 2014-01-10
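
The check from the report's steps to reproduce, as an added example that is not part of the original mail or of curl's code: it parses a response body shaped like the /a/check output and lists every offered suite whose bulk cipher is NULL. The sample JSON is constructed (only the four NULL suite names come from the report), and the function names and the object shape of insecure_cipher_suites are assumptions.

```python
import json

# Constructed sample shaped like the /a/check response. Only the four NULL
# suite names come from the report; every other value is made up.
SAMPLE_RESPONSE = """
{
  "given_cipher_suites": [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_PSK_WITH_NULL_SHA384",
    "TLS_PSK_WITH_NULL_SHA256",
    "TLS_PSK_WITH_NULL_SHA",
    "TLS_RSA_WITH_NULL_SHA256"
  ],
  "insecure_cipher_suites": {
    "TLS_RSA_WITH_NULL_SHA256": ["constructed reason text"]
  }
}
"""

def split_suite(name):
    """Split TLS_<kx>_WITH_<cipher>_<mac> into (kx, cipher_and_mac)."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        return None  # signalling values and names without a _WITH_ part
    kx, rest = name[len("TLS_"):].split("_WITH_", 1)
    return kx, rest

def null_encryption_suites(suites):
    """Return the offered suites whose bulk cipher is NULL (no confidentiality)."""
    flagged = []
    for name in suites:
        parts = split_suite(name)
        if parts and parts[1].split("_")[0] == "NULL":
            flagged.append(name)
    return flagged

def check_response(body):
    """Apply the report's expected-results test to one JSON response body."""
    data = json.loads(body)
    null_suites = null_encryption_suites(data.get("given_cipher_suites", []))
    # Assumed shape: object keyed by suite name; a plain list also works here.
    server_flagged = sorted(data.get("insecure_cipher_suites") or [])
    return {"passes": not null_suites and not server_flagged,
            "null_suites": null_suites, "server_flagged": server_flagged}

if __name__ == "__main__":
    print(json.dumps(check_response(SAMPLE_RESPONSE), indent=2))
```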
