
curl-tracker Archives

[curl:bugs] #1434 disable SSLv3 per default

From: Cálestyo <calestyo_at_users.sf.net>
Date: Mon, 20 Oct 2014 15:40:09 +0000

Hey.

Well, if you discuss this anyway already... it's fine for me.

But strictly speaking I would call this a bug: not supporting SSLv3, but using it per default.

When people use https/ftp/smtps/etc. they do this because they want the security/authenticity/etc. - otherwise they could have simply used the non-TLS versions.
The common opinion now seems to be that SSLv3 is really at its end, so with it being used by default, curl no longer provides the security expected with https/etc.

Therefore I think it's a bug.

Just as if you'd have a software RAID which does not really do what it's expected to do (giving you resilience with your data).

Cheers,
Chris.

---
**[bugs:#1434] disable SSLv3 per default**
**Status:** closed-invalid
**Created:** Thu Oct 16, 2014 11:54 AM UTC by Cálestyo
**Last Updated:** Mon Oct 20, 2014 01:55 PM UTC
**Owner:** Daniel Stenberg

Hi.

In the light of the recently published attacks against SSLv3 I think it would be appropriate to disable at least SSLv3 from being ever used per default in any place of curl/libcurl.

Only if -3, --sslv3 is explicitly given, SSLv3 should be used.

The same applies analogously to SSLv2 (if not already the case).

Thanks,
Chris.
---
Received on 2014-10-20
