On Jan 9, 2014, at 4:34 PM, Daniel Stenberg <[email protected]> wrote:

> #1324 - curl built with SecureTransport includes support for NULL ciphersuites
> in ClientHello
> https://sourceforge.net/p/curl/bugs/1324/

I cannot reproduce this one:

===
% src/curl -v "https://www.howsmyssl.com/a/check"
* STATE: INIT => CONNECT handle 0x7ffb42004c08; line 1012 (connection #-5000)
* Hostname was NOT found in DNS cache
* Trying 54.245.96.51...
* STATE: CONNECT => WAITCONNECT handle 0x7ffb42004c08; line 1059 (connection #0)
* Connected to www.howsmyssl.com (54.245.96.51) port 443 (#0)
* STATE: WAITCONNECT => PROTOCONNECT handle 0x7ffb42004c08; line 1172 (connection #0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_RC4_128_SHA
* Server certificate: howsmyssl.com
* Server certificate: GeoTrust SSL CA - G2
* Server certificate: GeoTrust Global CA
* Server certificate: Equifax Secure Certificate Authority
* STATE: PROTOCONNECT => DO handle 0x7ffb42004c08; line 1191 (connection #0)
> GET /a/check HTTP/1.1
> User-Agent: curl/7.34.1-DEV
> Host: www.howsmyssl.com
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x7ffb42004c08; line 1264 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x7ffb42004c08; line 1390 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x7ffb42004c08; line 1403 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Content-Length: 1836
< Connection: close
< Content-Type: application/json
< Date: Thu, 09 Jan 2014 23:28:09 GMT
< Strict-Transport-Security: max-age=631138519; includeSubdomains
<
* STATE: PERFORM => DONE handle 0x7ffb42004c08; line 1573 (connection #0)
* Closing connection 0
* The cache now contains 0 members
{"given_cipher_suites":["TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_RC4_128_SHA","TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDH_ECDSA_WITH_RC4_128_SHA","TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_RSA_WITH_RC4_128_SHA","TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_RC4_128_SHA","TLS_RSA_WITH_RC4_128_MD5","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_RSA_WITH_AES_256_CBC_SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_PSK_WITH_AES_256_CBC_SHA384","TLS_PSK_WITH_AES_128_CBC_SHA256","TLS_PSK_WITH_AES_256_CBC_SHA","TLS_PSK_WITH_AES_128_CBC_SHA","TLS_PSK_WITH_RC4_128_SHA","TLS_PSK_WITH_3DES_EDE_CBC_SHA"],"ephemeral_keys_supported":true,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":false,"insecure_cipher_suites":{},"tls_version":"TLS 1.2","rating":"Improvable"}
===

I don’t see any NULL cipher-suites in there anywhere.

I’m pretty sure I fixed this in commit <https://github.com/bagder/curl/commit/6f78aaad6f262f1de074386dff3f41c95fa997bb>, which I had to make after iOS 7 was released because I was under NDA at the time (so it didn’t get into Mavericks).

Oh, and the NULL_SHA256 one was fixed in a separate commit: <https://github.com/bagder/curl/commit/173160c0d068f1aba390fe6eb2e847af6ae48dca>

I discovered that one when I was testing my work against <https://www.ssllabs.com/ssltest/viewMyClient.html>, which had just launched at the time.

Nick Zitzmann
<http://www.chronosnet.com/>
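
An added example, not part of the original message or of curl: a Python check over a howsmyssl-style `given_cipher_suites` list that flags suites offering no encryption (NULL) or no authentication (NULL or anon key exchange). The sample report is constructed, with three NULL/anon suites added by hand, and `classify` and `audit` are hypothetical names.

```python
import json
import re

# Signalling values share the suite list but negotiate nothing themselves.
SCSV = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_FALLBACK_SCSV"}
# TLS_<key exchange/auth>_WITH_<bulk cipher>_<MAC or PRF hash>
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(.+?)_WITH_(.+)_([A-Za-z0-9]+)$")


def classify(name):
    """Return the problems found in one IANA-style cipher-suite name."""
    if name in SCSV:
        return []
    m = SUITE_RE.match(name)
    if m is None:
        return ["unrecognised-name"]  # never let an unknown name pass silently
    kx, cipher, _mac = m.groups()
    problems = []
    if cipher == "NULL":
        problems.append("no-encryption")
    if kx == "NULL" or "anon" in kx.split("_"):
        problems.append("no-authentication")
    return problems


def audit(report_json):
    """Map each flagged suite in a howsmyssl-style report to its problems."""
    suites = json.loads(report_json)["given_cipher_suites"]
    return {s: p for s in suites if (p := classify(s))}


# Constructed sample: three suites from the report above plus three
# NULL/anon suites added by hand so the checker has something to find.
SAMPLE = json.dumps({"given_cipher_suites": [
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_ECDH_anon_WITH_NULL_SHA",
    "TLS_NULL_WITH_NULL_NULL",
]})

if __name__ == "__main__":
    for suite, problems in audit(SAMPLE).items():
        print(f"{suite}: {', '.join(problems)}")
```

Names without a `_WITH_` separator, such as TLS 1.3 suite names, are reported as `unrecognised-name` rather than passed.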
