On Jan 9, 2014, at 2:34 PM, Daniel Stenberg <[email protected]> wrote:

> Left to do is then to build curl with other TLS backends and try it against
> https://www.howsmyssl.com/a/check to see if there are more flaws in this
> style.

I tried axtls, unfortunately

$ ./src/curl 'https://www.howsmyssl.com/a/check'
bi_terminate: there were 1 un-freed bigints
Abort trap: 6

The error “bi_terminate: …” happens inside axtls, when it wants to shut down its bigint implementation but did not free all bigints, yet. It looks like (quick glance with gdb) that axtls chokes on the certificate signature that www.howsmyssl.com presents. This would make sense, because the cert is SHA-256 signed and according to http://axtls.sourceforge.net/specifications.htm axtls only has SHA-1 support.

On the bright side, when ignoring the cert’s signature, it seems that no export/null ciphers are being offered:

$ ./src/curl -k 'https://www.howsmyssl.com/a/check'
{"given_cipher_suites":["TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_RC4_128_SHA","TLS_RSA_WITH_RC4_128_MD5"],"ephemeral_keys_supported":false,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":false,"insecure_cipher_suites":{},"tls_version":"TLS 1.1","rating":"Improvable"}

Regards,
Fabian
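The export/null check described in the message above can be scripted when repeating it across TLS backends. This is an added example, not part of the original message or of curl: the first sample is the JSON quoted in the message, the second is constructed, and the helper names and the assumption that the keys of insecure_cipher_suites are suite names are mine.

```python
import json

# Response body copied from the message above (curl -k against /a/check).
PAGE_RESPONSE = '{"given_cipher_suites":["TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_RC4_128_SHA","TLS_RSA_WITH_RC4_128_MD5"],"ephemeral_keys_supported":false,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":false,"insecure_cipher_suites":{},"tls_version":"TLS 1.1","rating":"Improvable"}'

# Constructed counter-example (not real output): a client offering weak suites.
CONSTRUCTED_RESPONSE = json.dumps({
    "given_cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                            "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                            "TLS_RSA_WITH_NULL_SHA"],
    "insecure_cipher_suites": {}, "tls_version": "TLS 1.0", "rating": "Bad"})

# Substrings of IANA suite names for the two classes the message checks.
WEAK_MARKERS = {"null": "_NULL_", "export": "_EXPORT"}


def classify(suites):
    """Map each weak class to the offered suites whose name matches it."""
    found = {label: [] for label in WEAK_MARKERS}
    for name in suites:
        for label, marker in WEAK_MARKERS.items():
            if marker in name:
                found[label].append(name)
    return found


def review(body):
    """Summarise one /a/check response for a TLS backend under test."""
    report = json.loads(body)
    suites = report.get("given_cipher_suites") or []
    if not suites:
        # An empty list means the check did not run; do not report "clean".
        raise ValueError("response lists no offered cipher suites")
    weak = classify(suites)
    # Assumption: the object's keys are the suite names the service flagged.
    server_flagged = sorted(report.get("insecure_cipher_suites", {}))
    local = sorted(n for names in weak.values() for n in names)
    return {
        "tls_version": report.get("tls_version"),
        "rating": report.get("rating"),
        "weak": weak,
        "server_flagged": server_flagged,
        "missed_by_server": [n for n in local if n not in server_flagged],
    }


if __name__ == "__main__":
    for label, body in (("page", PAGE_RESPONSE), ("constructed", CONSTRUCTED_RESPONSE)):
        print(label, json.dumps(review(body), indent=2))
```
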
