On Wed, 10 Sep 2014, Ben Sutcliffe wrote:
> I can submit a patch if you guys are interested
Yes thanks, that'd be great! I'm sure there is or will be other interested people.
> curl_schannel.c:
> - Explicitly set cipher algorithm to RC4. Whatever the default cipher was, it wasn't working unless I was careful to pad my messages to presumably the correct block size (?). I'm guessing RC4 works since it's a stream cipher instead of a block cipher...but I don't know much about crypto. Not sure how secure RC4 is anyway...so maybe there's a better alternative.
RC4 is insecure. To the point where we've stopped using it in general, and it is being avoided universally where security and encryption are involved. See http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-02
The main problem with completely disabling RC4 all over tends to involve old Windows installations, see https://www.ietf.org/mail-archive/web/tls/current/msg11935.html
So, you need to consider the alternatives. RC4 is known to be insecure, but possibly less bad than the other algorithms you can choose from!
> - Fix an apparent bug in hostname verification for wildcard certs. For "*.example.com" from the cert, it was comparing ".example.com" instead of "example.com" against the server's hostname
Oh, that's not just for the embedded version then is it? It sounds significant enough that it is strange that it hasn't already been reported...
> - A few small mods to allow libcurl to build for WinCE 6 (eg, use send()/recv() instead of write()/read()).
What? AFAIK, only minix uses write() and everything else uses send() already (and all internals do it with swrite() which is a macro that "hides" the real function being used). Am I wrong?
-- 
/ daniel.haxx.se

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
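The wildcard hostname check discussed in the quoted report, as an added C example that is not curl's code: `wildcard_match_off_by_one` reproduces the described behaviour (the "*" is skipped but the "." is not, so ".example.com" is compared against "example.com" and a valid cert is rejected), and `wildcard_match` is a correct matcher; the extra restrictions in it (single leftmost wildcard label, at least two labels after it, non-empty leftmost host label) are assumptions of this example, not something the thread states.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>
#include <stdio.h>

/* Suffix of `host` after its first label (after the first '.'), or NULL. */
static const char *after_first_label(const char *host)
{
    const char *dot = strchr(host, '.');
    return dot ? dot + 1 : NULL;
}

/* Behaviour as described in the report: only the '*' is stripped from the
 * cert name, so ".example.com" is compared with "example.com" and never
 * matches, rejecting hostnames the certificate legitimately covers. */
bool wildcard_match_off_by_one(const char *cert_name, const char *host)
{
    const char *host_rest = after_first_label(host);
    if(cert_name[0] != '*' || cert_name[1] != '.' || !host_rest)
        return false;
    return strcasecmp(cert_name + 1, host_rest) == 0;
}

/* Correct matcher: strip "*." from the cert name and the leftmost label from
 * the host, then compare the remainders case-insensitively. The extra
 * restrictions below are this example's assumptions, not from the post. */
bool wildcard_match(const char *cert_name, const char *host)
{
    const char *host_rest;
    if(strncmp(cert_name, "*.", 2) != 0)
        return strcasecmp(cert_name, host) == 0;  /* no wildcard: exact match */
    if(strchr(cert_name + 2, '*'))
        return false;                  /* one wildcard only, leftmost label */
    if(!strchr(cert_name + 2, '.'))
        return false;                  /* refuse overly broad "*.com" */
    host_rest = after_first_label(host);
    if(!host_rest || host_rest == host + 1)
        return false;                  /* host needs a non-empty first label */
    return strcasecmp(cert_name + 2, host_rest) == 0;
}

int main(void)
{
    /* Constructed sample: the case from the report. */
    printf("off-by-one: %d\n", wildcard_match_off_by_one("*.example.com", "www.example.com"));
    printf("correct:    %d\n", wildcard_match("*.example.com", "www.example.com"));
    return 0;
}
```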