On Thu, Oct 16, 2014 at 07:30:39AM +0000, Bruno Thomsen wrote: > From a security aspect SSLv3 should be dropped completely due to its many > weaknesses. > I think it would be a good move to follow in the footsteps of libressl. > Legacy systems are most likely also using an old version of curl.
That's probably the right response. Ideally, we could provide an option like --ssl-allow-beast to allow SSL3.0 if absolutely necessary, but if this were hidden behind a compile-time option instead, I wouldn't be too upset. It's irresponsible to allow SSL3 by default any more. >>> Dan ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
