On 10/24/2014 7:44 AM, Daniel Stenberg wrote:
> On Fri, 24 Oct 2014, Kamil Dudka wrote:
>> Should I unimplement the fallback to SSL 3.0 in the NSS backend now, or wait till Ray's patch appears upstream?
>
> I'm digging up Ray's patch just now and I've pushed it!

Two more to look at, GSKit and PolarSSL. Patrick Monnerat already got to GSKit this morning [1]. PolarSSL has SSLv3 support by default unless it's changed at compile time. It is the minimum version:

#define SSL_MIN_MAJOR_VERSION   SSL_MAJOR_VERSION_3
#define SSL_MIN_MINOR_VERSION   SSL_MINOR_VERSION_0

According to the PolarSSL advisory, that can be overridden at runtime [2]. vtls/polarssl.c doesn't have logic for CURL_SSLVERSION_DEFAULT; therefore, my understanding is that PolarSSL's minimum version (SSLv3, I assume, in most cases) is the default. I changed it using the runtime method to make the default TLS 1.0 at minimum [3].

Regarding the fallback in NSS, do you mean the obsolete code that enables a connection retry at the end of nss_fail_connect() in vtls/nss.c? That looks like it can go.

[1]: https://github.com/bagder/curl/commit/3ca5604
[2]: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-03-poodle-attack-on-ssl-v3
[3]: https://github.com/jay/curl/compare/poodlefix

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
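
The effect of raising the minimum version discussed in the message above, as an added example that is not part of the original post and is not curl or PolarSSL code: a stand-alone C model that reads server_version from a ServerHello and applies a configurable floor. The helper names and sample bytes are constructed for illustration; the constant values mirror PolarSSL's ssl.h (major 3, minor 0 for SSL 3.0, minor 1 for TLS 1.0).

```c
#include <stddef.h>
#include <stdio.h>

/* Values as in PolarSSL's ssl.h, redefined so this builds without the library. */
#define SSL_MAJOR_VERSION_3 3
#define SSL_MINOR_VERSION_0 0   /* SSL 3.0 */
#define SSL_MINOR_VERSION_1 1   /* TLS 1.0 */

/* Hypothetical helper: pull server_version out of a record carrying a
   ServerHello. Layout: record type(1) version(2) length(2), handshake
   type(1) length(3), then server_version(2), so 11 bytes are needed.
   Returns 0 on success, -1 if the buffer is short or not a ServerHello. */
int server_hello_version(const unsigned char *buf, size_t len,
                         int *major, int *minor)
{
    if (buf == NULL || len < 11) return -1;
    if (buf[0] != 0x16) return -1;          /* not a handshake record */
    if (buf[5] != 0x02) return -1;          /* not a ServerHello */
    *major = buf[9];
    *minor = buf[10];
    return 0;
}

/* Hypothetical helper: 1 if (major, minor) meets the floor, else 0. */
int version_allowed(int major, int minor, int min_major, int min_minor)
{
    if (major != min_major) return major > min_major;
    return minor >= min_minor;
}

/* Returns 1 if accepted under the floor, 0 if rejected, -1 if unparsable. */
int accept_hello(const unsigned char *buf, size_t len, int min_major, int min_minor)
{
    int maj, min;
    if (server_hello_version(buf, len, &maj, &min) != 0) return -1;
    return version_allowed(maj, min, min_major, min_minor);
}

/* Constructed samples: the first 11 bytes of a ServerHello record. */
static const unsigned char sample_sslv3[] = {   /* server picks SSL 3.0 */
    0x16, 0x03, 0x00, 0x00, 0x2a, 0x02, 0x00, 0x00, 0x26, 0x03, 0x00 };
static const unsigned char sample_tls10[] = {   /* server picks TLS 1.0 */
    0x16, 0x03, 0x01, 0x00, 0x2a, 0x02, 0x00, 0x00, 0x26, 0x03, 0x01 };

int main(void)
{
    printf("SSLv3 hello, floor 3.0: %d\n", accept_hello(sample_sslv3,
           sizeof sample_sslv3, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0));
    printf("SSLv3 hello, floor 3.1: %d\n", accept_hello(sample_sslv3,
           sizeof sample_sslv3, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1));
    return 0;
}
```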