On Friday 24 October 2014 14:57:00 Ray Satiro wrote:
> On 10/24/2014 7:44 AM, Daniel Stenberg wrote:
> > On Fri, 24 Oct 2014, Kamil Dudka wrote:
> >> Should I unimplement the fallback to SSL 3.0 in the NSS backend now,
> >> or wait till Ray's patch appears upstream?
> >
> > I'm digging up Ray's patch just now and I've pushed it!
>
> Two more to look at, GSKit and PolarSSL. Patrick Monnerat already got to
> GSKit this morning [1]. PolarSSL has SSLv3 support by default unless
> it's changed at compile time. It is the minimum version:
>
> #define SSL_MIN_MAJOR_VERSION SSL_MAJOR_VERSION_3
> #define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_0
>
> According to the PolarSSL advisory that can be overridden at runtime
> [2]. vtls/polarssl.c doesn't have logic for CURL_SSLVERSION_DEFAULT
> therefore my understanding is PolarSSL's minimum version (SSLv3 I assume
> in most cases) is the default. I changed it using the runtime method to
> make the default TLS 1.0 at minimum [3].
>
> Regarding the fallback in NSS do you mean the obsolete code that enables
> a connection retry at the end of nss_fail_connect() in vtls/nss.c? That
> looks like it can go.

I have just pushed a patch that drops it:

https://github.com/bagder/curl/compare/b5ed5843a4...276741af4d

Kamil

> [1]: https://github.com/bagder/curl/commit/3ca5604
> [2]: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-03-poodle-attack-on-ssl-v3
> [3]: https://github.com/jay/curl/compare/poodlefix
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
