On 10/24/2014 2:57 PM, Ray Satiro wrote:
PolarSSL has SSLv3 support by default unless it's changed at compile
time. It is the minimum version:
#define SSL_MIN_MAJOR_VERSION SSL_MAJOR_VERSION_3
#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_0
According to the PolarSSL advisory that can be overridden at runtime
[2]. vtls/polarssl.c doesn't have logic for CURL_SSLVERSION_DEFAULT
therefore my understanding is PolarSSL's minimum version (SSLv3 I
assume in most cases) is the default. I changed it using the runtime
method to make the default TLS 1.0 at minimum [3].
I can't find that I got any feedback on this PolarSSL change and it
doesn't look as though it ever made it to the central repo. I know the
next curl release is a few days away. If there's a problem with it or
you want it as a patch let me know. It would be good if someone familiar
with PolarSSL could take a look and make sure the change is OK.
[2]: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-03-poodle-attack-on-ssl-v3
[3]: https://github.com/jay/curl/compare/poodlefix
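To make the effect of the change concrete, here is an added stand-alone model (written for this thread, not code from curl's vtls/polarssl.c or from PolarSSL) of how a CURLOPT_SSLVERSION choice is turned into the minimum protocol version handed to PolarSSL's runtime ssl_set_min_version() call, before and after raising the DEFAULT floor from SSL 3.0 to TLS 1.0. The PolarSSL and curl constants are copied by value so the block builds without either library's headers; the poodle_fix flag is an assumption standing in for "patch [3] applied".

```c
#include <stdbool.h>

/* Values copied from PolarSSL 1.3's ssl.h so this builds stand-alone. */
#define SSL_MAJOR_VERSION_3 3
#define SSL_MINOR_VERSION_0 0   /* SSL 3.0: PolarSSL's compiled-in floor */
#define SSL_MINOR_VERSION_1 1   /* TLS 1.0 */
#define SSL_MINOR_VERSION_2 2   /* TLS 1.1 */
#define SSL_MINOR_VERSION_3 3   /* TLS 1.2 */

/* CURLOPT_SSLVERSION values as defined in curl/curl.h. */
enum {
    CURL_SSLVERSION_DEFAULT = 0, CURL_SSLVERSION_TLSv1   = 1,
    CURL_SSLVERSION_SSLv2   = 2, CURL_SSLVERSION_SSLv3   = 3,
    CURL_SSLVERSION_TLSv1_0 = 4, CURL_SSLVERSION_TLSv1_1 = 5,
    CURL_SSLVERSION_TLSv1_2 = 6
};

/* Minor version to pass to ssl_set_min_version() (major is always 3),
   or -1 if the backend cannot honour the request (PolarSSL has no SSLv2).
   poodle_fix == 0 models the unpatched backend: DEFAULT adds no logic, so
   PolarSSL's own floor (SSL 3.0) applies.  poodle_fix != 0 models the
   patched backend, which raises DEFAULT to TLS 1.0 at runtime. */
int polarssl_min_minor(int sslversion, int poodle_fix)
{
    switch (sslversion) {
    case CURL_SSLVERSION_DEFAULT:
        return poodle_fix ? SSL_MINOR_VERSION_1 : SSL_MINOR_VERSION_0;
    case CURL_SSLVERSION_SSLv3:   return SSL_MINOR_VERSION_0;
    case CURL_SSLVERSION_TLSv1:             /* "TLS 1.x": floor at 1.0 */
    case CURL_SSLVERSION_TLSv1_0: return SSL_MINOR_VERSION_1;
    case CURL_SSLVERSION_TLSv1_1: return SSL_MINOR_VERSION_2;
    case CURL_SSLVERSION_TLSv1_2: return SSL_MINOR_VERSION_3;
    default:                      return -1;
    }
}

/* Would a peer proposing protocol (major, minor) satisfy a floor of
   (SSL_MAJOR_VERSION_3, floor_minor)?  This is the check that decides
   whether an SSL 3.0 handshake is still accepted. */
bool version_meets_floor(int floor_minor, int major, int minor)
{
    if (floor_minor < 0)
        return false;
    return major > SSL_MAJOR_VERSION_3 ||
           (major == SSL_MAJOR_VERSION_3 && minor >= floor_minor);
}
```

With the unpatched mapping an SSL 3.0 proposal passes the floor check; with the patched mapping it does not, while TLS 1.0 and later still do.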
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html