On 11/3/2014 3:07 AM, Daniel Stenberg wrote:
> On Mon, 3 Nov 2014, Ray Satiro wrote:
>> I can't find that I got any feedback on this PolarSSL change and it
>> doesn't look as though it ever made it to the central repo. I know
>> the next curl release is a few days away. If there's a problem with
>> it or you want it as a patch let me know.
>
> Can you please post the specific patch on the list here for review and
> comments?

ok attached

From 42a0cb3d7076108290ed5dd7601a3d7b4c765d26 Mon Sep 17 00:00:00 2001
From: Jay Satiro <[email protected]>
Date: Fri, 24 Oct 2014 14:26:57 -0400
Subject: [PATCH] SSL: PolarSSL default min SSL version TLS 1.0
- Prior to this change no SSL minimum version was set by default at
runtime for PolarSSL. Therefore in most cases PolarSSL would probably
have defaulted to a minimum version of SSLv3 which is no longer secure.
---
lib/vtls/polarssl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index 5332b92..a9ea1e5 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -287,6 +287,11 @@ polarssl_connect_step1(struct connectdata *conn,
}
switch(data->set.ssl.version) {
+ default:
+ case CURL_SSLVERSION_DEFAULT:
+ ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
+ SSL_MINOR_VERSION_1);
+ break;
case CURL_SSLVERSION_SSLv3:
ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_0);
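Review bot: the `default:` label added at the top of the switch makes every `data->set.ssl.version` value that has no case of its own take the same branch as `CURL_SSLVERSION_DEFAULT`, so an unrecognised value is silently given the TLS 1.0 floor instead of being noticed. If that fallback is intended, a short comment saying so would help; by the usual convention the `default:` label would also sit at the end of the switch rather than ahead of the explicit cases. The new `ssl_set_min_version()` call would also benefit from a comment noting that `SSL_MAJOR_VERSION_3` with `SSL_MINOR_VERSION_1` means TLS 1.0, since the constants read as "SSL 3.1" next to the SSLv3 case that follows.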
--
1.9.4.msysgit.2