On 11/4/2014 4:51 PM, Todd A Ouska wrote:
> On Nov 4, 2014, at 10:58 AM, Ray Satiro <[email protected]> wrote:
>> On 11/4/2014 5:42 AM, Daniel Stenberg wrote:
>>> Thanks a lot, merged and pushed just now!
>> I took a look and AFAICT all changes to disable SSLv3 by default in all SSL
>> backends are now in the central repo. One nagging thing though from my original
>> post: I still don't understand why CyaSSL cannot be configured to use TLS
>> 1.0-1.2 by default.
> The current github version of CyaSSL and the upcoming release of CyaSSL 3.3 on
> or about November 10th allow the user to set a minimum version during version
> downgrade on a single connection attempt:
> CyaSSL_SetMinVersion(ssl, CYASSL_TLSV1_1); for example. Previously users
> would simply end the connection if the resulting version was unsatisfactory,
> which could be done as early as the certificate handshake message with a
> callback.
Thanks Todd. I have reviewed your commit to the CyaSSL repo that
implemented that change [1]. Based on that I have a commit I believe
will bring cyassl.c up to date [2]. If you wouldn't mind, please take a look
before I put in a request to submit it. Notice I try setting the minimum
version to TLS 1.0, and if that fails then TLS 1.2. Instead of doing that
each time, do you know of a better way at compile time or runtime to
handle the NO_OLD_TLS case?
[1]: https://github.com/cyassl/cyassl/commit/322f79f
[2]: https://github.com/jay/curl/commit/95fc8d5
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
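The two approaches discussed in the thread, as an added, self-contained example that is not code from curl, CyaSSL or any participant: the runtime probe Ray describes (try a TLS 1.0 floor, fall back to a TLS 1.2 floor when the build rejects it) next to the compile-time alternative he asks about (let the NO_OLD_TLS build option choose the floor). Everything here is a simulation: the version constants are local values that only mirror the CyaSSL enum names, `set_min_version_sim()` stands in for `CyaSSL_SetMinVersion()` and is not the real call, and the assumption that NO_OLD_TLS leaves only TLS 1.2 available is stated in the comments.

```c
/*
 * Added example for the curl-library discussion above; not curl or CyaSSL code.
 * Models (a) a runtime probe that tries a permissive minimum version first and
 * falls back to a stricter one, and (b) a compile-time floor driven by the
 * NO_OLD_TLS build option. The library is simulated so this builds stand-alone.
 */
#include <stddef.h>
#include <stdio.h>

/* Assumed local values; they mirror the CyaSSL version enum names only. */
enum {
    TLSV1   = 1,
    TLSV1_1 = 2,
    TLSV1_2 = 3
};

/* Simulated session state: what this (pretend) build of the library supports. */
struct sim_ssl {
    int no_old_tls;  /* 1 models a NO_OLD_TLS build: only TLS 1.2 is compiled in */
    int min_version; /* minimum currently set, 0 if none */
};

/* Stand-in for CyaSSL_SetMinVersion(): 1 on success, 0 on failure. In the
 * simulation a NO_OLD_TLS build refuses any floor below TLS 1.2 (assumed). */
static int set_min_version_sim(struct sim_ssl *ssl, int version)
{
    if (ssl->no_old_tls && version < TLSV1_2)
        return 0;
    ssl->min_version = version;
    return 1;
}

/* Runtime probe: accept the first candidate the library lets us set, walking
 * from the most permissive floor to the strictest. Returns 0 if none is accepted. */
static int probe_min_version(struct sim_ssl *ssl, const int *candidates, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (set_min_version_sim(ssl, candidates[i]))
            return candidates[i];
    }
    return 0;
}

/* Convenience wrapper: probe with the thread's candidate list (TLS 1.0, then
 * TLS 1.2) against a simulated build with or without NO_OLD_TLS. */
int probe_for_build(int no_old_tls)
{
    const int candidates[] = { TLSV1, TLSV1_2 };
    struct sim_ssl ssl = { no_old_tls, 0 };
    return probe_min_version(&ssl, candidates, sizeof candidates / sizeof candidates[0]);
}

/* Compile-time alternative: decide the floor once from the build option, so no
 * per-connection probing is needed. Compile with -DNO_OLD_TLS to see TLS 1.2. */
int compile_time_min_version(void)
{
#ifdef NO_OLD_TLS
    return TLSV1_2;
#else
    return TLSV1;
#endif
}

int main(void)
{
    printf("runtime probe, full build:       floor enum %d\n", probe_for_build(0));
    printf("runtime probe, NO_OLD_TLS build: floor enum %d\n", probe_for_build(1));
    printf("compile-time floor:              floor enum %d\n", compile_time_min_version());
    return 0;
}
```

The probe mirrors the "try TLS 1.0, then TLS 1.2" pattern from the message and returns whichever floor the build accepted; the preprocessor branch shows the compile-time answer to the NO_OLD_TLS question, which removes the repeated probing from the connection path.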