On Fri, 16 Sep 2016, Michael Felt wrote:

So, this time I watched a bit more closely re: SSL - my comment is: shouldn't SSLv2 just be removed regardless if OpenSSL is (still) supporting it?


Yes it should. In fact SSLv3 should also probably be disabled by default, but then we also know that we have a fairly large amount of users running against legacy crap that might use old protocol versions...

I'm not sure it is a big issue though since modern TLS libraries will disable them for us.

Next question: how can I disable it in my packaging (note: would rather not load another package, e.g. gnutls to accomplish this - but maybe "curl" forces me.

OpenSSL disables SSLv2 by default these days (mentioned in the changelog for the 1.0.1s/1.0.2g releases of March 2016) so you're either using an older OpenSSL or you enabled it explicitly.

re: mk_ca_bundle - great thing, but can go unnoticed as make install does not pick it up, and when the src is in, e.g. ../src/curl-7.50.3 "somewhere" it does not show up in the "build" area either. (FYI)

Right, mk-ca-bundle is a separate tool for those with that need and desire.

And, maybe - if --with-ca-bundle=... is specified, but not found - you could just run mk_ca_bundle to make it?!

That's an interesting idea. There's a potential bootstrap problem with that to remember, as it depends on a curl(!) or perl/LWP installation for the transfer.

Maybe we should start with outputting a larger warning text suggesting for the user that the script exists and can be used for this purpose?

--

 / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html

Reply via email to