On 9/16/2016 6:14 PM, Daniel Stenberg wrote:
> On Fri, 16 Sep 2016, Michael Felt wrote:
>
>> So, this time I watched a bit more closely re: SSL - my comment is: shouldn't SSLv2 just be removed regardless of whether OpenSSL (still) supports it?
>
> Yes it should. In fact SSLv3 should also probably be disabled by default, but then we also know that we have a fairly large number of users running against legacy crap that might use old protocol versions...
>
> I'm not sure it is a big issue though, since modern TLS libraries will disable them for us.

If the SSL library is able to handle -2 or -3 *and* the user has specified that at runtime, then I don't see the problem. It's not like either of those protocols is used by default.
