Philipp, I understand that the function call curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); sets the minimum TLS protocol version to use; the server may require a newer TLS version and it will still connect. If in the future TLS 1.2 is deprecated, you will need to update the function call in your code. I think there's no need to change the API.
Regards,
Jose

> On 22/10/2023, at 5:06 PM, Philipp Gühring via curl-library <curl-library@lists.haxx.se> wrote:
>
> Hi,
>
> I am the maintainer of hddsuperclone, which uses the curl library.
> At the moment it is initializing the curl library like this:
> curl = curl_easy_init();
> But a security audit suggested that we should be using
> curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
> to avoid downgrade attacks.
> I personally dislike hardcoding certain TLS versions into the source code,
> since it might get forgotten and might cause compatibility issues with
> TLSv1_4 or TLSv1_5 a few years down the road.
> Therefore I think it might be a better idea to offer an API where the
> applications could specify whether they want to support only the most recent
> TLS version(s) that are deemed secure, or whether it should also support
> slightly older versions that are needed for compatibility.
>
> Or is there such a solution already available that I couldn't find?
>
> Best regards,
> Philipp Gühring
>
> --
> Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
> Etiquette: https://curl.se/mail/etiquette.html