On Fri, 11 Jul 2025, Christian Schmitz wrote:

> There may be plenty of old code around that explicitly puts in CURL_SSLVERSION_TLSv1_0 or CURL_SSLVERSION_TLSv1_1, from a time when we had SSL v3 as default and we wanted to get better TLS 1.0 or 1.1.

Right, now we can't tell if they raise the minimum from SSL v3 or if they lower the minimum from TLS 1.2 with this.

Not all TLS libraries support < 1.2 these days so it might not get what it asks for.

> I would suggest to allow it, output a warning in the debug log "TLS 1.0 no longer available, using TLS 1.3 instead." and switch to TLS 1.3.

That's for when we completely remove the support, right?

I think we can start by upping the default and stick to that for a period which might very well extend six months.

The option sets the minimum anyway, so as long as the maximum is >= 1.2 we can still satisfy the user without having to say anything. And if the maximum is set < 1.2 when we drop the support, then we better return an error to help the user understand what's going on.

--

 / daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
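
The range handling discussed in this thread, for the stage where TLS < 1.2 is no longer supported, as an added C sketch. It is not curl source code and not from either poster; the enum, `TLS_FLOOR` and `resolve_range()` are hypothetical names, and rejecting a minimum above the maximum is an assumption of this sketch.

```c
/* Added illustration, not curl source. All names are hypothetical. */
#include <stdio.h>

enum tlsver { TLS_UNSET = 0, TLS_1_0, TLS_1_1, TLS_1_2, TLS_1_3 };

enum resolve_result {
  RESOLVE_OK,     /* request satisfied as asked */
  RESOLVE_RAISED, /* legacy minimum silently raised to the floor */
  RESOLVE_ERROR   /* range cannot be satisfied, tell the caller */
};

#define TLS_FLOOR TLS_1_2 /* assumed lowest version still supported */

/* min_req / max_req: what the application asked for; TLS_UNSET means
   "use the default". On success the effective range is stored in
   *min_out and *max_out. */
static enum resolve_result resolve_range(enum tlsver min_req,
                                         enum tlsver max_req,
                                         enum tlsver *min_out,
                                         enum tlsver *max_out)
{
  enum tlsver max = (max_req == TLS_UNSET) ? TLS_1_3 : max_req;
  enum tlsver min = (min_req == TLS_UNSET) ? TLS_FLOOR : min_req;
  enum resolve_result res = RESOLVE_OK;

  if(max < TLS_FLOOR)
    return RESOLVE_ERROR;   /* maximum pinned below 1.2: return an error */
  if(min < TLS_FLOOR) {
    min = TLS_FLOOR;        /* old code asking for 1.0/1.1 as a minimum */
    res = RESOLVE_RAISED;
  }
  if(min > max)
    return RESOLVE_ERROR;   /* assumption: an inverted range is rejected */
  *min_out = min;
  *max_out = max;
  return res;
}

int main(void)
{
  enum tlsver lo = TLS_UNSET, hi = TLS_UNSET;
  /* Constructed cases: legacy minimum only, then legacy maximum. */
  printf("min=1.0, max unset -> %d\n",
         resolve_range(TLS_1_0, TLS_UNSET, &lo, &hi));
  printf("min=1.0, max=1.1   -> %d\n",
         resolve_range(TLS_1_0, TLS_1_1, &lo, &hi));
  return 0;
}
```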
