diff options
Diffstat (limited to 'docs/SSL-PROBLEMS')
-rw-r--r-- | docs/SSL-PROBLEMS | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/docs/SSL-PROBLEMS b/docs/SSL-PROBLEMS index 7ee4d14ee..45faa241c 100644 --- a/docs/SSL-PROBLEMS +++ b/docs/SSL-PROBLEMS @@ -26,7 +26,7 @@ CA bundle missing intermediate certificates problems if your CA cert does not have the certificates for the intermediates in the whole trust chain. -SSL version +Protocol version Some broken servers fail to support the protocol negotiation properly that SSL servers are supposed to handle. This may cause the connection to fail @@ -36,7 +36,9 @@ SSL version An additional complication can be that modern SSL libraries sometimes are built with support for older SSL and TLS versions disabled! -SSL ciphers + All versions of SSL are considered insecure and should be avoided. Use TLS. + +Ciphers Clients give servers a list of ciphers to select from. If the list doesn't include any ciphers the server wants/can use, the connection handshake @@ -51,9 +53,13 @@ SSL ciphers Note that these weak ciphers are identified as flawed. For example, this includes symmetric ciphers with less than 128 bit keys and RC4. + WinSSL in Windows XP is not able to connect to servers that no longer + support the legacy handshakes and algorithms used by those versions, so we + advice against building curl to use WinSSL on really old Windows versions. + References: - http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01 + https://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01 Allow BEAST @@ -65,3 +71,17 @@ Allow BEAST introduced. Exactly as it sounds, it re-introduces the BEAST vulnerability but on the other hand it allows curl to connect to that kind of strange servers. + +Disabling certificate revocation checks + + Some SSL backends may do certificate revocation checks (CRL, OCSP, etc) + depending on the OS or build configuration. The --ssl-no-revoke option was + introduced in 7.44.0 to disable revocation checking but currently is only + supported for WinSSL (the native Windows SSL library), with an exception in + the case of Windows' Untrusted Publishers blacklist which it seems can't be + bypassed. This option may have broader support to accommodate other SSL + backends in the future. + + References: + + http://curl.haxx.se/docs/ssl-compared.html |