aboutsummaryrefslogtreecommitdiffstats
path: root/docs/SSL-PROBLEMS
diff options
context:
space:
mode:
Diffstat (limited to 'docs/SSL-PROBLEMS')
-rw-r--r--docs/SSL-PROBLEMS26
1 files changed, 23 insertions, 3 deletions
diff --git a/docs/SSL-PROBLEMS b/docs/SSL-PROBLEMS
index 36502672..e6398710 100644
--- a/docs/SSL-PROBLEMS
+++ b/docs/SSL-PROBLEMS
@@ -26,7 +26,7 @@ CA bundle missing intermediate certificates
problems if your CA cert does not have the certificates for the
intermediates in the whole trust chain.
-SSL version
+Protocol version
Some broken servers fail to support the protocol negotiation properly that
SSL servers are supposed to handle. This may cause the connection to fail
@@ -36,7 +36,9 @@ SSL version
An additional complication can be that modern SSL libraries sometimes are
built with support for older SSL and TLS versions disabled!
-SSL ciphers
+ All versions of SSL are considered insecure and should be avoided. Use TLS.
+
+Ciphers
Clients give servers a list of ciphers to select from. If the list doesn't
include any ciphers the server wants/can use, the connection handshake
@@ -51,10 +53,14 @@ SSL ciphers
Note that these weak ciphers are identified as flawed. For example, this
includes symmetric ciphers with less than 128 bit keys and RC4.
+ WinSSL in Windows XP is not able to connect to servers that no longer
+ support the legacy handshakes and algorithms used by those versions, so we
+ advice against building curl to use WinSSL on really old Windows versions.
+
References:
https://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01
-
+
Allow BEAST
BEAST is the name of a TLS 1.0 attack that surfaced 2011. When adding means
@@ -65,3 +71,17 @@ Allow BEAST
introduced. Exactly as it sounds, it re-introduces the BEAST vulnerability
but on the other hand it allows curl to connect to that kind of strange
servers.
+
+Disabling certificate revocation checks
+
+ Some SSL backends may do certificate revocation checks (CRL, OCSP, etc)
+ depending on the OS or build configuration. The --ssl-no-revoke option was
+ introduced in 7.44.0 to disable revocation checking but currently is only
+ supported for WinSSL (the native Windows SSL library), with an exception in
+ the case of Windows' Untrusted Publishers blacklist which it seems can't be
+ bypassed. This option may have broader support to accommodate other SSL
+ backends in the future.
+
+ References:
+
+ https://curl.haxx.se/docs/ssl-compared.html
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-27 00:12:54 +0000