Annotation of embedaddon/curl/docs/SSL-PROBLEMS.md, revision 1.1
1.1 ! misho 1: _ _ ____ _
! 2: ___| | | | _ \| |
! 3: / __| | | | |_) | |
! 4: | (__| |_| | _ <| |___
! 5: \___|\___/|_| \_\_____|
! 6:
! 7: # SSL problems
! 8:
! 9: First, let's establish that we often refer to TLS and SSL interchangeably as
! 10: SSL here. The current protocol is called TLS, it was called SSL a long time
! 11: ago.
! 12:
! 13: There are several known reasons why a connection that involves SSL might
! 14: fail. This is a document that attempts to details the most common ones and
! 15: how to mitigate them.
! 16:
! 17: ## CA certs
! 18:
! 19: CA certs are used to digitally verify the server's certificate. You need a
! 20: "ca bundle" for this. See lots of more details on this in the SSLCERTS
! 21: document.
! 22:
! 23: ## CA bundle missing intermediate certificates
! 24:
! 25: When using said CA bundle to verify a server cert, you will experience
! 26: problems if your CA cert does not have the certificates for the
! 27: intermediates in the whole trust chain.
! 28:
! 29: ## Protocol version
! 30:
! 31: Some broken servers fail to support the protocol negotiation properly that
! 32: SSL servers are supposed to handle. This may cause the connection to fail
! 33: completely. Sometimes you may need to explicitly select a SSL version to use
! 34: when connecting to make the connection succeed.
! 35:
! 36: An additional complication can be that modern SSL libraries sometimes are
! 37: built with support for older SSL and TLS versions disabled!
! 38:
! 39: All versions of SSL are considered insecure and should be avoided. Use TLS.
! 40:
! 41: ## Ciphers
! 42:
! 43: Clients give servers a list of ciphers to select from. If the list doesn't
! 44: include any ciphers the server wants/can use, the connection handshake
! 45: fails.
! 46:
! 47: curl has recently disabled the user of a whole bunch of seriously insecure
! 48: ciphers from its default set (slightly depending on SSL backend in use).
! 49:
! 50: You may have to explicitly provide an alternative list of ciphers for curl
! 51: to use to allow the server to use a WEAK cipher for you.
! 52:
! 53: Note that these weak ciphers are identified as flawed. For example, this
! 54: includes symmetric ciphers with less than 128 bit keys and RC4.
! 55:
! 56: Schannel in Windows XP is not able to connect to servers that no longer
! 57: support the legacy handshakes and algorithms used by those versions, so we
! 58: advice against building curl to use Schannel on really old Windows versions.
! 59:
! 60: References:
! 61:
! 62: https://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01
! 63:
! 64: ## Allow BEAST
! 65:
! 66: BEAST is the name of a TLS 1.0 attack that surfaced 2011. When adding means
! 67: to mitigate this attack, it turned out that some broken servers out there in
! 68: the wild didn't work properly with the BEAST mitigation in place.
! 69:
! 70: To make such broken servers work, the --ssl-allow-beast option was
! 71: introduced. Exactly as it sounds, it re-introduces the BEAST vulnerability
! 72: but on the other hand it allows curl to connect to that kind of strange
! 73: servers.
! 74:
! 75: ## Disabling certificate revocation checks
! 76:
! 77: Some SSL backends may do certificate revocation checks (CRL, OCSP, etc)
! 78: depending on the OS or build configuration. The --ssl-no-revoke option was
! 79: introduced in 7.44.0 to disable revocation checking but currently is only
! 80: supported for Schannel (the native Windows SSL library), with an exception
! 81: in the case of Windows' Untrusted Publishers blacklist which it seems can't
! 82: be bypassed. This option may have broader support to accommodate other SSL
! 83: backends in the future.
! 84:
! 85: References:
! 86:
! 87: https://curl.haxx.se/docs/ssl-compared.html
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to SSL-PROBLEMS.md CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / docs