Accueil Explorer Aide
Connexion
OWEALs
/
curl
miroir de https://github.com/curl/curl.git
2
0
Fork 0
Fichiers Tickets 8 Wiki
Aborescence: efe4bab29b
Branches Tags
curl
/
docs
/
SSL-PROBLEMS

SSL-PROBLEMS 2.5 KB
Historique Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667 
  1.                                   _   _ ____  _
    2. 

  2.                               ___| | | |  _ \| |
    3. 

  3.                              / __| | | | |_) | |
    4. 

  4.                             | (__| |_| |  _ <| |___
    5. 

  5.                              \___|\___/|_| \_\_____|
    6. 

  6. 

  7. SSL problems
    8. 

  8. 

  9.   First, let's establish that we often refer to TLS and SSL interchangeably as
    10. 

  10.   SSL here. The current protocol is called TLS, it was called SSL a long time
    11. 

  11.   ago.
    12. 

  12. 

  13.   There are several known reasons why a connection that involves SSL might
    14. 

  14.   fail. This is a document that attempts to details the most common ones and
    15. 

  15.   how to mitigate them.
    16. 

  16. 

  17. CA certs
    18. 

  18. 

  19.   CA certs are used to digitally verify the server's certificate. You need a
    20. 

  20.   "ca bundle" for this. See lots of more details on this in the SSLCERTS
    21. 

  21.   document.
    22. 

  22. 

  23. CA bundle missing intermediate certificates
    24. 

  24. 

  25.   When using said CA bundle to verify a server cert, you will experience
    26. 

  26.   problems if your CA cert does not have the certificates for the
    27. 

  27.   intermediates in the whole trust chain.
    28. 

  28. 

  29. SSL version
    30. 

  30. 

  31.   Some broken servers fail to support the protocol negotiation properly that
    32. 

  32.   SSL servers are supposed to handle. This may cause the connection to fail
    33. 

  33.   completely. Sometimes you may need to explicitly select a SSL version to use
    34. 

  34.   when connecting to make the connection succeed.
    35. 

  35. 

  36.   An additional complication can be that modern SSL libraries sometimes are
    37. 

  37.   built with support for older SSL and TLS versions disabled!
    38. 

  38. 

  39. SSL ciphers
    40. 

  40. 

  41.   Clients give servers a list of ciphers to select from. If the list doesn't
    42. 

  42.   include any ciphers the server wants/can use, the connection handshake
    43. 

  43.   fails.
    44. 

  44. 

  45.   curl has recently disabled the user of a whole bunch of seriously insecure
    46. 

  46.   ciphers from its default set (slightly depending on SSL backend in use).
    47. 

  47. 

  48.   You may have to explicitly provide an alternative list of ciphers for curl
    49. 

  49.   to use to allow the server to use a WEAK cipher for you.
    50. 

  50. 

  51.   Note that these weak ciphers are identified as flawed. For example, this
    52. 

  52.   includes symmetric ciphers with less than 128 bit keys and RC4.
    53. 

  53. 

  54.   References:
    55. 

  55. 

  56.   http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01
    57. 

  57.   
    58. 

  58. Allow BEAST
    59. 

  59. 

  60.   BEAST is the name of a TLS 1.0 attack that surfaced 2011. When adding means
    61. 

  61.   to mitigate this attack, it turned out that some broken servers out there in
    62. 

  62.   the wild didn't work properly with the BEAST mitigation in place.
    63. 

  63. 

  64.   To make such broken servers work, the --ssl-allow-beast option was
    65. 

  65.   introduced. Exactly as it sounds, it re-introduces the BEAST vulnerability
    66. 

  66.   but on the other hand it allows curl to connect to that kind of strange
    67. 

  67.   servers.
    68.