Explicitly set a cipher suite list that doesn't include EXPORT ciphers #71


@ebroder
Member
ebroder commented Jan 25, 2014

@ab, would appreciate if you could take a look.

@ab
ab commented Mar 26, 2014

Looks plausible, but it will break anyone using curl compiled against NSS (i.e. Fedora).

@bkrausz
Member
bkrausz commented Jul 11, 2014

@ebroder - is this still something we want? Is it going to cause issues with some users?

@ab
ab commented Jul 11, 2014

As mentioned before, this will break anyone using curl compiled against NSS rather than OpenSSL, so we can't use as is.

@bkrausz
Member
bkrausz commented Jul 11, 2014

Is there a fix? I know nothing about cypher lists, and even less about NSS.

@ab
ab commented Jul 11, 2014

I don't know much about php-curl except that it can be compiled against several different SSL libraries, each of which has incompatible ways to specify things like cipher suites. There may be a way to detect what library it's linked against, in which case you could pass the appropriate config for each of NSS, OpenSSL, (maybe even SecureTransport, not sure if php-curl on OS X uses it these days). I'd have to research the appropriate syntax, since I only know a tiny bit about setting cipher suites for NSS.

Honestly I'm not sure this is worth spending all that much time on since we control the cipher list on the server side, and we're not talking to arbitrary servers.
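An added example, not part of the comment above or of this pull request: one way to do the backend detection described there is to read `ssl_version` from `curl_version()` and set `CURLOPT_SSL_CIPHER_LIST` only when the backend's syntax is known. The function names and the cipher strings are assumptions for illustration (the PR's actual list is not shown on this page), and the NSS names should be checked against the installed curl.

```php
<?php
// Added example; not code from this pull request.
// Backend prefix (as reported in curl_version()['ssl_version']) mapped to a
// cipher string in that backend's own syntax. The lists are assumptions.
const CIPHER_LISTS = [
    // OpenSSL-style syntax: start from the defaults and subtract weak classes.
    'OpenSSL'  => 'DEFAULT:!EXPORT:!LOW:!aNULL:!eNULL',
    'LibreSSL' => 'DEFAULT:!EXPORT:!LOW:!aNULL:!eNULL',
    // curl built against NSS takes named suites separated by commas, so the
    // OpenSSL string above would be rejected there. Names are assumed to
    // match the installed curl's NSS cipher table.
    'NSS'      => 'ecdhe_rsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_sha,'
                . 'rsa_aes_128_sha,rsa_aes_256_sha',
];

// Returns the cipher string for a backend, or null when the backend is
// unknown and the library default should be left alone.
function cipherListFor(string $sslVersion): ?string
{
    foreach (CIPHER_LISTS as $backend => $list) {
        // ssl_version looks like "OpenSSL/1.0.1e" or "NSS/3.15.4".
        if (stripos($sslVersion, $backend . '/') === 0) {
            return $list;
        }
    }
    return null;
}

// Applies the list to a curl handle; returns false if nothing was set.
function applyCipherList($ch): bool
{
    $info = curl_version();
    $list = cipherListFor($info['ssl_version'] ?? '');
    if ($list === null) {
        return false; // e.g. GnuTLS or SecureTransport: keep defaults
    }
    return curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $list);
}

// Constructed sample version strings, so this runs without a network.
foreach (['OpenSSL/1.0.1e', 'NSS/3.15.4', 'GnuTLS/2.12.23', ''] as $v) {
    $label = $v === '' ? '(no TLS backend)' : $v;
    printf("%-18s => %s\n", $label, cipherListFor($v) ?? 'library default');
}
```

Returning `null` for an unrecognized backend keeps the request working with the library's defaults instead of failing on a cipher string it cannot parse.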

@bkrausz
Member
bkrausz commented Jul 12, 2014

👍

@bkrausz bkrausz closed this Jul 12, 2014
@bkrausz bkrausz deleted the better-ssl branch Jul 12, 2014