@ab, would appreciate if you could take a look.
Explicitly set a cipher suite list that doesn't include EXPORT ciphers
(Everything on my laptop seems to suffer from https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1256576/comments/4)
Looks plausible, but it will break anyone using curl compiled against NSS (i.e. Fedora).
@ebroder - is this still something we want? Is it going to cause issues with some users?
As mentioned before, this will break anyone using curl compiled against NSS rather than OpenSSL, so we can't use as is.
Is there a fix? I know nothing about cipher lists, and even less about NSS.
I don't know much about php-curl except that it can be compiled against several different SSL libraries, each of which has incompatible ways to specify things like cipher suites. There may be a way to detect what library it's linked against, in which case you could pass the appropriate config for each of NSS, OpenSSL, (maybe even SecureTransport, not sure if php-curl on OS X uses it these days). I'd have to research the appropriate syntax, since I only know a tiny bit about setting cipher suites for NSS.
Honestly I'm not sure this is worth spending all that much time on since we control the cipher list on the server side, and we're not talking to arbitrary servers.
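The per-library detection discussed above, sketched as an added example that is not code from this pull request or from any participant. It reads the backend from `curl_version()['ssl_version']`; the function names are hypothetical, and the cipher selections (including the NSS suite names, assumed to match those curl's NSS backend accepts) are illustrative rather than the project's list.

```php
<?php
// Added example: pick a cipher list in the syntax of the TLS library curl is linked against.
// Cipher choices are illustrative assumptions, not a list taken from the project.

/**
 * Map curl's reported TLS backend to a cipher list in that backend's syntax.
 * Returns null for an unrecognised backend so the caller keeps the library
 * default instead of passing a string the library would reject.
 */
function cipher_list_for_backend(string $sslVersion): ?string
{
    // OpenSSL and its forks take an OpenSSL cipher string; "!EXPORT" drops export suites.
    if (preg_match('~^(OpenSSL|LibreSSL|BoringSSL)/~i', $sslVersion)) {
        return 'HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5';
    }
    // curl's NSS backend takes a comma-separated list of suite names to enable,
    // so the allowed suites are enumerated instead of excluding the weak ones.
    if (preg_match('~^NSS/~i', $sslVersion)) {
        return implode(',', [
            'ecdhe_rsa_aes_128_gcm_sha_256',
            'ecdhe_rsa_aes_256_sha',
            'rsa_aes_128_sha',
            'rsa_aes_256_sha',
        ]);
    }
    return null; // GnuTLS, SecureTransport, ...: not handled in this sketch
}

/** Apply the backend-specific list to a curl handle; false means "left at default". */
function apply_cipher_list($ch): bool
{
    $info = curl_version();
    $list = cipher_list_for_backend($info['ssl_version'] ?? '');
    if ($list === null) {
        return false;
    }
    return curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $list);
}

// Constructed version strings showing the mapping without needing each library installed.
foreach (['OpenSSL/1.0.1f', 'NSS/3.15.4', 'GnuTLS/3.4.10'] as $v) {
    printf("%-16s => %s\n", $v, cipher_list_for_backend($v) ?? '(library default)');
}
```

Falling back to the library default for an unknown backend keeps requests working, which addresses the breakage concern raised in the thread for builds not linked against OpenSSL.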