Poodle fix for all the users of libcurl

As you know, SSLv3, most popular TLS protocol, is announced as victim of this Poodle vulnerability. After this announcement, all the enterprise community rushed to disable SSLv3 & SSLv2 protocols as part of their security enforcements. This page explains the similar fix for libcurl users and particularly for those who are still users of old libcurl versions like 7.15.x etc.

This page explains the fix for libcurl 7.15.x version.

Solution to Poodle vulnerability is to disable SSLv3 & SSLv2 protocols in TLS communication. libcurl by default uses SSLv3 for TLS. Now there is another option to enforce libcurl to use TLS 1.0 as SSL protocol using following code.

curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, (char*)"TLSv1");

The above code tells libcurl to use only TLS 1.x protocol and respective cipher suites for SSL communication. For those, who can afford for libcurl version upgrade, you can directly go to libcurl home page and get the latest with the Poodle fix.

Without this fix, and your server not supporting SSLv3 or SSLv2 protocol stack, your curl client ends into following error.

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

This error tells that server unable to provide handshake to client hello as server not supporting SSLv3.

For any issues/queries, you can mail/comment in this page. Thanks 🙂 .

Leave a Reply

Your email address will not be published. Required fields are marked *