Mercurial > hgrepos > Python2 > PyMuPDF

comparison mupdf-source/thirdparty/curl/docs/SSL-PROBLEMS.md @ 2:b50eed0cc0ef upstream

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4. The directory name has changed: no version number in the expanded directory now.
author Franz Glasner <fzglas.hg@dom66.de>
date Mon, 15 Sep 2025 11:43:07 +0200
parents
children
comparison
equal deleted inserted replaced
1:1d09e1dec1d9 2:b50eed0cc0ef
1 _ _ ____ _
2 ___| | | | _ \| |
3 / __| | | | |_) | |
4 | (__| |_| | _ <| |___
5 \___|\___/|_| \_\_____|
6
7 # SSL problems
8
9 First, let's establish that we often refer to TLS and SSL interchangeably as
10 SSL here. The current protocol is called TLS, it was called SSL a long time
11 ago.
12
13 There are several known reasons why a connection that involves SSL might
14 fail. This is a document that attempts to details the most common ones and
15 how to mitigate them.
16
17 ## CA certs
18
19 CA certs are used to digitally verify the server's certificate. You need a
20 "ca bundle" for this. See lots of more details on this in the SSLCERTS
21 document.
22
23 ## CA bundle missing intermediate certificates
24
25 When using said CA bundle to verify a server cert, you will experience
26 problems if your CA cert does not have the certificates for the
27 intermediates in the whole trust chain.
28
29 ## Protocol version
30
31 Some broken servers fail to support the protocol negotiation properly that
32 SSL servers are supposed to handle. This may cause the connection to fail
33 completely. Sometimes you may need to explicitly select a SSL version to use
34 when connecting to make the connection succeed.
35
36 An additional complication can be that modern SSL libraries sometimes are
37 built with support for older SSL and TLS versions disabled!
38
39 All versions of SSL are considered insecure and should be avoided. Use TLS.
40
41 ## Ciphers
42
43 Clients give servers a list of ciphers to select from. If the list doesn't
44 include any ciphers the server wants/can use, the connection handshake
45 fails.
46
47 curl has recently disabled the user of a whole bunch of seriously insecure
48 ciphers from its default set (slightly depending on SSL backend in use).
49
50 You may have to explicitly provide an alternative list of ciphers for curl
51 to use to allow the server to use a WEAK cipher for you.
52
53 Note that these weak ciphers are identified as flawed. For example, this
54 includes symmetric ciphers with less than 128 bit keys and RC4.
55
56 Schannel in Windows XP is not able to connect to servers that no longer
57 support the legacy handshakes and algorithms used by those versions, so we
58 advice against building curl to use Schannel on really old Windows versions.
59
60 References:
61
62 https://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01
63
64 ## Allow BEAST
65
66 BEAST is the name of a TLS 1.0 attack that surfaced 2011. When adding means
67 to mitigate this attack, it turned out that some broken servers out there in
68 the wild didn't work properly with the BEAST mitigation in place.
69
70 To make such broken servers work, the --ssl-allow-beast option was
71 introduced. Exactly as it sounds, it re-introduces the BEAST vulnerability
72 but on the other hand it allows curl to connect to that kind of strange
73 servers.
74
75 ## Disabling certificate revocation checks
76
77 Some SSL backends may do certificate revocation checks (CRL, OCSP, etc)
78 depending on the OS or build configuration. The --ssl-no-revoke option was
79 introduced in 7.44.0 to disable revocation checking but currently is only
80 supported for Schannel (the native Windows SSL library), with an exception
81 in the case of Windows' Untrusted Publishers blacklist which it seems can't
82 be bypassed. This option may have broader support to accommodate other SSL
83 backends in the future.
84
85 References:
86
87 https://curl.haxx.se/docs/ssl-compared.html