aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/Makefile.am5
-rw-r--r--docs/SSL-PROBLEMS61
2 files changed, 64 insertions, 2 deletions
diff --git a/docs/Makefile.am b/docs/Makefile.am
index d3c3d40d1..1f92911a4 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -5,7 +5,7 @@
# | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____|
#
-# Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
@@ -37,7 +37,8 @@ EXTRA_DIST = MANUAL BUGS CONTRIBUTE FAQ FEATURES INTERNALS SSLCERTS \
README.win32 RESOURCES TODO TheArtOfHttpScripting THANKS VERSIONS \
KNOWN_BUGS BINDINGS $(man_MANS) $(HTMLPAGES) HISTORY INSTALL \
$(PDFPAGES) LICENSE-MIXING README.netware DISTRO-DILEMMA INSTALL.devcpp \
- MAIL-ETIQUETTE HTTP-COOKIES LIBCURL-STRUCTS SECURITY RELEASE-PROCEDURE
+ MAIL-ETIQUETTE HTTP-COOKIES LIBCURL-STRUCTS SECURITY RELEASE-PROCEDURE \
+ SSL-PROBLEMS
MAN2HTML= roffit < $< >$@
diff --git a/docs/SSL-PROBLEMS b/docs/SSL-PROBLEMS
new file mode 100644
index 000000000..c04b71c14
--- /dev/null
+++ b/docs/SSL-PROBLEMS
@@ -0,0 +1,61 @@
+ _ _ ____ _
+ ___| | | | _ \| |
+ / __| | | | |_) | |
+ | (__| |_| | _ <| |___
+ \___|\___/|_| \_\_____|
+
+SSL problems
+
+ First, let's establish that we often refer to TLS and SSL interchangably as
+ SSL here. The current protocol is called TLS, it was called SSL a long time
+ ago.
+
+ There are several known reasons why a connection that involves SSL might
+ fail. This is a document that attempts to details the most common ones and
+ how to mitigate them.
+
+CA certs
+
+ CA certs are used to digitally verify the server's certificate. You need a
+ "ca bundle" for this. See lots of more details on this in the SSLCERTS
+ document.
+
+SSL version
+
+ Some broken servers fail to support the protocol negotiation properly that
+ SSL servers are supposed to handle. This may cause the connection to fail
+ completely. Sometimes you may need to explicity select a SSL version to use
+ when connecting to make the connection succeed.
+
+ An additional complication can be that modern SSL libraries sometimes are
+ built with support for older SSL and TLS versions disabled!
+
+SSL ciphers
+
+ Clients give servers a list of ciphers to select from. If the list doens't
+ include any ciphers the server wants/can use, the connection handshake
+ fails.
+
+ curl has recently disabled the user of a whole bunch of seriously insecure
+ ciphers from its default set (slightly depending on SSL backend in use).
+
+ You may have to explicitly provide an alternative list of ciphers for curl
+ to use to allow the server to use a WEAK cipher for you.
+
+ Note that these weak ciphers are identified as flawed. For example, this
+ includes symmetric ciphers with less than 128 bit keys and RC4.
+
+ References:
+
+ http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01
+
+Allow BEAST
+
+ BEAST is the name of a TLS 1.0 attack that surfaced 2011. When adding means
+ to mitigate this attack, it turned out that some broken servers out there in
+ the wild didn't work properly with the BEAST mitigation in place.
+
+ To make such broken servers work, the --ssl-allow-beast option was
+ introduced. Exactly as it sounds, it re-introduces the BEAST vulnerability
+ but on the other hand it allows curl to connect to that kind of strange
+ servers.