Hi Everyone,

Re: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html

I'm not sure this is a good example of CURLOPT_SSL_CIPHER_LIST. The
example uses "TLSv1", which is probably a better example for
CURLOPT_SSLVERSION.

    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "TLSv1");
    ret = curl_easy_perform(curl);
    curl_easy_cleanup(curl);

I think the example would be more useful if it supplied something more
practical, like the following:

    const char cipher_suites[] =
        "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, cipher_suites);
    ret = curl_easy_perform(curl);
    curl_easy_cleanup(curl);

The cipher suites list has several benefits to users:

  * selects High strength TLS ciphers.
  * removes RSA key transport (!kRSA), but keeps RSA authentication (auRSA).
  * removes unneeded cipher suites, like PSK and SRP.
  * removes some weak and wounded algorithms, like MD5 and RC4.
  * facilitates a very small ClientHello, with 50 ciphers or so.

Jeff
-- 
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
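
A pre-flight check for a cipher string before it is passed to CURLOPT_SSL_CIPHER_LIST, added here as an example that is not part of the original message or of curl. It confirms that the exclusions the message lists are present as permanent `!` removals, assuming OpenSSL-style cipher-string syntax; `REQUIRED`, `permanently_excludes` and `missing_exclusions` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Exclusions the message's list applies to weak or unauthenticated suites. */
static const char *const REQUIRED[] = { "aNULL", "kRSA", "MD5", "RC4" };
#define N_REQUIRED (sizeof REQUIRED / sizeof REQUIRED[0])

/* Return 1 if the list has the exact token "!name". In OpenSSL cipher-string
 * syntax tokens are separated by ':', ',' or ' ', and only the '!' prefix
 * removes suites permanently ('-' removals can be undone by later tokens). */
static int permanently_excludes(const char *list, const char *name)
{
    size_t want = strlen(name);
    const char *p = list;

    while (*p) {
        size_t len = strcspn(p, ":, ");
        if (len == want + 1 && p[0] == '!' && strncmp(p + 1, name, want) == 0)
            return 1;
        p += len;
        p += strspn(p, ":, ");
    }
    return 0;
}

/* Bitmask of REQUIRED entries the list fails to exclude; 0 means none missing. */
static unsigned missing_exclusions(const char *list)
{
    unsigned missing = 0;
    for (size_t i = 0; i < N_REQUIRED; i++)
        if (!permanently_excludes(list, REQUIRED[i]))
            missing |= 1u << i;
    return missing;
}

int main(void)
{
    const char *samples[] = {
        "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4", /* list proposed in the message */
        "TLSv1",                                 /* string in the current doc example */
        "HIGH:-aNULL:!kRSA:!MD5:!RC4",           /* constructed: '-' instead of '!' */
    };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        unsigned m = missing_exclusions(samples[s]);
        printf("%s\n", samples[s]);
        for (size_t i = 0; i < N_REQUIRED; i++)
            if (m & (1u << i))
                printf("  missing !%s\n", REQUIRED[i]);
    }
    return 0;
}
```

A result of 0 only says the tokens are present in the string; which suites are actually offered still depends on the TLS library curl was built against.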
