problems if your CA cert does not have the certificates for the
intermediates in the whole trust chain.
-SSL version
+Protocol version
Some broken servers fail to support the protocol negotiation properly that
SSL servers are supposed to handle. This may cause the connection to fail
An additional complication can be that modern SSL libraries sometimes are
built with support for older SSL and TLS versions disabled!
-SSL ciphers
+ All versions of SSL are considered insecure and should be avoided. Use TLS.
+
+Ciphers
Clients give servers a list of ciphers to select from. If the list doesn't
include any ciphers the server wants/can use, the connection handshake
Note that these weak ciphers are identified as flawed. For example, this
includes symmetric ciphers with less than 128 bit keys and RC4.
+ WinSSL in Windows XP is not able to connect to servers that no longer
+ support the legacy handshakes and algorithms used by those versions, so we
+ advice against building curl to use WinSSL on really old Windows versions.
+
References:
- http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01
+ https://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-01
Allow BEAST
introduced. Exactly as it sounds, it re-introduces the BEAST vulnerability
but on the other hand it allows curl to connect to that kind of strange
servers.
+
+Disabling certificate revocation checks
+
+ Some SSL backends may do certificate revocation checks (CRL, OCSP, etc)
+ depending on the OS or build configuration. The --ssl-no-revoke option was
+ introduced in 7.44.0 to disable revocation checking but currently is only
+ supported for WinSSL (the native Windows SSL library), with an exception in
+ the case of Windows' Untrusted Publishers blacklist which it seems can't be
+ bypassed. This option may have broader support to accommodate other SSL
+ backends in the future.
+
+ References:
+
+ http://curl.haxx.se/docs/ssl-compared.html