curl will negotiate insecure TLS cipher suites
| Originator: | alex.gaynor | ||
| Number: | rdar://18388314 | Date Originated: | 9/18/2014 |
| Status: | Open | Resolved: | |
| Product: | OS X | Product Version: | 10.9.5 |
| Classification: | Reproducible: | Yes |
Summary:
When performing a TLS handshake, curl offers insecure cipher suites.
Steps to Reproduce:
1. Run ``curl https://www.howsmyssl.com/a/check | python -mjson.tool``
2. Observe that "How's my SSL" reports that insecure cipher suites are offered
Expected Results:
I expect for "insecure_cipher_suites" to be an empty list.
Actual Results:
"insecure_cipher_suites": {
"TLS_PSK_WITH_NULL_SHA": [
"specifies no encryption at all for the connection"
],
"TLS_PSK_WITH_NULL_SHA256": [
"specifies no encryption at all for the connection"
],
"TLS_PSK_WITH_NULL_SHA384": [
"specifies no encryption at all for the connection"
],
"TLS_RSA_WITH_NULL_SHA256": [
"specifies no encryption at all for the connection"
]
},
Version:
OS X 10.9.5
Notes:
Configuration:
Attachments:
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!