Hi guys, Our MacOS client application uses libcurl backed by Darwin-SSL (Secure Transport) to send and receive some data. Now we need to work in FIPS 140-2 mode and I found that libCurl doesn't support limiting cipher suites for Secure Transport case. Source code vtls/sectransp.c just gets list of SSL/TLS ciphers by calling SSLGetSupportedCiphers, filters out some weak ciphers and then sets list of them (SSLSetEnabledCiphers) for negotiation with server. It ignores the value of the CURLOPT_SSL_CIPHER_LIST option and caller has no control on cipher suites hence we cannot specify only FIPS 140-2 ciphers to be used, etc.
Does it make sense to add the CURLOPT_SSL_CIPHER_LIST option support in sectransp.c code and limit client cipher suites to its value? I think it would be nice to have Secure Transport feature parity with OpenSSL, WolfSSL, NSS and other libraries. If someone knows more details why it was not implemented before or some hidden problems, I very appreciate your help. I am new to libCurl and Secure Transport, so if you know it won't work or some other issues, it would be extremely helpful. Thank you, Michael
------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.html
