I hope I’m not being too impolite with a triple post, but there is one more thing to mention. The current WebPositive (as of h48882) is pretty much letting the defaults (the whole range) come through (which is what you’re referring to in your response). Whether that is good or not is a judgement. But, other distros are limiting the stuff with the worst publicity - at some level (either low (lib) or high (app), depending on distro).
In the previous post (which I can’t edit) I made a mis-statement. I said, “…then the feature set changes would have to be made at a lower level than curl.” That’s not necessarily true, of course. I made a similar statement about polarssl, which I modified at a lower level so that the curl program (as opposed to the library) would exhibit the features I wanted. It was easier for me to just change libpolarssl, but I certainly could have done it at a higher level.
So, each lib or app can hard wire things, or just leave it up to the user. I suspect that app level stuff may be more subject to misconfigurations and unintended overrides, however. Also, some of the items I mentioned are really exploit vulnerabilities, which should be mitigated at the lowest level possible. Maybe that would prompt an upgrade to another version, rather than just tweaking features.
It’s better to give all the options to the applications, of course. Yet, I think a probable reason that some distros limit things at maybe a lower level has to do with the way the https handshake is done. The browser* submits a list of acceptable (to the browser) suites, but THE SERVER gets to choose which one to use. Some servers will choose the poorest suite, because it’s faster to process (for the server). It’s kind of a problem for the https protocol.
So, I understand your idea to alert or warn in the browser. Maybe, it’s the user who should decide whether the use of a particular suite is “deadly” or not. Some distros go with that idea, and some restrict choices on the basis that many users are unsavvy. It’s a hard choice, and one often avoided so as not to be culpable in any way. So, that’s why (as a non expert) - I stay away from those kinds of decisions.
I ain’t the expert - but I might have guessed some of the parameters. I’m just digging holes in the ground, sniffin some bones. Any user of Webpositive can just go to https://www.ssllabs.com/ssltest/viewMyClient.html to get a pretty good grasp of the situation. I considered it to be “too wide open” - so switched to polarssl. I chose that library because it made tweaking out the bad cipher suites and protocol versions pretty easy. What I did in the polar lib probably could have been done at a higher level, but it was convenient for me to change the low end. Since the browser accepts all that the lower libraries permit (AFAIK), the only alternative would have been to modify curl or the browser itself. I’ve been leaving that up to the Haiku devs
- “Browser” is a misnomer. It’s really “the client” which may be curl, a custom ssl lib, etc.