Hi,

I am the maintainer of hddsuperclone, which uses the curl library. At the moment it is initializing the curl library like this:

curl = curl_easy_init();

But a security audit suggested that we should be using

curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

to avoid downgrade attacks.

I personally dislike hardcoding certain TLS versions into the source code, since it might get forgotten and might cause compatibility issues with TLSv1_4 or TLSv1_5 a few years down the road. Therefore I think it might be a better idea to offer an API where the applications could specify whether they want to support only the most recent TLS version(s) that are deemed secure, or whether it should also support slightly older versions that are needed for compatibility.
Or is there such a solution already available that I couldn't find?

Best regards,
Philipp Gühring
