+++ This bug was initially created as a clone of Bug #1154060 +++

+++ This bug was initially created as a clone of Bug #1154059 +++

We should disable the retry-with-SSL-3.0 behavior in curl because it can be trivially triggered by an on-path attacker to cause a protocol downgrade, and SSL 3.0 has several known weaknesses.

This curl behavior is quite surprising because it is restricted to the NSS backend, and other systems which use the OpenSSL or GNUTLS backend do not share this behavior.

At this stage, it is best to leave SSL 3.0 enabled. (The in-protocol version negotiation has not been broken, so some TLS version will be used automatically if supported by the server.)

This might reintroduce bug 525496 and bug 527771, so a system-wide knob to re-enable the SSL 3.0 fallback might be necessary. Perhaps the existence of a file like /etc/sysconfig/curl/enable-ssl-fallback could re-enable the old behavior.

--- Additional comment from Kamil Dudka on 2014-10-29 15:26:08 CET ---

The code in question has been removed from upstream libcurl: https://github.com/bagder/curl/compare/07048941a4...276741af4d
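A toy model of the connect logic discussed in the report above, added here as an illustration; it is not curl's or NSS's code, and the version range, the `tamper` flag and all names are assumptions. It contrasts in-protocol negotiation (which still reaches SSL 3.0 for a legacy server) with the retry path, where a broken first handshake forces SSL 3.0 against a TLS-capable server.

```c
#include <stdio.h>

/* Protocol versions ordered by strength (toy model, assumed range). */
enum proto { PROTO_NONE = 0, SSL3 = 1, TLS10 = 2, TLS11 = 3, TLS12 = 4 };

struct server { enum proto min, max; };

/* Constructed sample servers. */
static const struct server modern = { SSL3, TLS12 };
static const struct server legacy = { SSL3, SSL3 };

/* In-protocol negotiation: the highest version both sides support wins.
 * `tamper` models an on-path party that breaks any handshake in which
 * the client offers more than SSL 3.0. */
static enum proto handshake(enum proto cmin, enum proto cmax,
                            const struct server *s, int tamper)
{
    enum proto v;

    if (tamper && cmax > SSL3)
        return PROTO_NONE;              /* handshake fails */
    v = cmax < s->max ? cmax : s->max;
    if (v < cmin || v < s->min)
        return PROTO_NONE;              /* no common version */
    return v;
}

/* Client connect logic. SSL 3.0 stays enabled as the minimum version.
 * With `fallback` set, a failed handshake is retried offering SSL 3.0
 * only, which is the behaviour the report asks to disable. */
enum proto client_connect(const struct server *s, int fallback, int tamper)
{
    enum proto v = handshake(SSL3, TLS12, s, tamper);

    if (v == PROTO_NONE && fallback)
        v = handshake(SSL3, SSL3, s, tamper);
    return v;
}

int main(void)
{
    printf("modern, fallback on,  clean path:    %d\n", client_connect(&modern, 1, 0));
    printf("modern, fallback on,  tampered path: %d\n", client_connect(&modern, 1, 1));
    printf("modern, fallback off, tampered path: %d\n", client_connect(&modern, 0, 1));
    printf("legacy, fallback off, clean path:    %d\n", client_connect(&legacy, 0, 0));
    return 0;
}
```

Without the retry, interference with the handshake produces a connection failure instead of a silent downgrade.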
curl-7.37.0-10.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/curl-7.37.0-10.fc21
curl-7.29.0-26.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/curl-7.29.0-26.fc19
curl-7.32.0-16.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/curl-7.32.0-16.fc20
Package curl-7.32.0-16.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing curl-7.32.0-16.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15706/curl-7.32.0-16.fc20
then log in and leave karma (feedback).
curl-7.32.0-16.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.37.0-11.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/curl-7.37.0-11.fc21
curl-7.32.0-17.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/curl-7.32.0-17.fc20
curl-7.29.0-27.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/curl-7.29.0-27.fc19
curl-7.37.0-10.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.32.0-17.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.37.0-11.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.29.0-27.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.