curl and openSSL

Wed Apr 13 08:07:25 UTC 2022

On Tue, Apr 12, 2022 at 02:16:08PM -0700, James Secan wrote:
> It’s a US Gov’t site (NASA): cddis.nasa.gov.  I’m accessing data on
> their Space Geodesy Data archive, pulling files from directory
> archive/gnss/products/ionex.  I filed an initial complaint with them
> yesterday before I knew in detail what was going on and had a response
> asking for more info this morning.  I’ve sent them everything I know,
> but have heard nothing back.  That was just this morning, so it’s too
> soon to be getting antsy about a response from them.

Their server does not include a RFC5746 renegotiation_info extension in
its ServerHello message. Modern TLS clients such as OpenSSL 3 consider
this insecure. See https://datatracker.ietf.org/doc/html/rfc5746 for
more details.

-- 
Clemens