Default Minimum TLS Version Set to TLS v1.0 (Cryptographic Weakness)

Medium
curl
Reported by monkey_dee

Vulnerability Details

Technical details and impact analysis

Use of a Broken or Risky Cryptographic Algorithm
## Summary:

Curl sets TLS v1.0 as the default minimum version, which is outdated and vulnerable to attacks like BEAST, posing a risk to data integrity and confidentiality. This was found through manual code review. No AI was used in identifying the issue or generating this report.

## Affected Version:

Version: 8.15.0-DEV (from source code in https://github.com/curl/curl, commit at time of review). Platform: Any using curl with an older OpenSSL version that doesn't enforce a stricter minimum. Output of `curl -V` not applicable as this is a source code issue.

## Steps To Reproduce:

1. Check out the file `./docs/libcurl/opts/CURLOPT_SSLVERSION.md`. You'll see in the documentation that curl sets TLS v1.0 as the default minimum version (since version 7.39.0) when using the `CURL_SSLVERSION_DEFAULT` option, unless the TLS library you're using forces a higher version.
2. In the same GitHub repo, open the file `./lib/vtls/openssl.c` and search for `CURL_SSLVERSION_DEFAULT`. You'll notice that when this default setting is used, curl doesn't set a specific minimum TLS version and just goes with whatever the OpenSSL library defaults to. This can be as low as TLS v1.0 if you're using an older version of OpenSSL.
3. Now, if you build curl with an older OpenSSL version (like anything before 1.1.0) that defaults to TLS v1.0, or just use the `CURL_SSLVERSION_DEFAULT` setting without changing it, curl can end up making connections with TLS v1.0. This is a problem because TLS v1.0 is vulnerable to attacks like BEAST. This can put your data at risk.
4. Want to see the danger? Set up curl to connect to a server that allows TLS v1.0, like a test server or using `openssl s_server`. With default settings or an old OpenSSL library, curl will drop to TLS v1.0. An attacker can then exploit this weak connection to snoop on or mess with the data.

## Supporting Material/References:

- `./docs/libcurl/opts/CURLOPT_SSLVERSION.md` (documentation of default TLS v1.0 minimum).
- `./lib/vtls/openssl.c` (code handling `CURL_SSLVERSION_DEFAULT` without enforcing a higher minimum).

## Impact

## Summary:

An attacker can crack TLS v1.0 using attacks like BEAST to steal data or mess with connections. This happens if curl uses an older OpenSSL library or sticks to the default minimum version. It puts sensitive info at risk on HTTPS/FTPS links, especially for users who don’t know about this default.

Report Details

Additional information and metadata

State: Closed

Substate: Not-Applicable

Weakness: Use of a Broken or Risky Cryptographic Algorithm
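
A defender-side check for the reliance on the default minimum that the report describes, as an added example that is not part of the report or of curl's own code: it lists curl command lines in a script that do not pin TLS 1.2 or later with curl's `--tlsv1.x` options (the command-line way to request an explicit minimum rather than the default). The function names and the sample lines are constructed for illustration, and the argument splitting assumes simple space-separated commands.

```shell
# Added example: list curl command lines that do not pin a TLS 1.2+ minimum.

# min_tls_of CMDLINE: print the explicit minimum TLS version requested
# ("1.0".."1.3"), or "default" when no --tlsv1.x option is present.
# If several are given, the last one seen is reported.
min_tls_of() {
    result=default
    set -f                      # no globbing while splitting on spaces
    for arg in $1; do
        case $arg in
            --tlsv1.3) result=1.3 ;;
            --tlsv1.2) result=1.2 ;;
            --tlsv1.1) result=1.1 ;;
            --tlsv1.0|--tlsv1|-1) result=1.0 ;;
        esac
    done
    set +f
    printf '%s\n' "$result"
}

# pins_modern_tls CMDLINE: exit 0 only when the minimum is TLS 1.2 or 1.3.
pins_modern_tls() {
    case $(min_tls_of "$1") in
        1.2|1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_curl_lines: read lines on stdin; print "N: min=V: line" for every
# curl invocation that leaves the minimum at the default or below TLS 1.2.
audit_curl_lines() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in
            curl\ *|*\ curl\ *) ;;
            *) continue ;;
        esac
        pins_modern_tls "$line" ||
            printf '%s: min=%s: %s\n' "$n" "$(min_tls_of "$line")" "$line"
    done
}

# Constructed sample script lines (hypothetical, not from the report).
SAMPLE='curl https://example.com/api
curl --tlsv1.2 https://example.com/api
curl -s --tlsv1.0 https://example.com/legacy
wget https://example.com/'
printf '%s\n' "$SAMPLE" | audit_curl_lines
```

To audit a real script, feed it on standard input: `audit_curl_lines < deploy.sh`.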