
Use TLSv1.3 with curl if specified at all #1670

Open
wants to merge 1 commit into
base: master
Conversation


@pothos pothos commented May 27, 2022

The curl option specified to use TLSv1.2 explicitly while nowadays 1.3
is available and recommended.
Switch to specifying 1.3 instead of 1.2 for the command that downloads
the install script.

See rust-lang/book#3130 and rust-lang/rustup#2996

@Manishearth
Member

r? @rust-lang/release

@Mark-Simulacrum
Member

Do you have links/pointers to changelogs for curl and the likelihood of this option being available in distros etc? I'd want us to avoid suggesting a command that will fail for users in practice due to an older curl locally, particularly when (AIUI) the security benefits in this case are likely to be fairly small.

@cuviper
Member

cuviper commented May 27, 2022

For a quick sample -- RHEL7 has curl --tlsv1.3, but RHEL6 does not.

@cuviper
Member

cuviper commented May 27, 2022

https://daniel.haxx.se/blog/2018/03/27/play-tls-1-3-with-curl/

curl and libcurl has supported an explicit option to select TLS 1.3 since curl 7.52.0 (December 2016) and assuming you build curl to use a TLS library with support, you’ve been able to use TLS 1.3 with curl since at least then. The support has gradually been expanded to cover more and more libraries since then.

RHEL7 only has curl 7.29.0, but the --tlsv1.3 option was backported.

@cuviper
Member

cuviper commented May 27, 2022

Also, curl/curl#2994 updated the help text to say that these options are all "or greater", implying that was already the case, so --tlsv1.2 would still allow a TLSv1.3 connection if possible.
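The thread's two practical points, that `--tlsv1.3` is missing on some older curls (and a plain version check is misleading where it was backported, as on RHEL7's 7.29.0) and that both flags mean "this version or newer", can be combined into a small probe. The script below is an added example, not code from this PR or from rustup; it assumes that curl rejects an unknown option with a non-zero exit before doing anything else, so `curl --tlsv1.3 --version` works as a network-free feature test, and the install URL is a placeholder since the PR does not show the full command.

```shell
#!/bin/sh
# Added example (not from the PR): pick the strongest TLS floor the local
# curl accepts, so a documented install command does not fail on an old curl.
#
# Assumptions (not stated on the page):
#   - an unknown option makes curl exit non-zero before doing anything
#     (curl prints "option --tlsv1.3: is unknown" and exits 2);
#   - "--version" placed after the flag is only reached if the flag parsed,
#     so "curl --tlsv1.3 --version" probes the flag without touching the network.
# Comparing the version number against 7.52.0 (where the flag first appeared)
# would be wrong on distros that backported it, such as RHEL7's curl 7.29.0,
# so the flag itself is probed instead.

# curl_tls_flag CURL_BINARY
# Prints "--tlsv1.3" if the binary accepts that option, otherwise "--tlsv1.2".
# Both flags mean "this version or newer", so the 1.2 fallback still lets a
# capable curl negotiate TLS 1.3.
curl_tls_flag() {
    bin=${1:-curl}
    if "$bin" --tlsv1.3 --version >/dev/null 2>&1; then
        echo "--tlsv1.3"
    else
        echo "--tlsv1.2"
    fi
}

# install_cmd CURL_BINARY URL
# Prints the download command line the docs would show, using the probed
# flag. The URL default is a placeholder; the PR does not name the real one.
# --proto '=https' forbids any downgrade to a non-HTTPS scheme (e.g. via redirect).
install_cmd() {
    bin=${1:-curl}
    url=${2:-https://example.invalid/install.sh}
    echo "$bin --proto '=https' $(curl_tls_flag "$bin") -sSf $url"
}

# Demo: show the command that would be generated for the curl on PATH.
install_cmd curl
```

Run it on the machine the documentation targets; on a curl older than the flag (or one without a TLS backend that accepts it) the output falls back to `--tlsv1.2`, which is exactly the behaviour the maintainers wanted to preserve.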

@pothos
Author

pothos commented May 28, 2022

Makes sense to leave it at 1.2 for longer then. Primary motivation was to have the usage of the command aligned in the website, book, and the rustup website/docs, and a PR for this got merged for the book.

For security concerns I assume that the server uses the ciphers for 1.2 that are marked secure in https://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher - Not sure about the details of possible TLS 1.2 MITM attacks but I think the TLS cipher matters only if we assume there is a possible attack where the correct server gets connected and the cert gets validated but later in the connection the attacker would inject something and send wrong data (Does this even exist?). In other cases like a malicious server/certificate being accepted in the connection then the cipher selection doesn't matter much. So I would say as long as HTTPS is used it's not really important here to enforce TLS 1.3.
