[PATCH v4] Allow use of TLS 1.3
Add a tlsv1.3 option to http.sslVersion in addition to the existing tlsv1.[012] options. libcurl has supported this since 7.52.0. This requires OpenSSL 1.1.1 with TLS 1.3 enabled or curl built with recent versions of NSS or BoringSSL as the TLS backend. Signed-off-by: Loganaden Velvindron <lo...@hackers.mu> --- Documentation/config.txt | 1 + http.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index ce9102cea..f31d62772 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1957,6 +1957,7 @@ http.sslVersion:: - tlsv1.0 - tlsv1.1 - tlsv1.2 + - tlsv1.3 + Can be overridden by the `GIT_SSL_VERSION` environment variable. diff --git a/http.c b/http.c index a5bd5d62c..f84b18551 100644 --- a/http.c +++ b/http.c @@ -62,6 +62,9 @@ static struct { { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, #endif +#if LIBCURL_VERSION_NUM >= 0x073400 + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } +#endif }; #if LIBCURL_VERSION_NUM >= 0x070903 static const char *ssl_key; -- 2.16.2
[PATCH v3] Allow use of TLS 1.3
Add a tlsv1.3 option to http.sslVersion in addition to the existing tlsv1.[012] options. libcurl has supported this since 7.52.0. Signed-off-by: Loganaden Velvindron <lo...@hackers.mu> --- Documentation/config.txt | 1 + http.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index ce9102cea..f31d62772 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1957,6 +1957,7 @@ http.sslVersion:: - tlsv1.0 - tlsv1.1 - tlsv1.2 + - tlsv1.3 + Can be overridden by the `GIT_SSL_VERSION` environment variable. diff --git a/http.c b/http.c index a5bd5d62c..f84b18551 100644 --- a/http.c +++ b/http.c @@ -62,6 +62,9 @@ static struct { { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, #endif +#if LIBCURL_VERSION_NUM >= 0x073400 + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } +#endif }; #if LIBCURL_VERSION_NUM >= 0x070903 static const char *ssl_key; -- 2.16.2
Re: [PATCH v2] Allow use of TLS 1.3
On Sat, Mar 24, 2018 at 2:04 AM, Junio C Hamano <gits...@pobox.com> wrote: > Daniel Stenberg <dan...@haxx.se> writes: > >> On Fri, 23 Mar 2018, Loganaden Velvindron wrote: >> >>> +#ifdef CURL_SSLVERSION_TLSv1_3 >>> +{ "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } >>> +#endif >> >> Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct >> won't work. >> >> Also, let me just point out that 7.52.0 is 0x073400 in hex and not the >> one used for the first version of this patch. > It's working with tls 1.3: ldd for curl (showing linking to openssl 1.1.1 pre2 preview): ldd /usr/local/bin/curl linux-vdso.so.1 (0x7ffd30599000) libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x7f5a81845000) libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x7f5a815b5000) libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x7f5a810dd000) libz.so.1 => /usr/lib/libz.so.1 (0x7f5a80ec6000) libpthread.so.0 => /usr/lib/libpthread.so.0 (0x7f5a80ca7000) libc.so.6 => /usr/lib/libc.so.6 (0x7f5a808f2000) libnghttp2.so.14 => /usr/lib/libnghttp2.so.14 (0x7f5a806cd000) libdl.so.2 => /usr/lib/libdl.so.2 (0x7f5a804c9000) /lib/ld-linux-x86-64.so.2 (0x7f5a81ce5000) handshake failure against a tls 1.2 server: GIT_SSL_VERSION=tlsv1.3 ./git clone https://github.com/shuque/pydig Cloning into 'pydig'... warning: templates not found /usr/local/share/git-core/templates fatal: unable to access 'https://github.com/shuque/pydig/': error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure With a local server running nginx using only tls 1.3 (had to disable ssl verification due to self-signed cert): GIT_SSL_NO_VERIFY=true GIT_SSL_VERSION=tlsv1.2 ./git clone https://192.168.1.214/git_test error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version Now with TLS 1.3, it works: GIT_SSL_NO_VERIFY=true GIT_SSL_VERSION=tlsv1.3 ./git clone https://192.168.1.214/git_test > Thanks!
Re: [PATCH v2] Allow use of TLS 1.3
On Sat, Mar 24, 2018 at 1:47 AM, Daniel Stenberg <dan...@haxx.se> wrote: > On Fri, 23 Mar 2018, Loganaden Velvindron wrote: > >> +#ifdef CURL_SSLVERSION_TLSv1_3 >> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } >> +#endif > > > Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct won't > work. > > Also, let me just point out that 7.52.0 is 0x073400 in hex and not the one > used for the first version of this patch. > Here's the error i get when I use a recent libcurl, but the OpenSSL wasn't built with tls 1.3: using : GIT_SSL_VERSION=tlsv1.3 Error: OpenSSL was built without TLS 1.3 support > -- > > / daniel.haxx.se
Re: [PATCH v2] Allow use of TLS 1.3
On Sat, Mar 24, 2018 at 1:47 AM, Daniel Stenberg <dan...@haxx.se> wrote: > On Fri, 23 Mar 2018, Loganaden Velvindron wrote: > >> +#ifdef CURL_SSLVERSION_TLSv1_3 >> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } >> +#endif > > > Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct won't > work. > > Also, let me just point out that 7.52.0 is 0x073400 in hex and not the one > used for the first version of this patch. > Yeah, v1 patch is broken. I'm sending a v3 patch which is properly tested with OpenSSL preview alpha. > -- > > / daniel.haxx.se
Re: [PATCH v2] Allow use of TLS 1.3
On Sat, Mar 24, 2018 at 1:55 AM, Junio C Hamano <gits...@pobox.com> wrote: > Loganaden Velvindron <lo...@hackers.mu> writes: > >> Subject: Re: [PATCH v2] Allow use of TLS 1.3 > > Let's retitle it to something like > > Subject: [PATCH v2] http: allow use of TLS 1.3 > >> Add a tlsv1.3 option to http.sslVersion in addition to the existing >> tlsv1.[012] options. libcurl has supported this since 7.52.0. > > Good. > >> >> Done during IETF 101 Hackathon > > I am on the fence wrt the value of this line, especially because I > would strongly suspect that this version is not what you wrote and > tested during your Hackathon. Even if it were, would it give value > to future "git log" readers by supplying extra context? > Will remove this line. >> Signed-off-by: Loganaden Velvindron <lo...@hackers.mu> >> --- >> Documentation/config.txt | 2 +- >> http.c | 3 +++ >> 2 files changed, 4 insertions(+), 1 deletion(-) >> >> diff --git a/Documentation/config.txt b/Documentation/config.txt >> index ce9102cea..b18cb9104 100644 >> --- a/Documentation/config.txt >> +++ b/Documentation/config.txt >> @@ -1957,7 +1957,7 @@ http.sslVersion:: >> - tlsv1.0 >> - tlsv1.1 >> - tlsv1.2 >> - >> + - tlsv1.3 >> + > > Before this change, the block that shows the list of versions had > one blank line before and after it. Now we lost the blank line > after the block. Is it intended? Possibilities that come to my > mind as a reviewer are: > > A. There is no difference in the rendered output if we have zero > blank line (i.e. with the patch), or one blank line (i.e. before > the patch applied). > > A.1) the submitter made this change on purpose, because it will > make the source shorter without affecting the output, as a > "clean-up while at it" change. > > A.2) this was an accidental change, which did not break the > output merely because the submitter was lucky. > > B. The rendered output changes due to the lack of the blank line. > > B.1) And it changes in a good way. The submitter made this > change on purpose. > > B.2) And it changes in a bad way, but the submitter did not > notice it. > > Please do not make reviewers wonder. Either avoid making > unnecessary changes (e.g. you could have just added a new line with > tlsv1.3 on it without touching the blank line), or make the change > and explain why you made that change that is not essential for the > purpose of adding tls1.3 which is the main focus of this patch. Alright. > >> Can be overridden by the `GIT_SSL_VERSION` environment variable. >> To force git to use libcurl's default ssl version and ignore any >> diff --git a/http.c b/http.c >> index a5bd5d62c..25eb84c11 100644 >> --- a/http.c >> +++ b/http.c >> @@ -62,6 +62,9 @@ static struct { >> { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, >> { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, >> #endif >> +#ifdef CURL_SSLVERSION_TLSv1_3 >> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } >> +#endif >> }; > > It seems to me that > > https://github.com/curl/curl/blob/master/include/curl/curl.h#L1956 > > tells me that this #ifdef would not work. Did you test it with the > "test not version but feature" change you made at the last minute? I compiled it. > > I know it is not your fault but is Ævar's, but you're responsible > for double-checking what you are told on the internet ;-) Yes, my fault, not Ævar Arnfjörð Bjarmason . > > Thanks.
Re: [PATCH v2] Allow use of TLS 1.3
On Sat, Mar 24, 2018 at 1:47 AM, Daniel Stenberg <dan...@haxx.se> wrote: > On Fri, 23 Mar 2018, Loganaden Velvindron wrote: > >> +#ifdef CURL_SSLVERSION_TLSv1_3 >> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } >> +#endif > > > Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct won't > work. > > Also, let me just point out that 7.52.0 is 0x073400 in hex and not the one > used for the first version of this patch. > Thanks, will fix it. > -- > > / daniel.haxx.se
[PATCH v2] Allow use of TLS 1.3
Add a tlsv1.3 option to http.sslVersion in addition to the existing tlsv1.[012] options. libcurl has supported this since 7.52.0. Done during IETF 101 Hackathon Signed-off-by: Loganaden Velvindron <lo...@hackers.mu> --- Documentation/config.txt | 2 +- http.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/Documentation/config.txt b/Documentation/config.txt index ce9102cea..b18cb9104 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1957,7 +1957,7 @@ http.sslVersion:: - tlsv1.0 - tlsv1.1 - tlsv1.2 - + - tlsv1.3 + Can be overridden by the `GIT_SSL_VERSION` environment variable. To force git to use libcurl's default ssl version and ignore any diff --git a/http.c b/http.c index a5bd5d62c..25eb84c11 100644 --- a/http.c +++ b/http.c @@ -62,6 +62,9 @@ static struct { { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, #endif +#ifdef CURL_SSLVERSION_TLSv1_3 + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } +#endif }; #if LIBCURL_VERSION_NUM >= 0x070903 static const char *ssl_key; -- 2.16.2
Re: [PATCH] Allow use of TLS 1.3
On Fri, Mar 23, 2018 at 07:37:08PM +0100, Ævar Arnfjörð Bjarmason wrote: > > On Fri, Mar 23 2018, Loganaden Velvindron wrote: > > > Done during IETF 101 hackathon > > Hi. Thanks. Let's add a meaningful commit message to this though, > something like: > > Add a tlsv1.3 option to http.sslVersion in addition to the existing > tlsv1.[012] options. libcurl has supported this since 7.52.0. Looks good to me. > > > --- a/http.c > > +++ b/http.c > > @@ -61,6 +61,9 @@ static struct { > > { "tlsv1.0", CURL_SSLVERSION_TLSv1_0 }, > > { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, > > { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, > > +#if LIBCURL_VERSION_NUM >= 0x075200 > > + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } > > +#endif > > I wonder if this wouldn't be better as: > > +#ifdef CURL_SSLVERSION_TLSv1_3 > + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } > +#endif > > We've been bitten before by doing version checks on libcurl code, only > to find that some distros are actively backporting features, so checking > the specific macros is usually better. This looks good to me as well. I will send Patch v2, with the suggestions. > > > #endif > > }; > > #if LIBCURL_VERSION_NUM >= 0x070903
[PATCH] Allow use of TLS 1.3
Done during IETF 101 hackathon Signed-off-by: Loganaden Velvindron <lo...@hackers.mu> --- Documentation/config.txt | 1 + http.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index ce9102cea..f31d62772 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1957,6 +1957,7 @@ http.sslVersion:: - tlsv1.0 - tlsv1.1 - tlsv1.2 + - tlsv1.3 + Can be overridden by the `GIT_SSL_VERSION` environment variable. diff --git a/http.c b/http.c index 8c11156ae..666fe31f3 100644 --- a/http.c +++ b/http.c @@ -61,6 +61,9 @@ static struct { { "tlsv1.0", CURL_SSLVERSION_TLSv1_0 }, { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, +#if LIBCURL_VERSION_NUM >= 0x075200 + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } +#endif #endif }; #if LIBCURL_VERSION_NUM >= 0x070903 -- 2.16.2