[PATCH v4] Allow use of TLS 1.3
Add a tlsv1.3 option to http.sslVersion in addition to the existing
tlsv1.[012] options. libcurl has supported this since 7.52.0.
This requires OpenSSL 1.1.1 with TLS 1.3 enabled or curl built with
recent versions of NSS or BoringSSL as the TLS backend.
Signed-off-by: Loganaden Velvindron <lo...@hackers.mu>
---
Documentation/config.txt | 1 +
http.c | 3 +++
2 files changed, 4 insertions(+)
diff --git a/Documentation/config.txt b/Documentation/config.txt
index ce9102cea..f31d62772 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1957,6 +1957,7 @@ http.sslVersion::
- tlsv1.0
- tlsv1.1
- tlsv1.2
+ - tlsv1.3
+
Can be overridden by the `GIT_SSL_VERSION` environment variable.
diff --git a/http.c b/http.c
index a5bd5d62c..f84b18551 100644
--- a/http.c
+++ b/http.c
@@ -62,6 +62,9 @@ static struct {
{ "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
{ "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
#endif
+#if LIBCURL_VERSION_NUM >= 0x073400
+ { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
+#endif
};
#if LIBCURL_VERSION_NUM >= 0x070903
static const char *ssl_key;
--
2.16.2
[PATCH v3] Allow use of TLS 1.3
Add a tlsv1.3 option to http.sslVersion in addition to the existing
tlsv1.[012] options. libcurl has supported this since 7.52.0.
Signed-off-by: Loganaden Velvindron <lo...@hackers.mu>
---
Documentation/config.txt | 1 +
http.c | 3 +++
2 files changed, 4 insertions(+)
diff --git a/Documentation/config.txt b/Documentation/config.txt
index ce9102cea..f31d62772 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1957,6 +1957,7 @@ http.sslVersion::
- tlsv1.0
- tlsv1.1
- tlsv1.2
+ - tlsv1.3
+
Can be overridden by the `GIT_SSL_VERSION` environment variable.
diff --git a/http.c b/http.c
index a5bd5d62c..f84b18551 100644
--- a/http.c
+++ b/http.c
@@ -62,6 +62,9 @@ static struct {
{ "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
{ "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
#endif
+#if LIBCURL_VERSION_NUM >= 0x073400
+ { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
+#endif
};
#if LIBCURL_VERSION_NUM >= 0x070903
static const char *ssl_key;
--
2.16.2
Re: [PATCH v2] Allow use of TLS 1.3
On Sat, Mar 24, 2018 at 2:04 AM, Junio C Hamano <gits...@pobox.com> wrote:
> Daniel Stenberg <dan...@haxx.se> writes:
>
>> On Fri, 23 Mar 2018, Loganaden Velvindron wrote:
>>
>>> +#ifdef CURL_SSLVERSION_TLSv1_3
>>> +{ "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
>>> +#endif
>>
>> Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct
>> won't work.
>>
>> Also, let me just point out that 7.52.0 is 0x073400 in hex and not the
>> one used for the first version of this patch.
>
It's working with tls 1.3:
ldd for curl (showing linking to openssl 1.1.1 pre2 preview):
ldd /usr/local/bin/curl
linux-vdso.so.1 (0x7ffd30599000)
libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x7f5a81845000)
libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x7f5a815b5000)
libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x7f5a810dd000)
libz.so.1 => /usr/lib/libz.so.1 (0x7f5a80ec6000)
libpthread.so.0 => /usr/lib/libpthread.so.0 (0x7f5a80ca7000)
libc.so.6 => /usr/lib/libc.so.6 (0x7f5a808f2000)
libnghttp2.so.14 => /usr/lib/libnghttp2.so.14 (0x7f5a806cd000)
libdl.so.2 => /usr/lib/libdl.so.2 (0x7f5a804c9000)
/lib/ld-linux-x86-64.so.2 (0x7f5a81ce5000)
handshake failure against a tls 1.2 server:
GIT_SSL_VERSION=tlsv1.3 ./git clone https://github.com/shuque/pydig
Cloning into 'pydig'...
warning: templates not found /usr/local/share/git-core/templates
fatal: unable to access 'https://github.com/shuque/pydig/':
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake
failure
With a local server running nginx using only tls 1.3 (had to disable
ssl verification due to self-signed cert):
GIT_SSL_NO_VERIFY=true GIT_SSL_VERSION=tlsv1.2 ./git clone
https://192.168.1.214/git_test
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
Now with TLS 1.3, it works:
GIT_SSL_NO_VERIFY=true GIT_SSL_VERSION=tlsv1.3 ./git clone
https://192.168.1.214/git_test
> Thanks!
Re: [PATCH v2] Allow use of TLS 1.3
On Sat, Mar 24, 2018 at 1:47 AM, Daniel Stenberg <dan...@haxx.se> wrote:
> On Fri, 23 Mar 2018, Loganaden Velvindron wrote:
>
>> +#ifdef CURL_SSLVERSION_TLSv1_3
>> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
>> +#endif
>
>
> Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct won't
> work.
>
> Also, let me just point out that 7.52.0 is 0x073400 in hex and not the one
> used for the first version of this patch.
>
Here's the error i get when I use a recent libcurl, but the OpenSSL
wasn't built with tls 1.3:
using : GIT_SSL_VERSION=tlsv1.3
Error:
OpenSSL was built without TLS 1.3 support
> --
>
> / daniel.haxx.se
Re: [PATCH v2] Allow use of TLS 1.3
On Sat, Mar 24, 2018 at 1:47 AM, Daniel Stenberg <dan...@haxx.se> wrote:
> On Fri, 23 Mar 2018, Loganaden Velvindron wrote:
>
>> +#ifdef CURL_SSLVERSION_TLSv1_3
>> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
>> +#endif
>
>
> Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct won't
> work.
>
> Also, let me just point out that 7.52.0 is 0x073400 in hex and not the one
> used for the first version of this patch.
>
Yeah, v1 patch is broken. I'm sending a v3 patch which is properly
tested with OpenSSL preview alpha.
> --
>
> / daniel.haxx.se
Re: [PATCH v2] Allow use of TLS 1.3
On Sat, Mar 24, 2018 at 1:55 AM, Junio C Hamano <gits...@pobox.com> wrote:
> Loganaden Velvindron <lo...@hackers.mu> writes:
>
>> Subject: Re: [PATCH v2] Allow use of TLS 1.3
>
> Let's retitle it to something like
>
> Subject: [PATCH v2] http: allow use of TLS 1.3
>
>> Add a tlsv1.3 option to http.sslVersion in addition to the existing
>> tlsv1.[012] options. libcurl has supported this since 7.52.0.
>
> Good.
>
>>
>> Done during IETF 101 Hackathon
>
> I am on the fence wrt the value of this line, especially because I
> would strongly suspect that this version is not what you wrote and
> tested during your Hackathon. Even if it were, would it give value
> to future "git log" readers by supplying extra context?
>
Will remove this line.
>> Signed-off-by: Loganaden Velvindron <lo...@hackers.mu>
>> ---
>> Documentation/config.txt | 2 +-
>> http.c | 3 +++
>> 2 files changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/Documentation/config.txt b/Documentation/config.txt
>> index ce9102cea..b18cb9104 100644
>> --- a/Documentation/config.txt
>> +++ b/Documentation/config.txt
>> @@ -1957,7 +1957,7 @@ http.sslVersion::
>> - tlsv1.0
>> - tlsv1.1
>> - tlsv1.2
>> -
>> + - tlsv1.3
>> +
>
> Before this change, the block that shows the list of versions had
> one blank line before and after it. Now we lost the blank line
> after the block. Is it intended? Possibilities that come to my
> mind as a reviewer are:
>
> A. There is no difference in the rendered output if we have zero
> blank line (i.e. with the patch), or one blank line (i.e. before
> the patch applied).
>
> A.1) the submitter made this change on purpose, because it will
> make the source shorter without affecting the output, as a
> "clean-up while at it" change.
>
> A.2) this was an accidental change, which did not break the
> output merely because the submitter was lucky.
>
> B. The rendered output changes due to the lack of the blank line.
>
> B.1) And it changes in a good way. The submitter made this
> change on purpose.
>
> B.2) And it changes in a bad way, but the submitter did not
> notice it.
>
> Please do not make reviewers wonder. Either avoid making
> unnecessary changes (e.g. you could have just added a new line with
> tlsv1.3 on it without touching the blank line), or make the change
> and explain why you made that change that is not essential for the
> purpose of adding tls1.3 which is the main focus of this patch.
Alright.
>
>> Can be overridden by the `GIT_SSL_VERSION` environment variable.
>> To force git to use libcurl's default ssl version and ignore any
>> diff --git a/http.c b/http.c
>> index a5bd5d62c..25eb84c11 100644
>> --- a/http.c
>> +++ b/http.c
>> @@ -62,6 +62,9 @@ static struct {
>> { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
>> { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
>> #endif
>> +#ifdef CURL_SSLVERSION_TLSv1_3
>> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
>> +#endif
>> };
>
> It seems to me that
>
> https://github.com/curl/curl/blob/master/include/curl/curl.h#L1956
>
> tells me that this #ifdef would not work. Did you test it with the
> "test not version but feature" change you made at the last minute?
I compiled it.
>
> I know it is not your fault but is Ævar's, but you're responsible
> for double-checking what you are told on the internet ;-)
Yes, my fault, not Ævar Arnfjörð Bjarmason .
>
> Thanks.
Re: [PATCH v2] Allow use of TLS 1.3
On Sat, Mar 24, 2018 at 1:47 AM, Daniel Stenberg <dan...@haxx.se> wrote:
> On Fri, 23 Mar 2018, Loganaden Velvindron wrote:
>
>> +#ifdef CURL_SSLVERSION_TLSv1_3
>> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
>> +#endif
>
>
> Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct won't
> work.
>
> Also, let me just point out that 7.52.0 is 0x073400 in hex and not the one
> used for the first version of this patch.
>
Thanks, will fix it.
> --
>
> / daniel.haxx.se
[PATCH v2] Allow use of TLS 1.3
Add a tlsv1.3 option to http.sslVersion in addition to the existing
tlsv1.[012] options. libcurl has supported this since 7.52.0.
Done during IETF 101 Hackathon
Signed-off-by: Loganaden Velvindron <lo...@hackers.mu>
---
Documentation/config.txt | 2 +-
http.c | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/Documentation/config.txt b/Documentation/config.txt
index ce9102cea..b18cb9104 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1957,7 +1957,7 @@ http.sslVersion::
- tlsv1.0
- tlsv1.1
- tlsv1.2
-
+ - tlsv1.3
+
Can be overridden by the `GIT_SSL_VERSION` environment variable.
To force git to use libcurl's default ssl version and ignore any
diff --git a/http.c b/http.c
index a5bd5d62c..25eb84c11 100644
--- a/http.c
+++ b/http.c
@@ -62,6 +62,9 @@ static struct {
{ "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
{ "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
#endif
+#ifdef CURL_SSLVERSION_TLSv1_3
+ { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
+#endif
};
#if LIBCURL_VERSION_NUM >= 0x070903
static const char *ssl_key;
--
2.16.2
Re: [PATCH] Allow use of TLS 1.3
On Fri, Mar 23, 2018 at 07:37:08PM +0100, Ævar Arnfjörð Bjarmason wrote:
>
> On Fri, Mar 23 2018, Loganaden Velvindron wrote:
>
> > Done during IETF 101 hackathon
>
> Hi. Thanks. Let's add a meaningful commit message to this though,
> something like:
>
> Add a tlsv1.3 option to http.sslVersion in addition to the existing
> tlsv1.[012] options. libcurl has supported this since 7.52.0.
Looks good to me.
>
> > --- a/http.c
> > +++ b/http.c
> > @@ -61,6 +61,9 @@ static struct {
> > { "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },
> > { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
> > { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
> > +#if LIBCURL_VERSION_NUM >= 0x075200
> > + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
> > +#endif
>
> I wonder if this wouldn't be better as:
>
> +#ifdef CURL_SSLVERSION_TLSv1_3
> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
> +#endif
>
> We've been bitten before by doing version checks on libcurl code, only
> to find that some distros are actively backporting features, so checking
> the specific macros is usually better.
This looks good to me as well. I will send Patch v2, with the suggestions.
>
> > #endif
> > };
> > #if LIBCURL_VERSION_NUM >= 0x070903
[PATCH] Allow use of TLS 1.3
Done during IETF 101 hackathon
Signed-off-by: Loganaden Velvindron <lo...@hackers.mu>
---
Documentation/config.txt | 1 +
http.c | 3 +++
2 files changed, 4 insertions(+)
diff --git a/Documentation/config.txt b/Documentation/config.txt
index ce9102cea..f31d62772 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1957,6 +1957,7 @@ http.sslVersion::
- tlsv1.0
- tlsv1.1
- tlsv1.2
+ - tlsv1.3
+
Can be overridden by the `GIT_SSL_VERSION` environment variable.
diff --git a/http.c b/http.c
index 8c11156ae..666fe31f3 100644
--- a/http.c
+++ b/http.c
@@ -61,6 +61,9 @@ static struct {
{ "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },
{ "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
{ "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
+#if LIBCURL_VERSION_NUM >= 0x075200
+ { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
+#endif
#endif
};
#if LIBCURL_VERSION_NUM >= 0x070903
--
2.16.2
