Hello.
TLS 1.3 does not work with Secure Transport as noted in Apple's
documentation (Ref.1). Are there any plans to transition SSL support for
macOS from Secure Transport to Network Framework?
"TLS clients using the SecureTransport APIs can’t use TLS 1.3."
I verified Apple's assertion by building curl with Secure Transport
locally and attempting a TLS 1.3 connection, which resulted in a TLS 1.2
connection. See the attached tls-test-output.txt and tls-test-trace.txt
files.
I put the execution under a debugger and verified that the call to
SSLSetProtocolVersionMax is failing with a -9830 error
(errSSLIllegalParam). And, looking at the code (Ref.2) for
SSLSetProtocolVersionMax, you can see that it returns errSSLIllegalParam
because the requested version is greater than MAXIMUM_STREAM_VERSION
which is set to TLS_Version_1_2.
There are Federal requirements to support TLS 1.3 by January of 2024
(Ref.3):
"This Special Publication provides guidance to the selection and
configuration of TLS protocol implementations while making effective use
of Federal Information Processing Standards (FIPS) and NIST-recommended
cryptographic algorithms. It requires that TLS 1.2 configured with
FIPS-based cipher suites be supported by all government TLS servers and
clients and requires support for TLS 1.3 by January 1, 2024."
References:
1 - https://support.apple.com/guide/security/tls-security-sec100a75d12/web
2 - https://opensource.apple.com/source/Security/Security-59754.80.3/OSX/libsecurity_ssl/lib/sslContext.c.auto.html
3 - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
user@host curl-8.2.0 % ./src/curl --trace tls-test-trace.txt --tlsv1.3 --tls-max 1.3 https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
== Info: !!! WARNING !!!
== Info: This is a debug build of libcurl, do not use in production.
== Info: processing: https://google.com
== Info: STATE: INIT => CONNECT handle 0x7fc03280a808; line 1962
== Info: Added connection 0. The cache now contains 1 members
== Info: STATE: CONNECT => RESOLVING handle 0x7fc03280a808; line 2005
== Info: STATE: RESOLVING => CONNECTING handle 0x7fc03280a808; line 2079
== Info: Trying [2607:f8b0:4005:802::200e]:443...
== Info: Connected to google.com (2607:f8b0:4005:802::200e) port 443
== Info: ALPN: offers http/1.1
== Info: Didn't find Session ID in cache for host HTTPS://google.com:443
== Info: Added Session ID to cache for HTTPS://google.com:443 [server]
== Info: TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
== Info: Server certificate: *.google.com
== Info: Server certificate: GTS CA 1C3
== Info: Server certificate: GTS Root R1
== Info: using HTTP/1.1
== Info: STATE: CONNECTING => PROTOCONNECT handle 0x7fc03280a808; line 2123
== Info: STATE: PROTOCONNECT => DO handle 0x7fc03280a808; line 2153
=> Send header, 73 bytes (0x49)
0000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1..
0010: 48 6f 73 74 3a 20 67 6f 6f 67 6c 65 2e 63 6f 6d Host: google.com
0020: 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 75 ..User-Agent: cu
0030: 72 6c 2f 38 2e 32 2e 30 0d 0a 41 63 63 65 70 74 rl/8.2.0..Accept
0040: 3a 20 2a 2f 2a 0d 0a 0d 0a : */*....
== Info: STATE: DO => DID handle 0x7fc03280a808; line 2247
== Info: STATE: DID => PERFORMING handle 0x7fc03280a808; line 2365
== Info: HTTP 1.1 or later with persistent connection
<= Recv header, 32 bytes (0x20)
0000: 48 54 54 50 2f 31 2e 31 20 33 30 31 20 4d 6f 76 HTTP/1.1 301 Mov
0010: 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a ed Permanently..
<= Recv header, 35 bytes (0x23)
0000: 4c 6f 63 61 74 69 6f 6e 3a 20 68 74 74 70 73 3a Location: https:
0010: 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d //www.google.com
0020: 2f 0d 0a /..
<= Recv header, 40 bytes (0x28)
0000: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 Content-Type: te
0010: 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 xt/html; charset
0020: 3d 55 54 46 2d 38 0d 0a =UTF-8..
<= Recv header, 245 bytes (0xf5)
0000: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 Content-Security
0010: 2d 50 6f 6c 69 63 79 2d 52 65 70 6f 72 74 2d 4f -Policy-Report-O
0020: 6e 6c 79 3a 20 6f 62 6a 65 63 74 2d 73 72 63 20 nly: object-src
0030: 27 6e 6f 6e 65 27 3b 62 61 73 65 2d 75 72 69 20 'none';base-uri
0040: 27 73 65 6c 66 27 3b 73 63 72 69 70 74 2d 73 72 'self';script-sr
0050: 63 20 27 6e 6f 6e 63 65 2d 64 33 55 68 68 76 2d c 'nonce-d3Uhhv-
0060: 35 32 7a 54 64 61 7a 59 67 46 4b 33 64 67 41 27 52zTdazYgFK3dgA'
0070: 20 27 73 74 72 69 63 74 2d 64 79 6e 61 6d 69 63 'strict-dynamic
0080: 27 20 27 72 65 70 6f 72 74 2d 73 61 6d 70 6c 65 ' 'report-sample
0090: 27 20 27 75 6e 73 61 66 65 2d 65 76 61 6c 27 20 ' 'unsafe-eval'
00a0: 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 20 'unsafe-inline'
00b0: 68 74 74 70 73 3a 20 68 74 74 70 3a 3b 72 65 70 https: http:;rep
00c0: 6f 72 74 2d 75 72 69 20 68 74 74 70 73 3a 2f 2f ort-uri https://
00d0: 63 73 70 2e 77 69 74 68 67 6f 6f 67 6c 65 2e 63 csp.withgoogle.c
00e0: 6f 6d 2f 63 73 70 2f 67 77 73 2f 6f 74 68 65 72 om/csp/gws/other
00f0: 2d 68 70 0d 0a -hp..
<= Recv header, 37 bytes (0x25)
0000: 44 61 74 65 3a 20 54 75 65 2c 20 32 35 20 4a 75 Date: Tue, 25 Ju
0010: 6c 20 32 30 32 33 20 31 34 3a 31 34 3a 34 34 20 l 2023 14:14:44
0020: 47 4d 54 0d 0a GMT..
<= Recv header, 40 bytes (0x28)
0000: 45 78 70 69 72 65 73 3a 20 54 68 75 2c 20 32 34 Expires: Thu, 24
0010: 20 41 75 67 20 32 30 32 33 20 31 34 3a 31 34 3a Aug 2023 14:14:
0020: 34 34 20 47 4d 54 0d 0a 44 GMT..
<= Recv header, 40 bytes (0x28)
0000: 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 Cache-Control: p
0010: 75 62 6c 69 63 2c 20 6d 61 78 2d 61 67 65 3d 32 ublic, max-age=2
0020: 35 39 32 30 30 30 0d 0a 592000..
<= Recv header, 13 bytes (0xd)
0000: 53 65 72 76 65 72 3a 20 67 77 73 0d 0a Server: gws..
<= Recv header, 21 bytes (0x15)
0000: 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 Content-Length:
0010: 32 32 30 0d 0a 220..
<= Recv header, 21 bytes (0x15)
0000: 58 2d 58 53 53 2d 50 72 6f 74 65 63 74 69 6f 6e X-XSS-Protection
0010: 3a 20 30 0d 0a : 0..
<= Recv header, 29 bytes (0x1d)
0000: 58 2d 46 72 61 6d 65 2d 4f 70 74 69 6f 6e 73 3a X-Frame-Options:
0010: 20 53 41 4d 45 4f 52 49 47 49 4e 0d 0a SAMEORIGIN..
<= Recv header, 57 bytes (0x39)
0000: 41 6c 74 2d 53 76 63 3a 20 68 33 3d 22 3a 34 34 Alt-Svc: h3=":44
0010: 33 22 3b 20 6d 61 3d 32 35 39 32 30 30 30 2c 68 3"; ma=2592000,h
0020: 33 2d 32 39 3d 22 3a 34 34 33 22 3b 20 6d 61 3d 3-29=":443"; ma=
0030: 32 35 39 32 30 30 30 0d 0a 2592000..
<= Recv header, 2 bytes (0x2)
0000: 0d 0a ..
<= Recv data, 220 bytes (0xdc)
0000: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 <HTML><HEAD><met
0010: 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f a http-equiv="co
0020: 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 ntent-type" cont
0030: 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 ent="text/html;c
0040: 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c harset=utf-8">.<
0050: 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c TITLE>301 Moved<
0060: 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 /TITLE></HEAD><B
0070: 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 ODY>.<H1>301 Mov
0080: 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 ed</H1>.The docu
0090: 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c ment has moved.<
00a0: 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f A HREF="https://
00b0: 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 22 www.google.com/"
00c0: 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f >here</A>...</BO
00d0: 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a DY></HTML>..
== Info: STATE: PERFORMING => DONE handle 0x7fc03280a808; line 2564
== Info: multi_done: status: 0 prem: 0 done: 0
== Info: Connection #0 to host google.com left intact
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
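The fallback the post describes is silent: curl asked for TLS 1.3, got TLS 1.2, and the request still succeeded. The following script is an added example, not code from the original post or from the curl project, that turns the two checks the author did by hand into something that can run in CI: it identifies the TLS backend from a `curl -V` version line and it parses a `--trace` or `-v` log for the negotiated version, failing unless it is 1.3. The function names, the backend list and the sample log and version lines are my own constructions, not captured output; the "TLS x.y connection using" and "SSL connection using TLSvx.y" line shapes are the ones curl's Secure Transport and OpenSSL-style backends print.

```sh
#!/bin/sh
# Added example (not from the original post or from curl): detect the TLS
# backend a curl binary was built with, and verify from a curl log which
# TLS version was actually negotiated, so a silent 1.3 -> 1.2 fallback
# fails a check instead of being trusted.

# List the TLS backends named on the first line of `curl -V` output given
# as $1. Non-default backends of a multi-SSL build appear in parentheses,
# so the parentheses are stripped. The backend list is my own, not curl's.
tls_backends() {
    printf '%s\n' "$1" | head -n 1 | tr ' ' '\n' \
      | grep -E '^\(?(SecureTransport|OpenSSL|LibreSSL|BoringSSL|GnuTLS|wolfSSL|mbedTLS|rustls|Schannel)' \
      | tr -d '()'
}

# Print the negotiated TLS version (e.g. "1.2") found in a curl log file.
# Secure Transport backend logs:  "TLS 1.2 connection using <suite>"
# OpenSSL-style backends log:     "SSL connection using TLSv1.3 / <suite>"
# Either may be prefixed by "== Info: " (--trace) or "* " (-v).
negotiated_tls_version() {
    sed -n -E \
        -e 's/^(== Info: |\* )?TLS ([0-9]\.[0-9]) connection using .*/\2/p' \
        -e 's/^(== Info: |\* )?SSL connection using TLSv([0-9]\.[0-9]).*/\2/p' \
        "$1" | head -n 1
}

# Exit status 0 only if the log shows TLS 1.3; 1 if a lower version was
# negotiated; 2 if no TLS line was found at all (e.g. handshake failed).
require_tls13() {
    v=$(negotiated_tls_version "$1")
    [ -z "$v" ] && return 2
    [ "$v" = "1.3" ]
}

# Constructed sample inputs (not captured from a real run) so the checks
# run offline. The first log mirrors the Secure Transport fallback in the
# post; the second shows what a TLS 1.3-capable backend logs.
SAMPLE_CURL_V='curl 8.2.0 (x86_64-apple-darwin22.5.0) libcurl/8.2.0 SecureTransport zlib/1.2.11'
write_sample_st() {
    printf '%s\n' \
        '== Info: ALPN: offers http/1.1' \
        '== Info: TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' \
        '== Info: Server certificate: *.example.com' > "$1"
}
write_sample_openssl() {
    printf '%s\n' \
        '* ALPN: server accepted h2' \
        '* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384' > "$1"
}

# Stand-alone demo: report the backend of the sample version line, then
# check the two sample logs plus any real trace files given as arguments.
demo() {
    echo "backend(s): $(tls_backends "$SAMPLE_CURL_V" | tr '\n' ' ')"
    st=$(mktemp); ossl=$(mktemp)
    write_sample_st "$st"; write_sample_openssl "$ossl"
    for f in "$st" "$ossl" "$@"; do
        if require_tls13 "$f"; then
            echo "$f: TLS 1.3 OK"
        else
            echo "$f: negotiated TLS '$(negotiated_tls_version "$f")', want 1.3"
        fi
    done
    rm -f "$st" "$ossl"
}

demo "$@"
```

Run it as `sh check-tls13.sh tls-test-trace.txt` against a real trace; for a CI gate, call `require_tls13` on the trace and fail the job on a non-zero status. The same `-v`/`--trace` lines are what you would read by eye, so the check adds nothing the log does not already say; it only stops a successful HTTP response from hiding the downgrade.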