On Thu, 7 Mar 2024, Jeffrey Walton wrote:
> I feel like questions like "Allow TLS 1.0 and above or not", "Allow TLS 1.2 or not" or "Require TLS 1.3" are policy decisions that the application authors should make. Businesses and application authors are in the best position to determine their needs. I don't think library authors should make the decision.
That's not what I propose. I propose we drop support for the libraries that do not offer TLS 1.3 for curl (fifteen months into the future).
They could still negotiate older versions.
> And I am not sure how other protocols like QUIC intersect with TLS 1.3. It would be unfortunate if QUIC lost functionality due to loss of TLS v1.2. But like I said, I don't know if this is even the case.
QUIC uses TLS 1.3. So by definition, all TLS libraries that support QUIC also support TLS 1.3 and thus would not be affected by my proposal.
--
 / daniel.haxx.se