Re: [PATCH] Allow use of TLS 1.3
Hi, On Fri, 23 Mar 2018, Loganaden Velvindron wrote: > On Fri, Mar 23, 2018 at 07:37:08PM +0100, Ævar Arnfjörð Bjarmason wrote: > > > > On Fri, Mar 23 2018, Loganaden Velvindron wrote: > > > > > Done during IETF 101 hackathon > > > > Hi. Thanks. Let's add a meaningful commit message to this though, > > something like: > > > > Add a tlsv1.3 option to http.sslVersion in addition to the existing > > tlsv1.[012] options. libcurl has supported this since 7.52.0. Can we please also add that OpenSSL 1.1.* is required (or that cURL is built with NSS or BoringSSL as the TLS backend)? Thanks, Johannes
Re: [PATCH] Allow use of TLS 1.3
On Fri, Mar 23, 2018 at 07:37:08PM +0100, Ævar Arnfjörð Bjarmason wrote: > > On Fri, Mar 23 2018, Loganaden Velvindron wrote: > > > Done during IETF 101 hackathon > > Hi. Thanks. Let's add a meaningful commit message to this though, > something like: > > Add a tlsv1.3 option to http.sslVersion in addition to the existing > tlsv1.[012] options. libcurl has supported this since 7.52.0. Looks good to me. > > > --- a/http.c > > +++ b/http.c > > @@ -61,6 +61,9 @@ static struct { > > { "tlsv1.0", CURL_SSLVERSION_TLSv1_0 }, > > { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, > > { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, > > +#if LIBCURL_VERSION_NUM >= 0x075200 > > + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } > > +#endif > > I wonder if this wouldn't be better as: > > +#ifdef CURL_SSLVERSION_TLSv1_3 > + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } > +#endif > > We've been bitten before by doing version checks on libcurl code, only > to find that some distros are actively backporting features, so checking > the specific macros is usually better. This looks good to me as well. I will send Patch v2, with the suggestions. > > > #endif > > }; > > #if LIBCURL_VERSION_NUM >= 0x070903
Re: [PATCH] Allow use of TLS 1.3
On Fri, Mar 23 2018, Loganaden Velvindron wrote: > Done during IETF 101 hackathon Hi. Thanks. Let's add a meaningful commit message to this though, something like: Add a tlsv1.3 option to http.sslVersion in addition to the existing tlsv1.[012] options. libcurl has supported this since 7.52.0. > --- a/http.c > +++ b/http.c > @@ -61,6 +61,9 @@ static struct { > { "tlsv1.0", CURL_SSLVERSION_TLSv1_0 }, > { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, > { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, > +#if LIBCURL_VERSION_NUM >= 0x075200 > + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } > +#endif I wonder if this wouldn't be better as: +#ifdef CURL_SSLVERSION_TLSv1_3 + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } +#endif We've been bitten before by doing version checks on libcurl code, only to find that some distros are actively backporting features, so checking the specific macros is usually better. > #endif > }; > #if LIBCURL_VERSION_NUM >= 0x070903
[PATCH] Allow use of TLS 1.3
Done during IETF 101 hackathon Signed-off-by: Loganaden Velvindron --- Documentation/config.txt | 1 + http.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/Documentation/config.txt b/Documentation/config.txt index ce9102cea..f31d62772 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1957,6 +1957,7 @@ http.sslVersion:: - tlsv1.0 - tlsv1.1 - tlsv1.2 + - tlsv1.3 + Can be overridden by the `GIT_SSL_VERSION` environment variable. diff --git a/http.c b/http.c index 8c11156ae..666fe31f3 100644 --- a/http.c +++ b/http.c @@ -61,6 +61,9 @@ static struct { { "tlsv1.0", CURL_SSLVERSION_TLSv1_0 }, { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, +#if LIBCURL_VERSION_NUM >= 0x075200 + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } +#endif #endif }; #if LIBCURL_VERSION_NUM >= 0x070903 -- 2.16.2