Re: [PATCH] Allow use of TLS 1.3
Hi, On Fri, 23 Mar 2018, Loganaden Velvindron wrote: > On Fri, Mar 23, 2018 at 07:37:08PM +0100, Ævar Arnfjörð Bjarmason wrote: > > > > On Fri, Mar 23 2018, Loganaden Velvindron wrote: > > > > > Done during IETF 101 hackathon > > > > Hi. Thanks. Let's add a meaningful commit message to this though, > > something like: > > > > Add a tlsv1.3 option to http.sslVersion in addition to the existing > > tlsv1.[012] options. libcurl has supported this since 7.52.0. Can we please also add that OpenSSL 1.1.* is required (or that cURL is built with NSS or BoringSSL as the TLS backend)? Thanks, Johannes
Re: [PATCH] Allow use of TLS 1.3
On Fri, Mar 23, 2018 at 07:37:08PM +0100, Ævar Arnfjörð Bjarmason wrote:
>
> On Fri, Mar 23 2018, Loganaden Velvindron wrote:
>
> > Done during IETF 101 hackathon
>
> Hi. Thanks. Let's add a meaningful commit message to this though,
> something like:
>
> Add a tlsv1.3 option to http.sslVersion in addition to the existing
> tlsv1.[012] options. libcurl has supported this since 7.52.0.
Looks good to me.
>
> > --- a/http.c
> > +++ b/http.c
> > @@ -61,6 +61,9 @@ static struct {
> > { "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },
> > { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
> > { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
> > +#if LIBCURL_VERSION_NUM >= 0x075200
> > + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
> > +#endif
>
> I wonder if this wouldn't be better as:
>
> +#ifdef CURL_SSLVERSION_TLSv1_3
> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
> +#endif
>
> We've been bitten before by doing version checks on libcurl code, only
> to find that some distros are actively backporting features, so checking
> the specific macros is usually better.
This looks good to me as well. I will send Patch v2, with the suggestions.
>
> > #endif
> > };
> > #if LIBCURL_VERSION_NUM >= 0x070903
Re: [PATCH] Allow use of TLS 1.3
On Fri, Mar 23 2018, Loganaden Velvindron wrote:
> Done during IETF 101 hackathon
Hi. Thanks. Let's add a meaningful commit message to this though,
something like:
Add a tlsv1.3 option to http.sslVersion in addition to the existing
tlsv1.[012] options. libcurl has supported this since 7.52.0.
> --- a/http.c
> +++ b/http.c
> @@ -61,6 +61,9 @@ static struct {
> { "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },
> { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
> { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
> +#if LIBCURL_VERSION_NUM >= 0x075200
> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
> +#endif
I wonder if this wouldn't be better as:
+#ifdef CURL_SSLVERSION_TLSv1_3
+ { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
+#endif
We've been bitten before by doing version checks on libcurl code, only
to find that some distros are actively backporting features, so checking
the specific macros is usually better.
> #endif
> };
> #if LIBCURL_VERSION_NUM >= 0x070903
[PATCH] Allow use of TLS 1.3
Done during IETF 101 hackathon
Signed-off-by: Loganaden Velvindron
---
Documentation/config.txt | 1 +
http.c | 3 +++
2 files changed, 4 insertions(+)
diff --git a/Documentation/config.txt b/Documentation/config.txt
index ce9102cea..f31d62772 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1957,6 +1957,7 @@ http.sslVersion::
- tlsv1.0
- tlsv1.1
- tlsv1.2
+ - tlsv1.3
+
Can be overridden by the `GIT_SSL_VERSION` environment variable.
diff --git a/http.c b/http.c
index 8c11156ae..666fe31f3 100644
--- a/http.c
+++ b/http.c
@@ -61,6 +61,9 @@ static struct {
{ "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },
{ "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
{ "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
+#if LIBCURL_VERSION_NUM >= 0x075200
+ { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
+#endif
#endif
};
#if LIBCURL_VERSION_NUM >= 0x070903
--
2.16.2
