* [PATCH v2] Allow use of TLS 1.3 @ 2018-03-23 19:34 Loganaden Velvindron 2018-03-23 21:47 ` Daniel Stenberg 2018-03-23 21:55 ` Junio C Hamano 0 siblings, 2 replies; 10+ messages in thread From: Loganaden Velvindron @ 2018-03-23 19:34 UTC (permalink / raw) To: git Add a tlsv1.3 option to http.sslVersion in addition to the existing tlsv1.[012] options. libcurl has supported this since 7.52.0. Done during IETF 101 Hackathon Signed-off-by: Loganaden Velvindron <logan@hackers.mu> --- Documentation/config.txt | 2 +- http.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/Documentation/config.txt b/Documentation/config.txt index ce9102cea..b18cb9104 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1957,7 +1957,7 @@ http.sslVersion:: - tlsv1.0 - tlsv1.1 - tlsv1.2 - + - tlsv1.3 + Can be overridden by the `GIT_SSL_VERSION` environment variable. To force git to use libcurl's default ssl version and ignore any diff --git a/http.c b/http.c index a5bd5d62c..25eb84c11 100644 --- a/http.c +++ b/http.c @@ -62,6 +62,9 @@ static struct { { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, #endif +#ifdef CURL_SSLVERSION_TLSv1_3 + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } +#endif }; #if LIBCURL_VERSION_NUM >= 0x070903 static const char *ssl_key; -- 2.16.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH v2] Allow use of TLS 1.3 2018-03-23 19:34 [PATCH v2] Allow use of TLS 1.3 Loganaden Velvindron @ 2018-03-23 21:47 ` Daniel Stenberg 2018-03-23 22:04 ` Junio C Hamano ` (3 more replies) 2018-03-23 21:55 ` Junio C Hamano 1 sibling, 4 replies; 10+ messages in thread From: Daniel Stenberg @ 2018-03-23 21:47 UTC (permalink / raw) To: Loganaden Velvindron; +Cc: git On Fri, 23 Mar 2018, Loganaden Velvindron wrote: > +#ifdef CURL_SSLVERSION_TLSv1_3 > + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } > +#endif Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct won't work. Also, let me just point out that 7.52.0 is 0x073400 in hex and not the one used for the first version of this patch. -- / daniel.haxx.se ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v2] Allow use of TLS 1.3 2018-03-23 21:47 ` Daniel Stenberg @ 2018-03-23 22:04 ` Junio C Hamano 2018-03-24 7:52 ` Loganaden Velvindron 2018-03-24 4:21 ` Loganaden Velvindron ` (2 subsequent siblings) 3 siblings, 1 reply; 10+ messages in thread From: Junio C Hamano @ 2018-03-23 22:04 UTC (permalink / raw) To: Daniel Stenberg; +Cc: Loganaden Velvindron, git Daniel Stenberg <daniel@haxx.se> writes: > On Fri, 23 Mar 2018, Loganaden Velvindron wrote: > >> +#ifdef CURL_SSLVERSION_TLSv1_3 >> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } >> +#endif > > Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct > won't work. > > Also, let me just point out that 7.52.0 is 0x073400 in hex and not the > one used for the first version of this patch. Thanks! ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v2] Allow use of TLS 1.3 2018-03-23 22:04 ` Junio C Hamano @ 2018-03-24 7:52 ` Loganaden Velvindron 0 siblings, 0 replies; 10+ messages in thread From: Loganaden Velvindron @ 2018-03-24 7:52 UTC (permalink / raw) To: Junio C Hamano; +Cc: Daniel Stenberg, git On Sat, Mar 24, 2018 at 2:04 AM, Junio C Hamano <gitster@pobox.com> wrote: > Daniel Stenberg <daniel@haxx.se> writes: > >> On Fri, 23 Mar 2018, Loganaden Velvindron wrote: >> >>> +#ifdef CURL_SSLVERSION_TLSv1_3 >>> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } >>> +#endif >> >> Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct >> won't work. >> >> Also, let me just point out that 7.52.0 is 0x073400 in hex and not the >> one used for the first version of this patch. > It's working with tls 1.3: ldd for curl (showing linking to openssl 1.1.1 pre2 preview): ldd /usr/local/bin/curl linux-vdso.so.1 (0x00007ffd30599000) libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x00007f5a81845000) libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007f5a815b5000) libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007f5a810dd000) libz.so.1 => /usr/lib/libz.so.1 (0x00007f5a80ec6000) libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f5a80ca7000) libc.so.6 => /usr/lib/libc.so.6 (0x00007f5a808f2000) libnghttp2.so.14 => /usr/lib/libnghttp2.so.14 (0x00007f5a806cd000) libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f5a804c9000) /lib/ld-linux-x86-64.so.2 (0x00007f5a81ce5000) handshake failure against a tls 1.2 server: GIT_SSL_VERSION=tlsv1.3 ./git clone https://github.com/shuque/pydig Cloning into 'pydig'... warning: templates not found /usr/local/share/git-core/templates fatal: unable to access 'https://github.com/shuque/pydig/': error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure With a local server running nginx using only tls 1.3 (had to disable ssl verification due to self-signed cert): GIT_SSL_NO_VERIFY=true GIT_SSL_VERSION=tlsv1.2 ./git clone https://192.168.1.214/git_test error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version Now with TLS 1.3, it works: GIT_SSL_NO_VERIFY=true GIT_SSL_VERSION=tlsv1.3 ./git clone https://192.168.1.214/git_test > Thanks! ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v2] Allow use of TLS 1.3 2018-03-23 21:47 ` Daniel Stenberg 2018-03-23 22:04 ` Junio C Hamano @ 2018-03-24 4:21 ` Loganaden Velvindron 2018-03-24 4:31 ` Loganaden Velvindron 2018-03-24 5:43 ` Loganaden Velvindron 3 siblings, 0 replies; 10+ messages in thread From: Loganaden Velvindron @ 2018-03-24 4:21 UTC (permalink / raw) To: Daniel Stenberg; +Cc: git On Sat, Mar 24, 2018 at 1:47 AM, Daniel Stenberg <daniel@haxx.se> wrote: > On Fri, 23 Mar 2018, Loganaden Velvindron wrote: > >> +#ifdef CURL_SSLVERSION_TLSv1_3 >> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } >> +#endif > > > Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct won't > work. > > Also, let me just point out that 7.52.0 is 0x073400 in hex and not the one > used for the first version of this patch. > Thanks, will fix it. > -- > > / daniel.haxx.se ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v2] Allow use of TLS 1.3 2018-03-23 21:47 ` Daniel Stenberg 2018-03-23 22:04 ` Junio C Hamano 2018-03-24 4:21 ` Loganaden Velvindron @ 2018-03-24 4:31 ` Loganaden Velvindron 2018-03-24 5:43 ` Loganaden Velvindron 3 siblings, 0 replies; 10+ messages in thread From: Loganaden Velvindron @ 2018-03-24 4:31 UTC (permalink / raw) To: Daniel Stenberg; +Cc: git On Sat, Mar 24, 2018 at 1:47 AM, Daniel Stenberg <daniel@haxx.se> wrote: > On Fri, 23 Mar 2018, Loganaden Velvindron wrote: > >> +#ifdef CURL_SSLVERSION_TLSv1_3 >> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } >> +#endif > > > Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct won't > work. > > Also, let me just point out that 7.52.0 is 0x073400 in hex and not the one > used for the first version of this patch. > Yeah, v1 patch is broken. I'm sending a v3 patch which is properly tested with OpenSSL preview alpha. > -- > > / daniel.haxx.se ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v2] Allow use of TLS 1.3 2018-03-23 21:47 ` Daniel Stenberg ` (2 preceding siblings ...) 2018-03-24 4:31 ` Loganaden Velvindron @ 2018-03-24 5:43 ` Loganaden Velvindron 3 siblings, 0 replies; 10+ messages in thread From: Loganaden Velvindron @ 2018-03-24 5:43 UTC (permalink / raw) To: Daniel Stenberg; +Cc: git On Sat, Mar 24, 2018 at 1:47 AM, Daniel Stenberg <daniel@haxx.se> wrote: > On Fri, 23 Mar 2018, Loganaden Velvindron wrote: > >> +#ifdef CURL_SSLVERSION_TLSv1_3 >> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } >> +#endif > > > Unfortunately, CURL_SSLVERSION_TLSv1_3 is an enum so this construct won't > work. > > Also, let me just point out that 7.52.0 is 0x073400 in hex and not the one > used for the first version of this patch. > Here's the error i get when I use a recent libcurl, but the OpenSSL wasn't built with tls 1.3: using : GIT_SSL_VERSION=tlsv1.3 Error: OpenSSL was built without TLS 1.3 support > -- > > / daniel.haxx.se ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v2] Allow use of TLS 1.3 2018-03-23 19:34 [PATCH v2] Allow use of TLS 1.3 Loganaden Velvindron 2018-03-23 21:47 ` Daniel Stenberg @ 2018-03-23 21:55 ` Junio C Hamano 2018-03-23 22:28 ` Ævar Arnfjörð Bjarmason 2018-03-24 4:23 ` Loganaden Velvindron 1 sibling, 2 replies; 10+ messages in thread From: Junio C Hamano @ 2018-03-23 21:55 UTC (permalink / raw) To: Loganaden Velvindron; +Cc: git, Ævar Arnfjörð Bjarmason Loganaden Velvindron <logan@hackers.mu> writes: > Subject: Re: [PATCH v2] Allow use of TLS 1.3 Let's retitle it to something like Subject: [PATCH v2] http: allow use of TLS 1.3 > Add a tlsv1.3 option to http.sslVersion in addition to the existing > tlsv1.[012] options. libcurl has supported this since 7.52.0. Good. > > Done during IETF 101 Hackathon I am on the fence wrt the value of this line, especially because I would strongly suspect that this version is not what you wrote and tested during your Hackathon. Even if it were, would it give value to future "git log" readers by supplying extra context? > Signed-off-by: Loganaden Velvindron <logan@hackers.mu> > --- > Documentation/config.txt | 2 +- > http.c | 3 +++ > 2 files changed, 4 insertions(+), 1 deletion(-) > > diff --git a/Documentation/config.txt b/Documentation/config.txt > index ce9102cea..b18cb9104 100644 > --- a/Documentation/config.txt > +++ b/Documentation/config.txt > @@ -1957,7 +1957,7 @@ http.sslVersion:: > - tlsv1.0 > - tlsv1.1 > - tlsv1.2 > - > + - tlsv1.3 > + Before this change, the block that shows the list of versions had one blank line before and after it. Now we lost the blank line after the block. Is it intended? Possibilities that come to my mind as a reviewer are: A. There is no difference in the rendered output if we have zero blank line (i.e. with the patch), or one blank line (i.e. before the patch applied). A.1) the submitter made this change on purpose, because it will make the source shorter without affecting the output, as a "clean-up while at it" change. A.2) this was an accidental change, which did not break the output merely because the submitter was lucky. B. The rendered output changes due to the lack of the blank line. B.1) And it changes in a good way. The submitter made this change on purpose. B.2) And it changes in a bad way, but the submitter did not notice it. Please do not make reviewers wonder. Either avoid making unnecessary changes (e.g. you could have just added a new line with tlsv1.3 on it without touching the blank line), or make the change and explain why you made that change that is not essential for the purpose of adding tls1.3 which is the main focus of this patch. > Can be overridden by the `GIT_SSL_VERSION` environment variable. > To force git to use libcurl's default ssl version and ignore any > diff --git a/http.c b/http.c > index a5bd5d62c..25eb84c11 100644 > --- a/http.c > +++ b/http.c > @@ -62,6 +62,9 @@ static struct { > { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, > { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, > #endif > +#ifdef CURL_SSLVERSION_TLSv1_3 > + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } > +#endif > }; It seems to me that https://github.com/curl/curl/blob/master/include/curl/curl.h#L1956 tells me that this #ifdef would not work. Did you test it with the "test not version but feature" change you made at the last minute? I know it is not your fault but is Ævar's, but you're responsible for double-checking what you are told on the internet ;-) Thanks. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v2] Allow use of TLS 1.3 2018-03-23 21:55 ` Junio C Hamano @ 2018-03-23 22:28 ` Ævar Arnfjörð Bjarmason 2018-03-24 4:23 ` Loganaden Velvindron 1 sibling, 0 replies; 10+ messages in thread From: Ævar Arnfjörð Bjarmason @ 2018-03-23 22:28 UTC (permalink / raw) To: Junio C Hamano; +Cc: Loganaden Velvindron, git, Daniel Stenberg On Fri, Mar 23 2018, Junio C. Hamano wrote: >> @@ -62,6 +62,9 @@ static struct { >> { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, >> { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, >> #endif >> +#ifdef CURL_SSLVERSION_TLSv1_3 >> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } >> +#endif >> }; > > It seems to me that > > https://github.com/curl/curl/blob/master/include/curl/curl.h#L1956 > > tells me that this #ifdef would not work. Did you test it with the > "test not version but feature" change you made at the last minute? > > I know it is not your fault but is Ævar's, but you're responsible > for double-checking what you are told on the internet ;-) Yeah I should add some "I haven't actually tried this, but what do you think about this?" disclaimer. But it's not a good sign that we have a v2 with an ifdef that'll never be true, indicating that it wasn't tested against TLSv1.3. Is there some way we could check for this in our test suite? ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v2] Allow use of TLS 1.3 2018-03-23 21:55 ` Junio C Hamano 2018-03-23 22:28 ` Ævar Arnfjörð Bjarmason @ 2018-03-24 4:23 ` Loganaden Velvindron 1 sibling, 0 replies; 10+ messages in thread From: Loganaden Velvindron @ 2018-03-24 4:23 UTC (permalink / raw) To: Junio C Hamano; +Cc: git, Ævar Arnfjörð Bjarmason On Sat, Mar 24, 2018 at 1:55 AM, Junio C Hamano <gitster@pobox.com> wrote: > Loganaden Velvindron <logan@hackers.mu> writes: > >> Subject: Re: [PATCH v2] Allow use of TLS 1.3 > > Let's retitle it to something like > > Subject: [PATCH v2] http: allow use of TLS 1.3 > >> Add a tlsv1.3 option to http.sslVersion in addition to the existing >> tlsv1.[012] options. libcurl has supported this since 7.52.0. > > Good. > >> >> Done during IETF 101 Hackathon > > I am on the fence wrt the value of this line, especially because I > would strongly suspect that this version is not what you wrote and > tested during your Hackathon. Even if it were, would it give value > to future "git log" readers by supplying extra context? > Will remove this line. >> Signed-off-by: Loganaden Velvindron <logan@hackers.mu> >> --- >> Documentation/config.txt | 2 +- >> http.c | 3 +++ >> 2 files changed, 4 insertions(+), 1 deletion(-) >> >> diff --git a/Documentation/config.txt b/Documentation/config.txt >> index ce9102cea..b18cb9104 100644 >> --- a/Documentation/config.txt >> +++ b/Documentation/config.txt >> @@ -1957,7 +1957,7 @@ http.sslVersion:: >> - tlsv1.0 >> - tlsv1.1 >> - tlsv1.2 >> - >> + - tlsv1.3 >> + > > Before this change, the block that shows the list of versions had > one blank line before and after it. Now we lost the blank line > after the block. Is it intended? Possibilities that come to my > mind as a reviewer are: > > A. There is no difference in the rendered output if we have zero > blank line (i.e. with the patch), or one blank line (i.e. before > the patch applied). > > A.1) the submitter made this change on purpose, because it will > make the source shorter without affecting the output, as a > "clean-up while at it" change. > > A.2) this was an accidental change, which did not break the > output merely because the submitter was lucky. > > B. The rendered output changes due to the lack of the blank line. > > B.1) And it changes in a good way. The submitter made this > change on purpose. > > B.2) And it changes in a bad way, but the submitter did not > notice it. > > Please do not make reviewers wonder. Either avoid making > unnecessary changes (e.g. you could have just added a new line with > tlsv1.3 on it without touching the blank line), or make the change > and explain why you made that change that is not essential for the > purpose of adding tls1.3 which is the main focus of this patch. Alright. > >> Can be overridden by the `GIT_SSL_VERSION` environment variable. >> To force git to use libcurl's default ssl version and ignore any >> diff --git a/http.c b/http.c >> index a5bd5d62c..25eb84c11 100644 >> --- a/http.c >> +++ b/http.c >> @@ -62,6 +62,9 @@ static struct { >> { "tlsv1.1", CURL_SSLVERSION_TLSv1_1 }, >> { "tlsv1.2", CURL_SSLVERSION_TLSv1_2 }, >> #endif >> +#ifdef CURL_SSLVERSION_TLSv1_3 >> + { "tlsv1.3", CURL_SSLVERSION_TLSv1_3 } >> +#endif >> }; > > It seems to me that > > https://github.com/curl/curl/blob/master/include/curl/curl.h#L1956 > > tells me that this #ifdef would not work. Did you test it with the > "test not version but feature" change you made at the last minute? I compiled it. > > I know it is not your fault but is Ævar's, but you're responsible > for double-checking what you are told on the internet ;-) Yes, my fault, not Ævar Arnfjörð Bjarmason . > > Thanks. ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2018-03-24 7:53 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-03-23 19:34 [PATCH v2] Allow use of TLS 1.3 Loganaden Velvindron 2018-03-23 21:47 ` Daniel Stenberg 2018-03-23 22:04 ` Junio C Hamano 2018-03-24 7:52 ` Loganaden Velvindron 2018-03-24 4:21 ` Loganaden Velvindron 2018-03-24 4:31 ` Loganaden Velvindron 2018-03-24 5:43 ` Loganaden Velvindron 2018-03-23 21:55 ` Junio C Hamano 2018-03-23 22:28 ` Ævar Arnfjörð Bjarmason 2018-03-24 4:23 ` Loganaden Velvindron
Code repositories for project(s) associated with this public inbox https://80x24.org/mirrors/git.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).