git@vger.kernel.org mailing list mirror (one of many)
* [PATCH] Allow use of TLS 1.3
From: Loganaden Velvindron @ 2018-03-23 18:25 UTC
  To: git

Done during IETF 101 hackathon

Signed-off-by: Loganaden Velvindron <logan@hackers.mu>
---
 Documentation/config.txt | 1 +
 http.c                   | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index ce9102cea..f31d62772 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1957,6 +1957,7 @@ http.sslVersion::
 	- tlsv1.0
 	- tlsv1.1
 	- tlsv1.2
+	- tlsv1.3
 
 +
 Can be overridden by the `GIT_SSL_VERSION` environment variable.
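
Review bot: the new `tlsv1.3` item in the http.sslVersion list is documented unconditionally, while the matching http.c table entry in this same patch is compiled only when a libcurl guard passes. Suggest a short qualifier on the list item, or in the paragraph after the list, saying that tlsv1.3 is accepted only when Git is built against a libcurl that provides CURL_SSLVERSION_TLSv1_3, so a user who sets it on an older build can tell why the value is not recognised.
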
diff --git a/http.c b/http.c
index 8c11156ae..666fe31f3 100644
--- a/http.c
+++ b/http.c
@@ -61,6 +61,9 @@ static struct {
 	{ "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },
 	{ "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
 	{ "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
+#if LIBCURL_VERSION_NUM >= 0x075200
+	{ "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
+#endif
 #endif
 };
 #if LIBCURL_VERSION_NUM >= 0x070903
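
Review bot: the constant in `#if LIBCURL_VERSION_NUM >= 0x075200` does not encode 7.52.0, the release the thread names as the first with TLS 1.3 support. LIBCURL_VERSION_NUM packs major, minor and patch as one hexadecimal byte each (the neighbouring check 0x070903 is 7.9.3), so 0x075200 means 7.82.0 and the `tlsv1.3` entry is compiled out on every libcurl from 7.52.0 up to 7.81.x; 7.52.0 is 0x073400. Separately, the added `{ "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }` line has no trailing comma, unlike the entries above it, so the next addition to the table will have to touch this line as well.
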
-- 
2.16.2



* Re: [PATCH] Allow use of TLS 1.3
From: Ævar Arnfjörð Bjarmason @ 2018-03-23 18:37 UTC
  To: Loganaden Velvindron; +Cc: git


On Fri, Mar 23 2018, Loganaden Velvindron wrote:

> Done during IETF 101 hackathon

Hi. Thanks. Let's add a meaningful commit message to this though,
something like:

    Add a tlsv1.3 option to http.sslVersion in addition to the existing
    tlsv1.[012] options. libcurl has supported this since 7.52.0.

> --- a/http.c
> +++ b/http.c
> @@ -61,6 +61,9 @@ static struct {
>  	{ "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },
>  	{ "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
>  	{ "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
> +#if LIBCURL_VERSION_NUM >= 0x075200
> +	{ "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
> +#endif

I wonder if this wouldn't be better as:

    +#ifdef CURL_SSLVERSION_TLSv1_3
    +	{ "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
    +#endif

We've been bitten before by doing version checks on libcurl code, only
to find that some distros are actively backporting features, so checking
the specific macros is usually better.

>  #endif
>  };
>  #if LIBCURL_VERSION_NUM >= 0x070903
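
Review bot: on the `#ifdef CURL_SSLVERSION_TLSv1_3` form proposed for the added lines of this hunk, note that `#ifdef` sees only preprocessor macros. Before switching, confirm in curl.h that CURL_SSLVERSION_TLSv1_3 is a `#define` and not an enum constant: for an enum constant the test is always false, the `tlsv1.3` entry is compiled out on every libcurl, and the build gives no warning. If it turns out to be an enum constant, keep a LIBCURL_VERSION_NUM check instead.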


* Re: [PATCH] Allow use of TLS 1.3
From: Loganaden Velvindron @ 2018-03-23 18:39 UTC
  To: Ævar Arnfjörð Bjarmason; +Cc: git

On Fri, Mar 23, 2018 at 07:37:08PM +0100, Ævar Arnfjörð Bjarmason wrote:
> 
> On Fri, Mar 23 2018, Loganaden Velvindron wrote:
> 
> > Done during IETF 101 hackathon
> 
> Hi. Thanks. Let's add a meaningful commit message to this though,
> something like:
> 
>     Add a tlsv1.3 option to http.sslVersion in addition to the existing
>     tlsv1.[012] options. libcurl has supported this since 7.52.0.

Looks good to me.

> 
> > --- a/http.c
> > +++ b/http.c
> > @@ -61,6 +61,9 @@ static struct {
> >  	{ "tlsv1.0", CURL_SSLVERSION_TLSv1_0 },
> >  	{ "tlsv1.1", CURL_SSLVERSION_TLSv1_1 },
> >  	{ "tlsv1.2", CURL_SSLVERSION_TLSv1_2 },
> > +#if LIBCURL_VERSION_NUM >= 0x075200
> > +	{ "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
> > +#endif
> 
> I wonder if this wouldn't be better as:
> 
>     +#ifdef CURL_SSLVERSION_TLSv1_3
>     +	{ "tlsv1.3", CURL_SSLVERSION_TLSv1_3 }
>     +#endif
> 
> We've been bitten before by doing version checks on libcurl code, only
> to find that some distros are actively backporting features, so checking
> the specific macros is usually better.

This looks good to me as well. I will send Patch v2, with the suggestions.

> 
> >  #endif
> >  };
> >  #if LIBCURL_VERSION_NUM >= 0x070903


* Re: [PATCH] Allow use of TLS 1.3
From: Johannes Schindelin @ 2018-03-23 23:37 UTC
  To: Loganaden Velvindron; +Cc: Ævar Arnfjörð Bjarmason, git


Hi,

On Fri, 23 Mar 2018, Loganaden Velvindron wrote:

> On Fri, Mar 23, 2018 at 07:37:08PM +0100, Ævar Arnfjörð Bjarmason wrote:
> > 
> > On Fri, Mar 23 2018, Loganaden Velvindron wrote:
> > 
> > > Done during IETF 101 hackathon
> > 
> > Hi. Thanks. Let's add a meaningful commit message to this though,
> > something like:
> > 
> >     Add a tlsv1.3 option to http.sslVersion in addition to the existing
> >     tlsv1.[012] options. libcurl has supported this since 7.52.0.

Can we please also add that OpenSSL 1.1.* is required (or that cURL is
built with NSS or BoringSSL as the TLS backend)?

Thanks,
Johannes

