curl(1) unclear regarding minimum TLS version #2691

Closed
andreaso opened this Issue Jun 28, 2018 · 2 comments

andreaso commented Jun 28, 2018

The curl(1) man page has the following to say about the --tls-max option.

(SSL) VERSION defines maximum supported TLS version. A minimum is defined by arguments tlsv1.0 or tlsv1.1 or tlsv1.2.

The way I read that section it implies that (for example) the option --tlsv1.1 will try to use TLS version 1.1 or higher.

On the other hand, the curl(1) man page has the following to say about the --tlsv1.1 option specifically.

(TLS) Forces curl to use TLS version 1.1 when connecting to a remote TLS server.

The way I read that section the option --tlsv1.1 will try to use TLS version 1.1, only. That is also the behavior I get when trying out --tlsv1.1.

At least to me the "A minimum is defined by arguments tlsv1.0 or tlsv1.1 or tlsv1.2." phrase is misleading, and should perhaps be removed?

I did this

$ curl -o /dev/null --silent --show-error --tlsv1.1 https://github.com
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

...which suggests that --tlsv1.1 only tried to establish a TLS version 1.1 connection.

curl/libcurl version

curl 7.61.0-DEV (x86_64-pc-linux-gnu) libcurl/7.61.0-DEV OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

operating system

Ubuntu 18.04

It (the OpenSSL backend) is in fact trying only 1.1 when that option is given, and only 1.2 when that option is given... So in that regard the code works like the documentation implies.

The question is then probably if it really should work like that...

Member

bagder commented Jun 28, 2018

It (the OpenSSL backend) is in fact trying only 1.1 when that option is given, and only 1.2 when that option is given... So in that regard the code works like the documentation implies.

The question is then probably if it really should work like that...

andreaso commented Jun 28, 2018

Yeah, but what I (mostly) mean is that the documentation, at least the way I read it, contradicts itself. That is, that the --tls-max text says one thing about minimum, and the --tlsv* another thing.

bagder added a commit that referenced this issue Jun 28, 2018

openssl: make the requested TLS version the *minimum* wanted
The code treated the set version as the *exact* version to require in
the TLS handshake, which is not what other TLS backends do and probably
not what most people expect either.

Reported-by: Andreas Olsson
Fixes #2691

@bagder bagder closed this in 6015cef Jun 29, 2018
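The two readings of --tlsv1.1 discussed above, as an added illustration that is not curl's own code: a small model of how --tlsv1.x and --tls-max bound the client's offered version range, with `exact=True` standing for the pre-fix OpenSSL backend behaviour and `exact=False` for the fixed "minimum" behaviour. The server's supported version set and the default ceiling of TLS 1.3 are constructed assumptions, not values taken from the report.

```python
"""Model of curl's --tlsv1.x / --tls-max semantics before and after the fix for #2691.

This is a simplified illustration, not libcurl's negotiation code.
"""
from enum import IntEnum
from typing import Optional, Set, Tuple


class TLS(IntEnum):
    """TLS record-layer version numbers (constructed from the RFCs' values)."""
    TLSv1_0 = 0x0301
    TLSv1_1 = 0x0302
    TLSv1_2 = 0x0303
    TLSv1_3 = 0x0304


def client_range(tlsv: TLS, tls_max: Optional[TLS] = None,
                 exact: bool = False) -> Tuple[TLS, TLS]:
    """Return the (lowest, highest) version the client will offer.

    exact=True models the pre-fix OpenSSL backend, where --tlsv1.x pinned the
    handshake to that single version. exact=False models the fixed behaviour:
    --tlsv1.x is a floor and --tls-max (if given) a ceiling. The ceiling of
    TLS 1.3 when no --tls-max is given is an assumption of this model.
    """
    if exact:
        return tlsv, tlsv
    high = tls_max if tls_max is not None else TLS.TLSv1_3
    if high < tlsv:
        raise ValueError("--tls-max is lower than the requested --tlsv1.x")
    return tlsv, high


def negotiate(client: Tuple[TLS, TLS], server: Set[TLS]) -> Optional[TLS]:
    """Highest version inside the client's range that the server also offers.

    None stands for the server rejecting the handshake, which is what the
    'tlsv1 alert protocol version' error in the report corresponds to.
    """
    low, high = client
    common = [v for v in server if low <= v <= high]
    return max(common) if common else None


# Constructed server that only speaks TLS 1.2, matching the symptom reported.
SERVER_TLS12_ONLY = {TLS.TLSv1_2}

if __name__ == "__main__":
    print("pre-fix  --tlsv1.1:", negotiate(client_range(TLS.TLSv1_1, exact=True), SERVER_TLS12_ONLY))
    print("post-fix --tlsv1.1:", negotiate(client_range(TLS.TLSv1_1), SERVER_TLS12_ONLY))
```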

@lock lock bot locked as resolved and limited conversation to collaborators Sep 27, 2018
