
TLS version "or later" doesn't work for schannel and Secure Transport as it works with OpenSSL #2969

Closed
programuotojasgf opened this Issue Sep 10, 2018 · 12 comments


programuotojasgf commented Sep 10, 2018

I did this

I'm using this option: https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
For me it works as a specific version setter: it does not go upwards, even if the server supports it. For example:
CURL_SSLVERSION_TLSv1 -> this default option works with 1.0, 1.1, 1.2, 1.3 (probably future-proof for 1.4 and so on)
CURL_SSLVERSION_TLSv1_0 -> this option only works with 1.0. It fails with a server that only supports 1.1, 1.2 or 1.3

currently CURL_SSLVERSION_TLSv1 supports TLS 1.0 , 1.1 , 1.2 , 1.3
currently CURL_SSLVERSION_TLSv1_0 supports TLS 1.0
currently CURL_SSLVERSION_TLSv1_1 supports TLS 1.1
currently CURL_SSLVERSION_TLSv1_2 supports TLS 1.2
currently CURL_SSLVERSION_TLSv1_3 supports TLS 1.3

I expected the following

I expect CURL_SSLVERSION_TLSv1 to support TLS 1.0 , 1.1 , 1.2 , 1.3
I expect CURL_SSLVERSION_TLSv1_0 to support TLS 1.0 , 1.1 , 1.2 , 1.3
I expect CURL_SSLVERSION_TLSv1_1 to support TLS 1.1 , 1.2 , 1.3
I expect CURL_SSLVERSION_TLSv1_2 to support TLS 1.2 , 1.3
I expect CURL_SSLVERSION_TLSv1_3 to support TLS 1.3

curl/libcurl version

WinSSL -> libcurl/7.61.1-DEV WinSSL
and also
DarwinSSL(iOS) -> libcurl/7.61.1-DEV SecureTransport zlib/1.2.8

NOTE: Works as expected with OpenSSL, only works badly with WinSSL and DarwinSSL (iOS)

operating system

Windows 10 Professional x64

@bagder bagder added the SSL/TLS label Sep 10, 2018

bagder (Member) commented Sep 10, 2018

Duplicate of #2691

This was fixed in #2694, released in curl 7.61.0

@bagder bagder closed this Sep 10, 2018

programuotojasgf commented Sep 11, 2018

This is not fixed. I've updated the issue to note that it works with OpenSSL but does not work with WinSSL.

@bagder bagder reopened this Sep 11, 2018

@bagder bagder changed the title from TLS version option to TLS version "or later" doesn't work for schannel as it works with OpenSSL Sep 11, 2018

@programuotojasgf programuotojasgf changed the title from TLS version "or later" doesn't work for schannel as it works with OpenSSL to TLS version "or later" doesn't work for schannel and Secure Transport as it works with OpenSSL Sep 13, 2018

lietusme commented Sep 17, 2018

Any timeframe when this could be expected to be fixed and released?

bagder (Member) commented Sep 17, 2018

No.

jay (Member) commented Sep 17, 2018

I can't reproduce this. What server are you having this problem with and what commit are you using? For example curl --tlsv1.0 -v https://github.com and I get a handshake version of 1.2 and a successful connection. Note for schannel we haven't enabled TLS 1.3 yet.

danielgustafsson (Member) commented Sep 17, 2018

@jay is that with SChannel? With Secure Transport on git head I get failures to connect on --tlsv1.0 and --tlsv1.1, --tlsv1.2 and --tlsv1.3 both give me a 1.2 handshake and successful connection?

jay (Member) commented Sep 17, 2018

> @jay is that with SChannel?

Oops, yes. Not sure what's going on with Secure Transport; the code looks correct, but I don't run macOS. Check in Wireshark and see what it's sending for the handshake version in the failing case.

/cc @nickzman

danielgustafsson (Member) commented Sep 17, 2018

I will do some digging tomorrow to see what's going on.

danielgustafsson added a commit to danielgustafsson/curl that referenced this issue Sep 18, 2018

darwinssl: make requested TLS version the minimum
Make the requested TLS version the minimum and allow for any higher
protocol in the negotiation, rather than capping the protocol version
to the requested. This fixes Secure Transport (darwinssl) to behave
like OpenSSL as it was changed in curl#2694 (reported in curl#2969).

danielgustafsson (Member) commented Sep 18, 2018

I have a proposed bugfix for Secure Transport in #3010; please test that patch, @lietusme and @programuotojasgf.

jay (Member) commented Sep 18, 2018

My results yesterday were erroneous; I can reproduce this in schannel: curl --tlsv1.0 https://github.com shows a handshake of TLS 1.0. The only thing I can figure is that at the time something else must have made a connection to github, and I clicked on that ClientHello in Wireshark by mistake. It looks like all SSL backends except OpenSSL still use the old behavior of setting the requested SSL version as the minimum and the maximum. This is addressed in #3012, which incorporates @danielgustafsson's fix.

@jay jay closed this in 2e5651a Sep 20, 2018

lietusme commented Sep 21, 2018

Thanks! I assume this fix will be released on October 31, 2018 timeframe only? https://curl.haxx.se/dev/release-procedure.html

bagder (Member) commented Sep 21, 2018

@lietusme correct, but you can also verify/test/play with it using a daily snapshot.
