TLS version "or later" doesn't work for schannel and Secure Transport as it works with OpenSSL #2969

Closed
programuotojasgf opened this issue Sep 10, 2018 · 12 comments
programuotojasgf commented Sep 10, 2018

I did this

I'm using this option https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
For me it works as a specific-version setter: it does not go upwards, even if the server supports it. For example:
CURL_SSLVERSION_TLSv1 -> this default options works with 1.0 1.1 1.2 1.3 (probably future proof for 1.4 and so on)
CURL_SSLVERSION_TLSv1_0 -> this option only works with 1.0 . It fails with a server that only supports 1.1, 1.2 or 1.3

currently CURL_SSLVERSION_TLSv1 supports TLS 1.0 , 1.1 , 1.2 , 1.3
currently CURL_SSLVERSION_TLSv1_0 supports TLS 1.0
currently CURL_SSLVERSION_TLSv1_1 supports TLS 1.1
currently CURL_SSLVERSION_TLSv1_2 supports TLS 1.2
currently CURL_SSLVERSION_TLSv1_3 supports TLS 1.3

I expected the following

I expect CURL_SSLVERSION_TLSv1 to support TLS 1.0 , 1.1 , 1.2 , 1.3
I expect CURL_SSLVERSION_TLSv1_0 to support TLS 1.0 , 1.1 , 1.2 , 1.3
I expect CURL_SSLVERSION_TLSv1_1 to support TLS 1.1 , 1.2 , 1.3
I expect CURL_SSLVERSION_TLSv1_2 to support TLS 1.2 , 1.3
I expect CURL_SSLVERSION_TLSv1_3 to support TLS 1.3

curl/libcurl version

WinSSL -> libcurl/7.61.1-DEV WinSSL
and also
DarwinSSL(iOS) -> libcurl/7.61.1-DEV SecureTransport zlib/1.2.8

NOTE: Works as expected with openSSL, only works badly with WinSSL and darwinSSL(iOS)

operating system

Windows 10 Professional x64

@bagder bagder added the TLS label Sep 10, 2018
bagder commented Sep 10, 2018

Duplicate of #2691

This was fixed in #2694, released in curl 7.61.0

@bagder bagder closed this as completed Sep 10, 2018
@programuotojasgf
Author

This is not fixed. I've updated the issue to note that it works with OpenSSL but does not work with WinSSL.

@bagder bagder reopened this Sep 11, 2018
@bagder bagder changed the title TLS version option TLS version "or later" doesn't work for schannel as it works with OpenSSL Sep 11, 2018
@programuotojasgf programuotojasgf changed the title TLS version "or later" doesn't work for schannel as it works with OpenSSL TLS version "or later" doesn't work for schannel and Secure Transport as it works with OpenSSL Sep 13, 2018
@lietusme

Any timeframe when this could be expected to be fixed and released?

bagder commented Sep 17, 2018

No.

jay commented Sep 17, 2018

I can't reproduce this. What server are you having this problem with and what commit are you using? For example curl --tlsv1.0 -v https://github.com and I get a handshake version of 1.2 and a successful connection. Note for schannel we haven't enabled TLS 1.3 yet.

@danielgustafsson
Member

@jay is that with SChannel? With Secure Transport on git head I get failures to connect on --tlsv1.0 and --tlsv1.1; --tlsv1.2 and --tlsv1.3 both give me a 1.2 handshake and a successful connection?

jay commented Sep 17, 2018

@jay is that with SChannel?

Oops, yes. Not sure what's going on with Secure Transport; the code looks correct, but I don't run Mac. Check in Wireshark and see what it's sending for the handshake version in the failing case.

/cc @nickzman

@danielgustafsson
Member

I will do some digging tomorrow to see what's going on.

danielgustafsson added a commit to danielgustafsson/curl that referenced this issue Sep 18, 2018
Make the requested TLS version the minimum and allow for any higher
protocol in the negotiation, rather than capping the protocol version
to the requested. This fixes Secure Transport (darwinssl) to behave
like OpenSSL as it was changed in curl#2694 (reported in curl#2969).
@danielgustafsson
Member

I have a proposed bugfix for Secure Transport in #3010; please test that patch, @lietusme and @programuotojasgf.

jay commented Sep 18, 2018

My results yesterday were erroneous; I can reproduce this in schannel: curl --tlsv1.0 https://github.com shows a handshake of TLS 1.0. The only thing I can figure is that at the time something else must have made a connection to github, and I clicked on that ClientHello in Wireshark by mistake. It looks like all SSL backends except OpenSSL still use the old behavior of setting the requested SSL version as both the minimum and the maximum. This is addressed in #3012, which incorporates @danielgustafsson's fix.
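The two behaviours contrasted in this thread (the reporter's "currently" and "I expected" tables, and jay's summary that the non-OpenSSL backends treated the requested version as both minimum and maximum) can be modelled as a small negotiation function. The block below is an added illustration written for this page; it is not curl's code. The CURL_SSLVERSION_* names are the real libcurl constants, but the integer encoding of TLS versions, the server profile and the behaviour flag are constructed here. The practical point for defenders is that under the old semantics a CURL_SSLVERSION_TLSv1_0 request pinned the connection to TLS 1.0 even against a server that could do 1.2, whereas the "or later" semantics make the option a floor and let the server pick the highest mutual version.

```python
"""Model of CURLOPT_SSLVERSION semantics before and after the fix in this issue.

Added illustration for this page, not libcurl's own implementation.
"""

# TLS protocol versions as comparable integers (constructed encoding: 1.x -> 10 + x).
TLS1_0, TLS1_1, TLS1_2, TLS1_3 = 10, 11, 12, 13
ALL_VERSIONS = (TLS1_0, TLS1_1, TLS1_2, TLS1_3)

# Minimum version each CURLOPT_SSLVERSION value asks for. The option names are the
# real libcurl constants; mapping each to a floor is how the issue describes them.
REQUESTED_MINIMUM = {
    "CURL_SSLVERSION_TLSv1": TLS1_0,
    "CURL_SSLVERSION_TLSv1_0": TLS1_0,
    "CURL_SSLVERSION_TLSv1_1": TLS1_1,
    "CURL_SSLVERSION_TLSv1_2": TLS1_2,
    "CURL_SSLVERSION_TLSv1_3": TLS1_3,
}


def allowed_versions(option, or_later):
    """Versions the client offers in its ClientHello for `option`.

    or_later=True : "or later" behaviour (OpenSSL since #2694; other backends after #3012):
                    the requested version is only a floor.
    or_later=False: old behaviour of the non-OpenSSL backends reported here: TLSv1_x is
                    both floor and ceiling. Plain CURL_SSLVERSION_TLSv1 already meant
                    1.0 or later in both cases, as the reporter's "currently" table shows.
    """
    floor = REQUESTED_MINIMUM[option]
    if or_later or option == "CURL_SSLVERSION_TLSv1":
        return [v for v in ALL_VERSIONS if v >= floor]
    return [floor]


def negotiate(option, server_versions, or_later):
    """Version a well-behaved server picks (highest mutual), or None on handshake failure."""
    mutual = set(allowed_versions(option, or_later)) & set(server_versions)
    return max(mutual) if mutual else None


def version_name(version):
    """Human-readable label for a modelled version, or the failure outcome."""
    if version is None:
        return "handshake failure"
    return "TLS 1.%d" % (version - 10)


if __name__ == "__main__":
    # Constructed server profile: a host that has disabled TLS 1.0 and 1.1.
    server = (TLS1_2, TLS1_3)
    for opt in REQUESTED_MINIMUM:
        old = negotiate(opt, server, or_later=False)
        fixed = negotiate(opt, server, or_later=True)
        print("%-26s old: %-18s fixed: %s" % (opt, version_name(old), version_name(fixed)))
```

Running the block prints one line per option against the constructed server: under the old semantics only CURL_SSLVERSION_TLSv1, TLSv1_2 and TLSv1_3 connect, while with the "or later" semantics every option connects and the server settles on TLS 1.3.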

@jay jay closed this as completed in 2e5651a Sep 20, 2018
@lietusme

Thanks! I assume this fix will only be released in the October 31, 2018 timeframe? https://curl.haxx.se/dev/release-procedure.html

bagder commented Sep 21, 2018

@lietusme correct, but you can also verify/test/play with it using a daily snapshot.

@lock lock bot locked as resolved and limited conversation to collaborators Dec 20, 2018