Added flags CURL_SSLVERSION_OR_UP_TO_* to CURLOPT_SSLVERSION #1166
Conversation
OR_UP_TO doesn't seem too intuitive, why not something like --tlsmin 1.0 --tlsmax 1.2
Yeah, max sounds better to my ears as well rather than "or_up_to". I think that if
Right. --tlsv* is treated as the minimum. For the tool I will rewrite args "up-to-tlsv1.2,..." as --tlsmax 1.2. Do you want to refactor the names of the flags too? Like CURL_SSLVERSION_OR_UP_TO_TLSv1.2 => CURL_SSLVERSION_MAX_TLSv1.2
Yes,
docs/cmdline-opts/tls-max.d
Outdated
Use up to TLSv1.2 . The supported minimum is tlsv1.0 or tlsv1.1. | ||
.IP "1.3" | ||
Use up to TLSv1.3 . The supported minimum is tlsv1.0 or tlsv1.1 or tlsv1.2. | ||
.RE |
Do I understand it correctly that minimum and maximum cannot be set to the same value? Why?
Yes, it is supported. But it is weird to use tls-max with tlsvX.Y when you want just tlsvX.Y. If you wish I can add this option to the documentation.
I would drop all the "The supported minimum is ..." sentences from the particular options. The statement above says it clearly enough in a generic way. The fact that the minimum enabled TLS version cannot be higher than the maximum enabled TLS version is obvious. Also the space before comma appears disruptive to me.
I agree - removed sentences.
lib/vtls/darwinssl.c
Outdated
switch(ssl_version) { | ||
case CURL_SSLVERSION_TLSv1_0: | ||
return set_ssl_version_up_to(conn, sockindex, ssl_version, | ||
CURL_SSLVERSION_OR_UP_TO_TLSv1_0); |
Why do you recursively call the function? Would it not be enough to (re)assign ssl_version_up_to and continue the execution?
I agree. I will rewrite it as you suggest.
Hi Kamil.
On Monday, January 16, 2017 05:54:11 Jozef Kralik wrote:
Is it ok, now?
Not yet. Please rebase your branch on top of current upstream master branch.
I have also a few review comments that I will attach to the code directly...
docs/curl.1
Outdated
Use up to TLSv1.3 . The supported minimum is tlsv1.0 or tlsv1.1 or tlsv1.2. | ||
.RE | ||
|
||
See also \fI--tlsv1.0\fP and \fI--tlsv1.1\fP and \fI--tlsv1.2\fP. \fI--tls-max\fP requires that the underlying libcurl was built to support TLS. Added in 7.53.0. |
Please break the line such that it does not exceed 79 columns, according to:
https://github.com/curl/curl/blob/master/docs/CODE_STYLE.md
docs/curl.1 is a document generated by the command: docs/cmdline-opts/gen.pl mainpage
@@ -50,6 +50,18 @@ TLSv1.1 (Added in 7.34.0) | |||
TLSv1.2 (Added in 7.34.0) | |||
.IP CURL_SSLVERSION_TLSv1_3 | |||
TLSv1.3 (Added in 7.52.0) | |||
.IP CURL_SSLVERSION_MAX_DEFAULT | |||
Use as flag with CURL_SSLVERSION_TLSv1_x and behavior is same as | |||
CURL_SSLVERSION_MAX_TLSv1_2. |
Why is CURL_SSLVERSION_MAX_DEFAULT the same as CURL_SSLVERSION_MAX_TLSv1_2? How would one ask libcurl to set the maximum TLS version to the TLS library default?
I looked at the libraries and they are of three kinds:
- supports getting/setting the default maximum: nss
- maximum is not determined: openssl, gnutls, mbedtls
- doesn't support it: darwinSSL, polarssl, gskit
For 1. the default is determined by the library.
For 2. what is the default? e.g.: the library supports TLSv3, but TLSv2 is recommended at this time.
For 3. the default must be determined by us.
My suggestion:
For 1. Function <Curl_ssl_evaluate_version_max> (renamed retrieve_ssl_version_max) calls function <Curl_ssl_get_default_max_version> that returns CURL_SSLVERSION_MAX_TLSvX for the particular ssl library.
For 2. I suggest using the behavior as in point 3.
For 3. <Curl_ssl_get_default_max_version> returns CURL_SSLVERSION_MAX_TLSv1_2.
What do you think?
Even if NSS was the only library that currently allows one to set sslver.max to the TLS library default, it is still worth having this feature exposed via the libcurl API. We can hard-code it to TLSv1.2 for other libraries now and eventually implement propagation of the flag once other libraries introduce a similar API.
However, it needs to be hard-coded in the libcurl implementation, not in its API/ABI. If both CURL_SSLVERSION_MAX_DEFAULT and CURL_SSLVERSION_MAX_TLSv1_2 were mapped to the same constant in the libcurl API/ABI, it would be nearly impossible to change the default later on.
Now, CURL_SSLVERSION_MAX_DEFAULT is a separate value and every library must serve CURL_SSLVERSION_MAX_DEFAULT itself (NSS via SSL_VersionRangeGetDefault and the others as CURL_SSLVERSION_MAX_TLSv1.2).
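To show the option encoding and default handling debated above (a packed minimum in the low 16 bits and a maximum flag in the high 16 bits, MAX_DEFAULT as its own tag resolved per backend, and the bounded array fill requested in the gtls review), here is an added example that is not curl's code. All constants are stand-ins, and fill_proto_list, proto_at and backend_default_max are hypothetical names.

```c
/* Added example (not curl's code). The version numbers and the 16-bit
 * split are stand-ins modelled on the curl.h hunk; real values differ. */
#include <stddef.h>

enum { TLSV1_0 = 1, TLSV1_1 = 2, TLSV1_2 = 3, TLSV1_3 = 4, VER_LAST = 5 };

#define MAX_OF(v)   ((long)(v) << 16)   /* maximum flag: upper 16 bits */
#define MAX_NONE    0L                  /* no maximum given: max == min */
#define MAX_DEFAULT MAX_OF(VER_LAST)    /* own tag, resolved by the backend */
#define GET_MIN(x)  ((x) & 0xffffL)
#define GET_MAX(x)  ((x) & 0xffff0000L)

/* Expand the packed option into the list of backend protocol ids from min to
 * max, writing at most 'cap' entries. Returns the count, or -1 for an invalid
 * range or an array that is too small (the check the gtls review asked for). */
int fill_proto_list(long opt, int backend_default_max, int *out, size_t cap)
{
  long min = GET_MIN(opt), max = GET_MAX(opt), v;
  size_t n = 0;

  if(min < TLSV1_0 || min >= VER_LAST)
    return -1;
  if(max == MAX_NONE)              /* compare the flag BEFORE shifting, */
    max = min;                     /* otherwise MAX_DEFAULT is never seen */
  else if(max == MAX_DEFAULT)
    max = backend_default_max;     /* whatever the TLS library says today */
  else
    max >>= 16;
  if(max < min || max >= VER_LAST)
    return -1;

  for(v = min; v <= max; v++) {
    if(n >= cap)                   /* never write past the caller's array */
      return -1;
    out[n++] = (int)v;
  }
  return (int)n;
}

/* Returns the protocol id at position idx of the expanded list, or -1. */
int proto_at(long opt, int backend_default_max, size_t idx)
{
  int buf[VER_LAST];
  int n = fill_proto_list(opt, backend_default_max, buf, VER_LAST);
  return (n > 0 && idx < (size_t)n) ? buf[idx] : -1;
}
```

Because MAX_DEFAULT is a distinct tag rather than an alias of one version, changing what backend_default_max returns changes the effective maximum without touching the packed value an application compiled in.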
include/curl/curl.h
Outdated
#define GET_CURL_SSLVERSION(x) (x & 0xffff) | ||
#define GET_CURL_SSLVERSION_MAX(x) (x & 0xffff0000) | ||
#define SET_CURL_SSLVERSION_MAX(x, val) \ | ||
CURL_SSLVERSION_MAX_##x = (val << 16) |
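Review bot: The macro arguments in this hunk are not parenthesised, so `GET_CURL_SSLVERSION(a | b)` and `SET_CURL_SSLVERSION_MAX(x, a + b)` expand with the wrong precedence (`a | b & 0xffff`, `a + b << 16`). Wrap each use of `x` and `val` in parentheses, e.g. `((x) & 0xffff)` and `((val) << 16)`, as is usual for macros in a public header.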
You are changing a public header file. All the defines you introduce need to start with the CURL prefix.
Fixed
include/curl/curl.h
Outdated
SET_CURL_SSLVERSION_MAX(TLSv1_3, 4), | ||
|
||
SET_CURL_SSLVERSION_MAX(LAST, 5), /* never use, keep last */ | ||
SET_CURL_SSLVERSION_MAX(DEFAULT, 3) /* = ..._OR_UP_TO_TLSv1_2 */ |
Looks wrong to me. If we changed the default in libcurl later on, all dependent software would need to be recompiled for the change to take effect. You need to assign a separate value for CURL_SSLVERSION_MAX_DEFAULT so that a rebuild of (dynamically linked) libcurl is sufficient to change the default.
lib/vtls/ssl_hlp.c
Outdated
} | ||
} | ||
return ssl_version_max_default; | ||
} |
Why are you introducing a new module for the helper function? It could be added to the vtls module, which all the crypto backends use already. To be honest, I am not convinced that such a helper function simplifies the code anyhow. At least in the nss backend it does not seem to be the case.
lib/vtls/nss.c
Outdated
} | ||
return CURLE_OK; | ||
} | ||
|
This drastically increases the code complexity, which is unnecessary IMO. I will propose a better approach once the API issues (namely CURL_SSLVERSION_MAX_DEFAULT) are resolved.
CURL_SSLVERSION_MAX_DEFAULT is now a separate value and for NSS it uses the maximum version from SSL_VersionRangeGetDefault. For other libraries it is CURL_SSLVERSION_MAX_TLSv1.2.
With this patch the user/developer can set up the range of TLS versions that he wants to be supported by curl/libcurl.
CURL_SSLVERSION_OR_UP_TO_NONE, CURL_SSLVERSION_OR_UP_TO_FIRST, CURL_SSLVERSION_OR_UP_TO_TLSv1_0
With this patch the user/developer can set up the range of TLS versions that he wants to be supported by curl/libcurl.
For NSS it sets the enabled maximum version of this library. For the others it sets CURL_SSLVERSION_MAX_TLSv1.2
Hello folks. I dropped Curl_ssl_retrieve_version_max and simplified the code similarly to what Kamil did for the other backends.
value from SSL library. Only library NSS currently allows to get | ||
maximum supported TLS version. | ||
(Added in 7.53.0) | ||
.IP CURL_SSLVERSION_MAX_TLSv1_1 |
Documentation for CURL_SSLVERSION_MAX_TLSv1_0 is missing.
Fixed
value from SSL library. Only library NSS currently allows to get | ||
maximum supported TLS version. | ||
(Added in 7.53.0) | ||
.IP CURL_SSLVERSION_MAX_TLSv1_1 |
Same here. Documentation for CURL_SSLVERSION_MAX_TLSv1_0 is missing.
Fixed
src/tool_paramhlp.c
Outdated
size_t i = 0; | ||
if(!str) | ||
return PARAM_REQUIRES_PARAMETER; | ||
for(i = 0; i < sizeof(tls_max_array)/sizeof(tls_max_array[i]); i++) { |
sizeof(tls_max_array)/sizeof(tls_max_array[0])
good point :)
lib/vtls/darwinssl.c
Outdated
if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) { | ||
ssl_version_max = ssl_version; | ||
} | ||
|
Should we not handle CURL_SSLVERSION_MAX_DEFAULT at this point?
Fixed
This is interesting work, btw why not make the tls version a bit-mask instead of min-max, so it would be possible to do things like '--tlsv1.0 --tlsv1.2' for example.
lib/vtls/gtls.c
Outdated
@@ -375,6 +375,98 @@ static gnutls_x509_crt_fmt_t do_file_type(const char *type) | |||
return -1; | |||
} | |||
|
|||
#ifndef USE_GNUTLS_PRIORITY_SET_DIRECT | |||
static CURLcode | |||
set_ssl_version_min_max(int *protocol_priority, struct connectdata *conn) |
This can lead to stack overflow if new TLS versions were added later on but the size of the array not updated. Please make set_ssl_version_min_max() take the size of the array as an argument and let it check the boundaries before writing to that array.
Fixed
lib/vtls/gtls.c
Outdated
case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT: | ||
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" | ||
"+VERS-TLS1.2:" GNUTLS_SRP; | ||
break; |
I guess we should fail by default instead of pretending success.
By default the function returns CURLE_SSL_CONNECT_ERROR
lib/vtls/mbedtls.c
Outdated
CURLcode result = CURLE_OK; | ||
long ssl_version = SSL_CONN_CONFIG(version); | ||
long ssl_version_max = SSL_CONN_CONFIG(version_max) >> 16; | ||
if(ssl_version_max == CURL_SSLVERSION_MAX_NONE) { |
The check is not going to work as expected because ssl_version_max is already shifted. You might also want to handle CURL_SSLVERSION_MAX_DEFAULT at this point.
Fixed
On Friday, February 03, 2017 07:52:53 Isaac Boukris wrote:
This is interesting work, btw why not make the tls version a bit-mask instead of min-max, so it would be possible to do things like '--tlsv1.0 --tlsv1.2' for example. Is that the control that the tls api / protocol allows?
I will let TLS experts answer your question regarding the protocol itself. I know that NSS uses the min/max range and so does Firefox, for example. It might be difficult to find a real world use case for a more complex API than the version range IMO.
Kamil
fix of using CURL_SSLVERSION_MAX_DEFAULT
On Fri, Feb 3, 2017 at 6:12 PM, Kamil Dudka <notifications@github.com> wrote:
On Friday, February 03, 2017 07:52:53 Isaac Boukris wrote:
> This is interesting work, btw why not make the tls version a bit-mask instead of min-max, so it would be possible to do things like '--tlsv1.0 --tlsv1.2' for example. Is that the control that the tls api / protocol allows?
I will let TLS experts answer your question regarding the protocol itself. I know that NSS uses the min/max range and so does Firefox, for example. It might be difficult to find a real world use case for a more complex API than the version range IMO.
Makes sense, thanks.
Looks good to me. Thanks for all the fixes! As it is two weeks after devel freeze now, I propose to wait till
I have squashed the commits and rebased against latest upstream. The result is available in the Are we ready to merge this upstream?
Hi Kamil. Do we want to set version "7.53.0" in the documentation (and not "7.54.0")?
Good point.
I created a patch (attached) to fix it for https://github.com/kdudka/curl/tree/tls-max. and I agree with the merge. 0001-fixup-docs-set-right-version-for-specify-range-of-en.txt
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as the --tls-max option of the curl tool. Closes curl#1166
Thanks for the update! I have squashed all the fixup commits: @bagder are you fine with merging it upstream as it is?
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as the --tls-max option of the curl tool. Closes curl#1166
Rebased on top of upstream.
LGTM, ready to merge. When merged, this will make the next release truly become "7.54.0"
I have appended one more fixup to sync packages/OS400/curl.inc.in: kdudka@e8ef23d9
With this patch the user/developer can set up the range of TLS versions that he wants to be supported by curl/libcurl.
curl: curl --tlsv1.1 --up-to-tls-default https://www.google.com
libcurl: curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1.1 | CURL_SSLVERSION_OR_UP_TO_DEFAULT);