TLS 1.3 support for GnuTLS #2971
Conversation
You will have to add all the new combinations because if TLS 1.3 is the max then we have that many more, so for example
Thanks. You're right @jay. Updating the patch right away. However, this will include more ifdefs to check for the correct version of GnuTLS.
It can't be done that way, what I'm saying is for example
those things now are different when the max default is 1.3. My suggestion is to break out those max defaults separately at the beginning of the file
and in that function handle the max defaults separately.
@jay Latest commit follows your suggestion.
It looks better but is still wrong. The CURL_SSLVERSION_MAX_TLSvxxx is different from CURL_SSLVERSION_MAX_DEFAULT. The former shouldn't change (e.g. CURL_SSLVERSION_MAX_TLSv1_2 is always TLS 1.2) but the latter should if TLS 1.3 is enabled. That is why I suggest handling the MAX_DEFAULT cases separately after the MAX_TLS ones; it should be easiest to read, for example case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_2:
@jay Now I get what you mean. PR updated.
Thanks!
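The MAX_DEFAULT versus MAX_TLSvX distinction discussed above, shown as an added C example that is not code from the curl PR: the CURLOPT_SSLVERSION value is unpacked into a minimum and maximum, MAX_DEFAULT is resolved to the newest version the build supports before the fixed MAX_TLSvX values are checked, and the result is a GnuTLS priority-string fragment. The enum values are assumed to match curl's public curl.h; the function names and the exact fragment layout are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Values assumed to mirror curl/curl.h: the minimum version sits in the low
 * 16 bits of CURLOPT_SSLVERSION, the maximum (shifted) in the high 16 bits. */
enum { CURL_SSLVERSION_DEFAULT = 0, CURL_SSLVERSION_TLSv1 = 1,
       CURL_SSLVERSION_TLSv1_0 = 4, CURL_SSLVERSION_TLSv1_1 = 5,
       CURL_SSLVERSION_TLSv1_2 = 6, CURL_SSLVERSION_TLSv1_3 = 7 };
enum { CURL_SSLVERSION_MAX_NONE = 0,
       CURL_SSLVERSION_MAX_DEFAULT = CURL_SSLVERSION_TLSv1 << 16,
       CURL_SSLVERSION_MAX_TLSv1_2 = CURL_SSLVERSION_TLSv1_2 << 16,
       CURL_SSLVERSION_MAX_TLSv1_3 = CURL_SSLVERSION_TLSv1_3 << 16 };

/* Builds "-VERS-ALL:+VERS-TLS1.x:..." enabling every version from min to max.
 * MAX_DEFAULT is resolved to the newest supported version up front, so
 * MAX_TLSv1_2 always means TLS 1.2 while MAX_DEFAULT follows TLS 1.3 support.
 * Returns 0 on success, -1 when the requested range cannot be honoured. */
int gtls_version_range(long sslver, int tls13_available, char *out, size_t outlen)
{
    static const char *tok[] = { "+VERS-TLS1.0", "+VERS-TLS1.1",
                                 "+VERS-TLS1.2", "+VERS-TLS1.3" };
    int highest = tls13_available ? CURL_SSLVERSION_TLSv1_3 : CURL_SSLVERSION_TLSv1_2;
    int min = (int)(sslver & 0xffff);
    int max = (int)((sslver >> 16) & 0xffff);
    size_t used;

    /* DEFAULT/TLSv1 mean "TLS 1.0 or newer"; MAX_NONE/MAX_DEFAULT mean "newest available". */
    if (min == CURL_SSLVERSION_DEFAULT || min == CURL_SSLVERSION_TLSv1)
        min = CURL_SSLVERSION_TLSv1_0;
    if (max == CURL_SSLVERSION_MAX_NONE || max == (CURL_SSLVERSION_MAX_DEFAULT >> 16))
        max = highest;

    /* Reject SSLv2/SSLv3, inverted ranges and TLS 1.3 on a build without it. */
    if (min < CURL_SSLVERSION_TLSv1_0 || max > highest || min > max)
        return -1;

    used = (size_t)snprintf(out, outlen, "-VERS-ALL");
    if (used >= outlen)
        return -1;
    for (int v = min; v <= max; v++) {
        int n = snprintf(out + used, outlen - used, ":%s", tok[v - CURL_SSLVERSION_TLSv1_0]);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;               /* output buffer too small */
        used += (size_t)n;
    }
    return 0;
}

/* Convenience wrapper returning the fragment from a static buffer (NULL on error). */
const char *gtls_version_range_str(long sslver, int tls13_available)
{
    static char buf[96];
    return gtls_version_range(sslver, tls13_available, buf, sizeof buf) == 0 ? buf : NULL;
}
```

With TLS 1.3 available, TLSv1_2 | MAX_DEFAULT yields "-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" while TLSv1_2 | MAX_TLSv1_2 stays at "-VERS-ALL:+VERS-TLS1.2".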
Thank you for that. Note that this does not enable post-handshake authentication, and thus re-authentication will fail under HTTPS (I'm not sure if PHA is relevant for other protocols). That's a tricky use-case used by Apache mostly. Tried something quick and dirty (listed below) and made up my mind to simplify that re-authentication support in GnuTLS (https://gitlab.com/gnutls/gnutls/issues/571 )
It is really a quick hack (seeing the complexity in
Test against TLS 1.3 servers (without any arguments):
./src/curl -v https://tls13.crypto.mozilla.org/
Test against a TLS 1.3 server with explicit TLS 1.3:
./src/curl -v --tlsv1.3 https://tls13.crypto.mozilla.org/
Test with a TLS 1.2 server without any argument (to check for regressions):
./src/curl -v https://www.google.mu/