Ensure TLS 1.3 works with GnuTLS #5223
dbussink wants to merge 1 commit into curl:master from dbussink:fix-gnutls-tls13
Conversation
When SRP is requested in the priority string, GnuTLS will disable support for TLS 1.3. Before this change, curl would always add +SRP to the priority list, effectively always disabling TLS 1.3 support. With this change, +SRP is only added to the priority list when SRP authentication is also requested. This also allows updating the error handling here to not have to retry without SRP. This is because SRP is only added when requested and in that case a retry is not needed.
dbussink left a comment:
I originally discovered this problem while trying to debug why git on the upcoming Ubuntu 20.04 release was only connecting over TLS 1.2 to GitHub.com, even though GitHub.com supports TLS 1.3.
Ubuntu compiles with OpenSSL normally for the command line curl where TLS 1.3 worked fine, but it didn't for the GnuTLS library version that is also provided and used by git.
Review comment on the diff context:

    free(prioritysrp);

    if((rc == GNUTLS_E_INVALID_REQUEST) && err) {
      infof(data, "This GnuTLS does not support SRP\n");
I've kept this message here so it's shown in the same circumstances, but now only when SRP is explicitly requested.
Running this locally against a TLS 1.3 only site:
Missed adding a link to the GnuTLS documentation where it's stated that requesting SRP will disable TLS 1.3: https://www.gnutls.org/manual/gnutls.html#Authentication-using-SRP

Thanks!
Building using cmake got an issue in testing:

[043] box-tap/curlgh-5223-curl-exports.test.lua [ fail ]
[043] Test failed! Output from reject file box-tap/curlgh-5223-curl-exports.reject:
[043]
[043] Last 15 lines of Tarantool Log file [Instance "app_server"][/build/usr/src/debug/tarantool-2.6.0.54/test/var/043_box-tap/curlgh-5223-curl-exports.test.lua.tarantool.log]:
[043] LuajitError: ...tool-2.6.0.54/test/box-tap/curlgh-5223-curl-exports.test.lua:57: tarantool: undefined symbol: curl_version_info

It happened because curl used visibility hiding mode for its symbols and the test could not use it. To fix it, symbol hiding was disabled for gcc and clang.

Closes tarantool/tarantool#5268