-
-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SChannel TLS 1.3 support #8419
Conversation
@jay @MarcelRaad please give this PR a glance! |
break; | ||
} | ||
else { /* Windows 10 and older */ | ||
failf(data, "schannel: TLS 1.3 not supported on Windows prior to 11"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, could this be moved to where an actual error occurs? I like the clear error message, but if someone actually wants to use TLS 1.3 on Windows 10 or whatever other OS, why prevent them from doing so?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, SChannel is inherently tied to the version of Windows. And Windows 11 / Windows 2022 is when TLS 1.3 was introduced as a finished feature (yes, there were buggy registry-enabled versions in the later Windows 10 builds).
So, if a user explicitly requests TLS 1.3 on a version of Windows that doesn't support it then they will get an error ASAP.
However, the max TLS version will be set correctly at runtime (if not set by the user). See: https://github.com/curl/curl/pull/8419/files#diff-518f418eae7110255d54ce052e3f17412cfc2289fd2c31cded6fec437ee58333R201
If you're talking about Windows emulators, then that's a whole other bag of worms. But if they're emulating correctly (accurately) then they should have the exact same behavior as Windows.
Looks good to me now except for the build break with Visual Studio 2008 (see AppVeyor), and I'd feel more comfortable if we had our MinGW CI on Azure Pipelines back up before merging. |
We need to investigate why it's necessary to set pDisabledCrypto, that does not make sense to me. It seems as though the MS TLS 1.3 support is half baked if it requires explicitly disabling certain TLS 1.3 algorithms. |
"This branch cannot be rebased due to conflicts" Please rebase (and feel free to squash into fewer commits) and force-push to this branch. |
@bagder Merged with upstream "master". Should be good to go. |
We rebase and do a clean and "straight" commit history when we merge. So it needs to rebase without conflict. |
Ok. I gotta be honest, at our company we merge PRs with full history, so I have little experience with the git magic in re-writing the history. And the git docs are as clear as mud on this point. So, if I have time at the end of today I'll work on it. Otherwise I'll work on it sometime next week. |
I still think one of us familiar with Windows should investigate this before landing. Basically we need to know how Windows 10 and 11 TLS 1.3 behaves without explicitly disabling any ciphers. |
Microsoft distribute curl.exe with SChannel with Windows 10, pehaps they can help curl team ! |
@bagder @jay Should I do the work of squashing the commits so it can be merged? Or should I wait for more reviews by other users? I'm getting mixed signals. Does this work by adding TLS 1.3 to curl with SChannel? Yes. (We're using it in production right now). Does this use all the publicly available documentation and implement it based on that? Also, yes. Is the SChannel API a black-box with shitty public documentation? Also, yes. |
Please squash. If you run into squash errors that look time consuming then try working from a temporary branch based off of upstream/master. git fetch upstream I'm assuming in this example that remotes upstream => curl/curl and origin => wyattoday/curl |
@wyattoday @jay any update on this :)? |
This will be wonderfull if this feature can be included in next version @wyattoday |
Sorry, been super busy. I’ll get to this end of next week. |
I own schannel. There is no need to disable algorithms. Unsupported cipher suites, etc., obviously, won't get negotiated. |
You work at MS?
Do you happen to have a link (or a reference to any public documentation) that says as much? The docs I’ve read are all public (obviously — I don’t work at MS) and suggest the opposite. But I would happy to be proven wrong (because it makes more sense for the way I’ve implemented it right now to be the wrong way). It’s not that I don’t believe you, it’s just that it would better to have canonical sources that can be referred to rather than (a) guesses (b) referencing other source code examples {what I did here} or (c) lore passed down in mailing lists and issues trackers. |
I fixed 2 bugs in the code since I said it was ready to merge.
Again, looks good to my eyes. It's being used in production here. It's ready for additional review and/or merging. |
The Visual Studio 2008 and classic MinGW compilation failures are a problem. There were fixes for them in #8927. |
1dfa735
to
ec17f79
Compare
@MarcelRaad Fixed the VS2008 / MingW issues. Passed all the compilation and relevant tests (there seems to be bugs in CI configuration on some tests unrelated to any changes in this PR). Just squashed it into a single commit to be ready for merge with "main". Any other comments or review are welcomed. Ready for merge otherwise. |
…TLS13_CIPHERS` option).
Just updated the docs as well. So, if no further comments, this is ready to merge as-is without requiring any additional work. The only thing to be aware of is that in If that's not that case then that will have to be changed. |
@wyattoday @bagder Any comments for this merge request? Pretty excited to have this feature in git bash. |
For me, this PR is correct |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm still not sure about the Windows version check if the user has explicitly requested TLS 1.3. I don't have a strong opinion about that though. Other than that, it looks good to me now!
LGTM. CI failures are unrelated and being addressed in other PRs. Thanks! |
@Andrei-Popov can you ask people who package the c:\Windows\System32\curl.exe build packaged with Windows 11/2022 update it to curl 7.85 when it'll be released? regards |
Add SChannel TLS 1.3 support to curl / libcurl. This is a rework of the previous SChannel TLS 1.3 PR, built on curl-main, and finishing the remaining TODO.
This adds TLS 1.3 support for versions of Windows that support it at runtime. No-need for compile-time shenanigans.
Also, added a new define to disable optional code:
DISABLE_SCHANNEL_CLIENT_CERT
(reduces compiled code size if that feature is not needed in the vein of tinycurl).SChannel currently only supports the following ciphers:
The following are not currently supported (but also not negotiated):
And
TLS_CHACHA20_POLY1305_SHA256
is supported, but disabled by default in Windows (it can be enabled).In addition to all the code required to add this, I've also modified the "SSL Ciphers" and "CURLOPT_TLS13_CIPHERS explained" docs to add the new options and document when the functionality was introduced.