Open Gankra opened 11 months ago
I tried it on debian oldoldstable (which has a too old glibc to even run cargo-dist 0.3.0 :D) and it works just fine. curl added TLS 1.3 all the way back in 2018 before it was standardized. https://daniel.haxx.se/blog/2018/03/27/play-tls-1-3-with-curl/
This seems pointless to bother with. I created #978 to remove this entirely. TLS should be negotiated for the highest supported version first and downgraded when it's unsupported.
--tlsv1.2
indicates that TLSv1.2 or higher must be used. Changing this to --tlsv1.3
will force TLSv1.3 or higher to be used, which Github is known to support. If for some reason TLSv1.2 or lower is negotiated that either means that curl didn't support TLSv1.3 (if that is the case your curl version is likely old enough to be vulnerable to known security issues anyway, so erroring out in this case is completely reasonable IMO) or there is a MITM attacker trying to downgrade to a lower TLS version to exploit a cryptographic issue, in which case you definitively want to error out. Now TLSv1.3 should have protection against downgrade attacks when the client is TLSv1.3 capable and downgrading to anything lower than TLSv1.2 shouldn't be possible as Github rejects connections with TLSv1.1 and lower. As such --tlsv1.2
probably doesn't provide any benefit for connecting to Github or any other site which requires TLSv1.2 or higher. --tlsv1.3
may potentially provide marginal benefit against future attacks, though probably not a whole lot given the downgrade protection mechanism of TLSv1.3.
Disclaimer: Not a cryptographer or by any other means expert on this.
If TLS 1.3 support isn't compiled into your cURL binary, that would then fail. This should be up to the endpoint to determine which TLS version to use/support. cURL provides for a way to downgrade if necessary.
We inherited the flags to force a minimum of tls 1.2 and https from rustup, where they were introduced to prevent redirects from ever downgrading the security: https://github.com/rust-lang/rustup/pull/1716
So in both of these cases, being able to negotiate downgrades was viewed as an anti-feature.
We currently emit curl-sh exprs of the form:
This was inherited from https://rustup.rs/ although we added the extra
-L
(iirc required to chase redirects from github).It has been suggested we should update this to tlsv1.3 -- I'm not really a tls/interop expert, so feedback welcome.