search

axodotdev / cargo-dist

📦 shippable application packaging
https://axodotdev.github.io/cargo-dist/
Apache License 2.0
1.47k stars 64 forks source link

bump curl-sh exprs to tls 1.3? #457

Open Gankra opened 11 months ago

Gankra commented 11 months ago

We currently emit curl-sh exprs of the form:

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.3.0/cargo-dist-installer.sh | sh

This was inherited from https://rustup.rs/ although we added the extra -L (iirc required to chase redirects from github).

It has been suggested we should update this to tlsv1.3 -- I'm not really a tls/interop expert, so feedback welcome.

Noratrieb commented 11 months ago

I tried it on debian oldoldstable (which has a too old glibc to even run cargo-dist 0.3.0 :D) and it works just fine. curl added TLS 1.3 all the way back in 2018 before it was standardized. https://daniel.haxx.se/blog/2018/03/27/play-tls-1-3-with-curl/

bengaywins commented 4 months ago

This seems pointless to bother with. I created #978 to remove this entirely. TLS should be negotiated for the highest supported version first and downgraded when it's unsupported.

bjorn3 commented 4 months ago

--tlsv1.2 indicates that TLSv1.2 or higher must be used. Changing this to --tlsv1.3 will force TLSv1.3 or higher to be used, which Github is known to support. If for some reason TLSv1.2 or lower is negotiated that either means that curl didn't support TLSv1.3 (if that is the case your curl version is likely old enough to be vulnerable to known security issues anyway, so erroring out in this case is completely reasonable IMO) or there is a MITM attacker trying to downgrade to a lower TLS version to exploit a cryptographic issue, in which case you definitively want to error out. Now TLSv1.3 should have protection against downgrade attacks when the client is TLSv1.3 capable and downgrading to anything lower than TLSv1.2 shouldn't be possible as Github rejects connections with TLSv1.1 and lower. As such --tlsv1.2 probably doesn't provide any benefit for connecting to Github or any other site which requires TLSv1.2 or higher. --tlsv1.3 may potentially provide marginal benefit against future attacks, though probably not a whole lot given the downgrade protection mechanism of TLSv1.3.

Disclaimer: Not a cryptographer or by any other means expert on this.

bengaywins commented 4 months ago

If TLS 1.3 support isn't compiled into your cURL binary, that would then fail. This should be up to the endpoint to determine which TLS version to use/support. cURL provides for a way to downgrade if necessary.

Gankra commented 4 months ago

We inherited the flags to force a minimum of tls 1.2 and https from rustup, where they were introduced to prevent redirects from ever downgrading the security: https://github.com/rust-lang/rustup/pull/1716

So in both of these cases, being able to negotiate downgrades was viewed as an anti-feature.