rust-lang / rustup

The Rust toolchain installer
https://rust-lang.github.io/rustup/
Apache License 2.0

rustup TLS warning with newer curl versions (v8.10.0+) #4045

Closed SergioSierraJr closed 1 week ago

SergioSierraJr commented 1 week ago

Verification

Problem

Basically, from what I was told by a user on the Discord server, rustup's check depends on the help text, which has apparently changed, so it doesn't see the TLS flag as a possibility. This is an issue with curl because of how it changed.

Steps

  1. Run curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
  2. That's it; you just get the following error messages when you run the script:
    Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure
    Warning: Not enforcing TLS v1.2, this is potentially less secure

Possible Solution(s)

Though not a solution, running this before running the script appears to fix the issue:

export RUSTUP_TLS_CIPHERSUITES="TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"

Notes

Apparently, the commit that caused this issue was https://github.com/curl/curl/commit/9a0cf56471c1a90706e9710ce46d23315e716c10#diff-c7bff4c78be0ebe9d665d8a58b8794215b1b679d6e6719616e1738f1d6ca6570L53

Rustup version

Affects curl versions 8.10.0 and above

Installed toolchains

Nonapplicable, first time installing.

OS version

Alpine 8.20

rami3l commented 1 week ago

@SergioSierraJr Thanks for filing this issue! Yes, we're using --help output since it's the easiest way so far to check whether a flag is supported:

https://github.com/rust-lang/rustup/blob/a497b15550c39a302e439d821c160116a7505a28/rustup-init.sh#L641-L645

If I understand you correctly, did you mean this filter is too narrow?

https://github.com/rust-lang/rustup/blob/a497b15550c39a302e439d821c160116a7505a28/rustup-init.sh#L709

... if so then indeed, I think '"--help all"' would suffice.
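
The help-text check discussed above, as an added example (not part of the issue thread and not rustup's own code): it shows how an exact-sentence filter stops finding the full option list once the help wording changes, while matching only "--help all" still works. The fake_* tools, their help text, and the names help_has_flags, tls_decision, NARROW and BROAD are all constructed for illustration.

```shell
#!/bin/sh
# Added example. The fake_* functions stand in for a curl-like tool; all help
# text below is constructed for illustration and is not real curl output.

fake_old() {   # short help points to "--help all" with one fixed sentence
    if [ "$2" = all ]; then
        printf '%s\n' ' -o, --output <file>' '     --ciphers <list>' '     --tlsv1.2'
    else
        printf '%s\n' ' -o, --output <file>' 'For all options use "--help all".'
    fi
}

fake_new() {   # same pointer, reworded: an exact-sentence match no longer hits
    if [ "$2" = all ]; then
        printf '%s\n' ' -o, --output <file>' '     --ciphers <list>' '     --tlsv1.2'
    else
        printf '%s\n' ' -o, --output <file>' 'Run "--help all" to list every option.'
    fi
}

fake_flat() {  # tool without help categories: plain --help lists everything
    printf '%s\n' ' -o, --output <file>' '     --tlsv1.2'
}

NARROW='For all options use "--help all".'  # whole-sentence filter (constructed)
BROAD='"--help all"'                        # shorter filter suggested in the thread

# help_has_flags MARKER CMD FLAG...
# Returns 0 only if every FLAG appears in CMD's help text. If the short help
# contains MARKER, the full option list is read from "CMD --help all" instead.
help_has_flags() {
    hf_marker=$1; hf_cmd=$2; shift 2
    if "$hf_cmd" --help | grep -qF -- "$hf_marker"; then
        hf_help=$("$hf_cmd" --help all)
    else
        hf_help=$("$hf_cmd" --help)
    fi
    for hf_flag in "$@"; do
        printf '%s\n' "$hf_help" | grep -qF -- "$hf_flag" || return 1
    done
}

# tls_decision MARKER CMD: what an installer relying on the check would do.
tls_decision() {
    if help_has_flags "$1" "$2" --tlsv1.2; then echo enforce; else echo warn; fi
}

for tool in fake_old fake_new fake_flat; do
    echo "${tool}: narrow=$(tls_decision "$NARROW" "$tool") broad=$(tls_decision "$BROAD" "$tool")"
done
```

The "warn" result for fake_new under the narrow filter corresponds to the "Not enforcing TLS v1.2" warning reported in the issue: the flag exists, but the check never looks at the full option list.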

rami3l commented 1 week ago

@rustbot claim