mirror of
https://github.com/moparisthebest/curl
synced 2024-12-23 16:48:49 -05:00
setopt: add TLS 1.3 ciphersuites
Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS. curl: added --tls13-ciphers and --proxy-tls13-ciphers Fixes #2435 Reported-by: zzq1015 on github Closes #2607
This commit is contained in:
parent
5005ade2ce
commit
050c93c46f
@ -142,6 +142,16 @@ libcurl was built to use. This is an attempt to list known cipher names.
|
|||||||
`ECDHE-RSA-CAMELLIA128-SHA256`
|
`ECDHE-RSA-CAMELLIA128-SHA256`
|
||||||
`ECDHE-RSA-CAMELLIA256-SHA384`
|
`ECDHE-RSA-CAMELLIA256-SHA384`
|
||||||
|
|
||||||
|
### TLS 1.3 cipher suites
|
||||||
|
|
||||||
|
(Note: the TLS 1.3 cipher suites are set with a separate option.)
|
||||||
|
|
||||||
|
`TLS13-AES-256-GCM-SHA384`
|
||||||
|
`TLS13-CHACHA20-POLY1305-SHA256`
|
||||||
|
`TLS13-AES-128-GCM-SHA256`
|
||||||
|
`TLS13-AES-128-CCM-8-SHA256`
|
||||||
|
`TLS13-AES-128-CCM-SHA256`
|
||||||
|
|
||||||
## NSS
|
## NSS
|
||||||
|
|
||||||
### Totally insecure
|
### Totally insecure
|
||||||
|
@ -47,6 +47,6 @@ DPAGES = abstract-unix-socket.d anyauth.d append.d basic.d cacert.d capath.d cer
|
|||||||
tlsv1.3.d tlsv1.d trace-ascii.d trace.d trace-time.d tr-encoding.d \
|
tlsv1.3.d tlsv1.d trace-ascii.d trace.d trace-time.d tr-encoding.d \
|
||||||
unix-socket.d upload-file.d url.d use-ascii.d user-agent.d user.d \
|
unix-socket.d upload-file.d url.d use-ascii.d user-agent.d user.d \
|
||||||
verbose.d version.d write-out.d xattr.d request-target.d \
|
verbose.d version.d write-out.d xattr.d request-target.d \
|
||||||
styled-output.d
|
styled-output.d tls13-ciphers.d proxy-tls13-ciphers.d
|
||||||
|
|
||||||
OTHERPAGES = page-footer page-header
|
OTHERPAGES = page-footer page-header
|
||||||
|
12
docs/cmdline-opts/proxy-tls13-ciphers.d
Normal file
12
docs/cmdline-opts/proxy-tls13-ciphers.d
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
Long: proxy-tls13-ciphers
|
||||||
|
Arg: <ciphersuite list>
|
||||||
|
help: TLS 1.3 proxy cipher suites
|
||||||
|
Protocols: TLS
|
||||||
|
---
|
||||||
|
Specifies which cipher suites to use in the connection to your HTTPS proxy
|
||||||
|
when it negotiates TLS 1.3. The list of ciphers suites must specify valid
|
||||||
|
ciphers. Read up on TLS 1.3 cipher suite details on this URL:
|
||||||
|
|
||||||
|
https://curl.haxx.se/docs/ssl-ciphers.html
|
||||||
|
|
||||||
|
If this option is used several times, the last one will be used.
|
12
docs/cmdline-opts/tls13-ciphers.d
Normal file
12
docs/cmdline-opts/tls13-ciphers.d
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
Long: tls13-ciphers
|
||||||
|
Arg: <list of TLS 1.3 ciphersuites>
|
||||||
|
help: TLS 1.3 cipher suites to use
|
||||||
|
Protocols: TLS
|
||||||
|
---
|
||||||
|
Specifies which cipher suites to use in the connection if it negotiates TLS
|
||||||
|
1.3. The list of ciphers suites must specify valid ciphers. Read up on TLS 1.3
|
||||||
|
cipher suite details on this URL:
|
||||||
|
|
||||||
|
https://curl.haxx.se/docs/ssl-ciphers.html
|
||||||
|
|
||||||
|
If this option is used several times, the last one will be used.
|
@ -548,6 +548,10 @@ Identify EGD socket for entropy. See \fICURLOPT_EGDSOCKET(3)\fP
|
|||||||
Ciphers to use. See \fICURLOPT_SSL_CIPHER_LIST(3)\fP
|
Ciphers to use. See \fICURLOPT_SSL_CIPHER_LIST(3)\fP
|
||||||
.IP CURLOPT_PROXY_SSL_CIPHER_LIST
|
.IP CURLOPT_PROXY_SSL_CIPHER_LIST
|
||||||
Proxy ciphers to use. See \fICURLOPT_PROXY_SSL_CIPHER_LIST(3)\fP
|
Proxy ciphers to use. See \fICURLOPT_PROXY_SSL_CIPHER_LIST(3)\fP
|
||||||
|
.IP CURLOPT_TLS13_CIPHERS
|
||||||
|
TLS 1.3 cipher suites to use. See \fICURLOPT_TLS13_CIPHERS(3)\fP
|
||||||
|
.IP CURLOPT_PROXY_TLS13_CIPHERS
|
||||||
|
Proxy TLS 1.3 cipher suites to use. See \fICURLOPT_PROXY_TLS13_CIPHERS(3)\fP
|
||||||
.IP CURLOPT_SSL_SESSIONID_CACHE
|
.IP CURLOPT_SSL_SESSIONID_CACHE
|
||||||
Disable SSL session-id cache. See \fICURLOPT_SSL_SESSIONID_CACHE(3)\fP
|
Disable SSL session-id cache. See \fICURLOPT_SSL_SESSIONID_CACHE(3)\fP
|
||||||
.IP CURLOPT_SSL_OPTIONS
|
.IP CURLOPT_SSL_OPTIONS
|
||||||
|
63
docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3
Normal file
63
docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
.\" **************************************************************************
|
||||||
|
.\" * _ _ ____ _
|
||||||
|
.\" * Project ___| | | | _ \| |
|
||||||
|
.\" * / __| | | | |_) | |
|
||||||
|
.\" * | (__| |_| | _ <| |___
|
||||||
|
.\" * \___|\___/|_| \_\_____|
|
||||||
|
.\" *
|
||||||
|
.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
.\" *
|
||||||
|
.\" * This software is licensed as described in the file COPYING, which
|
||||||
|
.\" * you should have received as part of this distribution. The terms
|
||||||
|
.\" * are also available at https://curl.haxx.se/docs/copyright.html.
|
||||||
|
.\" *
|
||||||
|
.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
||||||
|
.\" * copies of the Software, and permit persons to whom the Software is
|
||||||
|
.\" * furnished to do so, under the terms of the COPYING file.
|
||||||
|
.\" *
|
||||||
|
.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
||||||
|
.\" * KIND, either express or implied.
|
||||||
|
.\" *
|
||||||
|
.\" **************************************************************************
|
||||||
|
.\"
|
||||||
|
.TH CURLOPT_PROXY_TLS13_CIPHERS 3 "25 May 2018" "libcurl 7.61.0" "curl_easy_setopt options"
|
||||||
|
.SH NAME
|
||||||
|
CURLOPT_PROXY_TLS13_CIPHERS \- ciphers suites for proxy TLS 1.3
|
||||||
|
.SH SYNOPSIS
|
||||||
|
#include <curl/curl.h>
|
||||||
|
|
||||||
|
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_TLS13_CIPHERS, char *list);
|
||||||
|
.SH DESCRIPTION
|
||||||
|
Pass a char *, pointing to a zero terminated string holding the list of cipher
|
||||||
|
suites to use for the TLS 1.3 connection to a proxy. The list must be
|
||||||
|
syntactically correct, it consists of one or more cipher suite strings
|
||||||
|
separated by colons.
|
||||||
|
|
||||||
|
You'll find more details about cipher lists on this URL:
|
||||||
|
|
||||||
|
https://curl.haxx.se/docs/ssl-ciphers.html
|
||||||
|
|
||||||
|
The application does not have to keep the string around after setting this
|
||||||
|
option.
|
||||||
|
.SH DEFAULT
|
||||||
|
NULL, use internal default
|
||||||
|
.SH PROTOCOLS
|
||||||
|
All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
|
||||||
|
.SH EXAMPLE
|
||||||
|
.nf
|
||||||
|
CURL *curl = curl_easy_init();
|
||||||
|
if(curl) {
|
||||||
|
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
|
||||||
|
curl_easy_setopt(curl, CURLOPT_PROXY_TLS13_CIPHERS,
|
||||||
|
"TLS13-CHACHA20-POLY1305-SHA256");
|
||||||
|
ret = curl_easy_perform(curl);
|
||||||
|
curl_easy_cleanup(curl);
|
||||||
|
}
|
||||||
|
.fi
|
||||||
|
.SH AVAILABILITY
|
||||||
|
Added in 7.61.0.
|
||||||
|
Available when built with OpenSSL >= 1.1.1.
|
||||||
|
.SH RETURN VALUE
|
||||||
|
Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise.
|
||||||
|
.SH "SEE ALSO"
|
||||||
|
.BR CURLOPT_SSLVERSION "(3), " CURLOPT_TLS13_CIPHERS "(3), "
|
62
docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3
Normal file
62
docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3
Normal file
@ -0,0 +1,62 @@
|
|||||||
|
.\" **************************************************************************
|
||||||
|
.\" * _ _ ____ _
|
||||||
|
.\" * Project ___| | | | _ \| |
|
||||||
|
.\" * / __| | | | |_) | |
|
||||||
|
.\" * | (__| |_| | _ <| |___
|
||||||
|
.\" * \___|\___/|_| \_\_____|
|
||||||
|
.\" *
|
||||||
|
.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
.\" *
|
||||||
|
.\" * This software is licensed as described in the file COPYING, which
|
||||||
|
.\" * you should have received as part of this distribution. The terms
|
||||||
|
.\" * are also available at https://curl.haxx.se/docs/copyright.html.
|
||||||
|
.\" *
|
||||||
|
.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
||||||
|
.\" * copies of the Software, and permit persons to whom the Software is
|
||||||
|
.\" * furnished to do so, under the terms of the COPYING file.
|
||||||
|
.\" *
|
||||||
|
.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
||||||
|
.\" * KIND, either express or implied.
|
||||||
|
.\" *
|
||||||
|
.\" **************************************************************************
|
||||||
|
.\"
|
||||||
|
.TH CURLOPT_TLS13_CIPHERS 3 "25 May 2018" "libcurl 7.61.0" "curl_easy_setopt options"
|
||||||
|
.SH NAME
|
||||||
|
CURLOPT_TLS13_CIPHERS \- specify ciphers suites to use for TLS 1.3
|
||||||
|
.SH SYNOPSIS
|
||||||
|
#include <curl/curl.h>
|
||||||
|
|
||||||
|
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_TLS13_CIPHERS, char *list);
|
||||||
|
.SH DESCRIPTION
|
||||||
|
Pass a char *, pointing to a zero terminated string holding the list of cipher
|
||||||
|
suites to use for the TLS 1.3 connection. The list must be syntactically
|
||||||
|
correct, it consists of one or more cipher suite strings separated by colons.
|
||||||
|
|
||||||
|
You'll find more details about cipher lists on this URL:
|
||||||
|
|
||||||
|
https://curl.haxx.se/docs/ssl-ciphers.html
|
||||||
|
|
||||||
|
The application does not have to keep the string around after setting this
|
||||||
|
option.
|
||||||
|
.SH DEFAULT
|
||||||
|
NULL, use internal default
|
||||||
|
.SH PROTOCOLS
|
||||||
|
All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
|
||||||
|
.SH EXAMPLE
|
||||||
|
.nf
|
||||||
|
CURL *curl = curl_easy_init();
|
||||||
|
if(curl) {
|
||||||
|
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
|
||||||
|
curl_easy_setopt(curl, CURLOPT_TLS13_CIPHERS,
|
||||||
|
"TLS13-CHACHA20-POLY1305-SHA256");
|
||||||
|
ret = curl_easy_perform(curl);
|
||||||
|
curl_easy_cleanup(curl);
|
||||||
|
}
|
||||||
|
.fi
|
||||||
|
.SH AVAILABILITY
|
||||||
|
Added in 7.61.0.
|
||||||
|
Available when built with OpenSSL >= 1.1.1.
|
||||||
|
.SH RETURN VALUE
|
||||||
|
Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise.
|
||||||
|
.SH "SEE ALSO"
|
||||||
|
.BR CURLOPT_SSLVERSION "(3), " CURLOPT_PROXY_TLS13_CIPHERS "(3), "
|
@ -237,6 +237,7 @@ man_MANS = \
|
|||||||
CURLOPT_PROXY_SSL_OPTIONS.3 \
|
CURLOPT_PROXY_SSL_OPTIONS.3 \
|
||||||
CURLOPT_PROXY_SSL_VERIFYHOST.3 \
|
CURLOPT_PROXY_SSL_VERIFYHOST.3 \
|
||||||
CURLOPT_PROXY_SSL_VERIFYPEER.3 \
|
CURLOPT_PROXY_SSL_VERIFYPEER.3 \
|
||||||
|
CURLOPT_PROXY_TLS13_CIPHERS.3 \
|
||||||
CURLOPT_PROXY_TLSAUTH_PASSWORD.3 \
|
CURLOPT_PROXY_TLSAUTH_PASSWORD.3 \
|
||||||
CURLOPT_PROXY_TLSAUTH_TYPE.3 \
|
CURLOPT_PROXY_TLSAUTH_TYPE.3 \
|
||||||
CURLOPT_PROXY_TLSAUTH_USERNAME.3 \
|
CURLOPT_PROXY_TLSAUTH_USERNAME.3 \
|
||||||
@ -315,6 +316,7 @@ man_MANS = \
|
|||||||
CURLOPT_TIMEOUT_MS.3 \
|
CURLOPT_TIMEOUT_MS.3 \
|
||||||
CURLOPT_TIMEVALUE.3 \
|
CURLOPT_TIMEVALUE.3 \
|
||||||
CURLOPT_TIMEVALUE_LARGE.3 \
|
CURLOPT_TIMEVALUE_LARGE.3 \
|
||||||
|
CURLOPT_TLS13_CIPHERS.3 \
|
||||||
CURLOPT_TLSAUTH_PASSWORD.3 \
|
CURLOPT_TLSAUTH_PASSWORD.3 \
|
||||||
CURLOPT_TLSAUTH_TYPE.3 \
|
CURLOPT_TLSAUTH_TYPE.3 \
|
||||||
CURLOPT_TLSAUTH_USERNAME.3 \
|
CURLOPT_TLSAUTH_USERNAME.3 \
|
||||||
|
@ -101,8 +101,8 @@ CURLE_PEER_FAILED_VERIFICATION 7.17.1
|
|||||||
CURLE_QUOTE_ERROR 7.17.0
|
CURLE_QUOTE_ERROR 7.17.0
|
||||||
CURLE_RANGE_ERROR 7.17.0
|
CURLE_RANGE_ERROR 7.17.0
|
||||||
CURLE_READ_ERROR 7.1
|
CURLE_READ_ERROR 7.1
|
||||||
CURLE_RECV_ERROR 7.10
|
|
||||||
CURLE_RECURSIVE_API_CALL 7.59.0
|
CURLE_RECURSIVE_API_CALL 7.59.0
|
||||||
|
CURLE_RECV_ERROR 7.10
|
||||||
CURLE_REMOTE_ACCESS_DENIED 7.17.0
|
CURLE_REMOTE_ACCESS_DENIED 7.17.0
|
||||||
CURLE_REMOTE_DISK_FULL 7.17.0
|
CURLE_REMOTE_DISK_FULL 7.17.0
|
||||||
CURLE_REMOTE_FILE_EXISTS 7.17.0
|
CURLE_REMOTE_FILE_EXISTS 7.17.0
|
||||||
@ -514,6 +514,7 @@ CURLOPT_PROXY_SSL_CIPHER_LIST 7.52.0
|
|||||||
CURLOPT_PROXY_SSL_OPTIONS 7.52.0
|
CURLOPT_PROXY_SSL_OPTIONS 7.52.0
|
||||||
CURLOPT_PROXY_SSL_VERIFYHOST 7.52.0
|
CURLOPT_PROXY_SSL_VERIFYHOST 7.52.0
|
||||||
CURLOPT_PROXY_SSL_VERIFYPEER 7.52.0
|
CURLOPT_PROXY_SSL_VERIFYPEER 7.52.0
|
||||||
|
CURLOPT_PROXY_TLS13_CIPHERS 7.61.0
|
||||||
CURLOPT_PROXY_TLSAUTH_PASSWORD 7.52.0
|
CURLOPT_PROXY_TLSAUTH_PASSWORD 7.52.0
|
||||||
CURLOPT_PROXY_TLSAUTH_TYPE 7.52.0
|
CURLOPT_PROXY_TLSAUTH_TYPE 7.52.0
|
||||||
CURLOPT_PROXY_TLSAUTH_USERNAME 7.52.0
|
CURLOPT_PROXY_TLSAUTH_USERNAME 7.52.0
|
||||||
@ -528,6 +529,8 @@ CURLOPT_REDIR_PROTOCOLS 7.19.4
|
|||||||
CURLOPT_REFERER 7.1
|
CURLOPT_REFERER 7.1
|
||||||
CURLOPT_REQUEST_TARGET 7.55.0
|
CURLOPT_REQUEST_TARGET 7.55.0
|
||||||
CURLOPT_RESOLVE 7.21.3
|
CURLOPT_RESOLVE 7.21.3
|
||||||
|
CURLOPT_RESOLVER_START_DATA 7.59.0
|
||||||
|
CURLOPT_RESOLVER_START_FUNCTION 7.59.0
|
||||||
CURLOPT_RESUME_FROM 7.1
|
CURLOPT_RESUME_FROM 7.1
|
||||||
CURLOPT_RESUME_FROM_LARGE 7.11.0
|
CURLOPT_RESUME_FROM_LARGE 7.11.0
|
||||||
CURLOPT_RTSPHEADER 7.20.0
|
CURLOPT_RTSPHEADER 7.20.0
|
||||||
@ -602,13 +605,12 @@ CURLOPT_TIMEOUT 7.1
|
|||||||
CURLOPT_TIMEOUT_MS 7.16.2
|
CURLOPT_TIMEOUT_MS 7.16.2
|
||||||
CURLOPT_TIMEVALUE 7.1
|
CURLOPT_TIMEVALUE 7.1
|
||||||
CURLOPT_TIMEVALUE_LARGE 7.59.0
|
CURLOPT_TIMEVALUE_LARGE 7.59.0
|
||||||
|
CURLOPT_TLS13_CIPHERS 7.61.0
|
||||||
CURLOPT_TLSAUTH_PASSWORD 7.21.4
|
CURLOPT_TLSAUTH_PASSWORD 7.21.4
|
||||||
CURLOPT_TLSAUTH_TYPE 7.21.4
|
CURLOPT_TLSAUTH_TYPE 7.21.4
|
||||||
CURLOPT_TLSAUTH_USERNAME 7.21.4
|
CURLOPT_TLSAUTH_USERNAME 7.21.4
|
||||||
CURLOPT_TRANSFERTEXT 7.1.1
|
CURLOPT_TRANSFERTEXT 7.1.1
|
||||||
CURLOPT_TRANSFER_ENCODING 7.21.6
|
CURLOPT_TRANSFER_ENCODING 7.21.6
|
||||||
CURLOPT_RESOLVER_START_FUNCTION 7.59.0
|
|
||||||
CURLOPT_RESOLVER_START_DATA 7.59.0
|
|
||||||
CURLOPT_UNIX_SOCKET_PATH 7.40.0
|
CURLOPT_UNIX_SOCKET_PATH 7.40.0
|
||||||
CURLOPT_UNRESTRICTED_AUTH 7.10.4
|
CURLOPT_UNRESTRICTED_AUTH 7.10.4
|
||||||
CURLOPT_UPLOAD 7.1
|
CURLOPT_UPLOAD 7.1
|
||||||
|
@ -1849,6 +1849,10 @@ typedef enum {
|
|||||||
/* shuffle addresses before use when DNS returns multiple */
|
/* shuffle addresses before use when DNS returns multiple */
|
||||||
CINIT(DNS_SHUFFLE_ADDRESSES, LONG, 275),
|
CINIT(DNS_SHUFFLE_ADDRESSES, LONG, 275),
|
||||||
|
|
||||||
|
/* Specify which TLS 1.3 ciphers suites to use */
|
||||||
|
CINIT(TLS13_CIPHERS, STRINGPOINT, 276),
|
||||||
|
CINIT(PROXY_TLS13_CIPHERS, STRINGPOINT, 277),
|
||||||
|
|
||||||
CURLOPT_LASTENTRY /* the last unused */
|
CURLOPT_LASTENTRY /* the last unused */
|
||||||
} CURLoption;
|
} CURLoption;
|
||||||
|
|
||||||
|
19
lib/setopt.c
19
lib/setopt.c
@ -142,6 +142,25 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
|||||||
va_arg(param, char *));
|
va_arg(param, char *));
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case CURLOPT_TLS13_CIPHERS:
|
||||||
|
if(Curl_ssl_tls13_ciphersuites()) {
|
||||||
|
/* set preferred list of TLS 1.3 cipher suites */
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG],
|
||||||
|
va_arg(param, char *));
|
||||||
|
}
|
||||||
|
else
|
||||||
|
return CURLE_NOT_BUILT_IN;
|
||||||
|
break;
|
||||||
|
case CURLOPT_PROXY_TLS13_CIPHERS:
|
||||||
|
if(Curl_ssl_tls13_ciphersuites()) {
|
||||||
|
/* set preferred list of TLS 1.3 cipher suites for proxy */
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_PROXY],
|
||||||
|
va_arg(param, char *));
|
||||||
|
}
|
||||||
|
else
|
||||||
|
return CURLE_NOT_BUILT_IN;
|
||||||
|
break;
|
||||||
|
|
||||||
case CURLOPT_RANDOM_FILE:
|
case CURLOPT_RANDOM_FILE:
|
||||||
/*
|
/*
|
||||||
* This is the path name to a file that contains random data to seed
|
* This is the path name to a file that contains random data to seed
|
||||||
|
@ -227,6 +227,7 @@ struct ssl_primary_config {
|
|||||||
char *random_file; /* path to file containing "random" data */
|
char *random_file; /* path to file containing "random" data */
|
||||||
char *egdsocket; /* path to file containing the EGD daemon socket */
|
char *egdsocket; /* path to file containing the EGD daemon socket */
|
||||||
char *cipher_list; /* list of ciphers to use */
|
char *cipher_list; /* list of ciphers to use */
|
||||||
|
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
|
||||||
};
|
};
|
||||||
|
|
||||||
struct ssl_config_data {
|
struct ssl_config_data {
|
||||||
@ -1401,6 +1402,8 @@ enum dupstring {
|
|||||||
STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
|
STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
|
||||||
STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
|
STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
|
||||||
STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
|
STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
|
||||||
|
STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */
|
||||||
|
STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */
|
||||||
STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */
|
STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */
|
||||||
STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */
|
STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */
|
||||||
STRING_USERAGENT, /* User-Agent string */
|
STRING_USERAGENT, /* User-Agent string */
|
||||||
|
@ -166,6 +166,17 @@ static unsigned long OpenSSL_version_num(void)
|
|||||||
#define HAVE_KEYLOG_CALLBACK
|
#define HAVE_KEYLOG_CALLBACK
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* Whether SSL_CTX_set_ciphersuites is available.
|
||||||
|
* OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
|
||||||
|
* BoringSSL: no
|
||||||
|
* LibreSSL: no
|
||||||
|
*/
|
||||||
|
#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
|
||||||
|
!defined(LIBRESSL_VERSION_NUMBER) && \
|
||||||
|
!defined(OPENSSL_IS_BORINGSSL))
|
||||||
|
#define HAVE_SSL_CTX_SET_CIPHERSUITES
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(LIBRESSL_VERSION_NUMBER)
|
#if defined(LIBRESSL_VERSION_NUMBER)
|
||||||
#define OSSL_PACKAGE "LibreSSL"
|
#define OSSL_PACKAGE "LibreSSL"
|
||||||
#elif defined(OPENSSL_IS_BORINGSSL)
|
#elif defined(OPENSSL_IS_BORINGSSL)
|
||||||
@ -2413,6 +2424,19 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
|||||||
infof(data, "Cipher selection: %s\n", ciphers);
|
infof(data, "Cipher selection: %s\n", ciphers);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
|
||||||
|
{
|
||||||
|
char *ciphers13 = SSL_CONN_CONFIG(cipher_list13);
|
||||||
|
if(ciphers13) {
|
||||||
|
if(!SSL_CTX_set_ciphersuites(BACKEND->ctx, ciphers13)) {
|
||||||
|
failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers);
|
||||||
|
return CURLE_SSL_CIPHER;
|
||||||
|
}
|
||||||
|
infof(data, "TLS 1.3 cipher selection: %s\n", ciphers13);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifdef USE_TLS_SRP
|
#ifdef USE_TLS_SRP
|
||||||
if(ssl_authtype == CURL_TLSAUTH_SRP) {
|
if(ssl_authtype == CURL_TLSAUTH_SRP) {
|
||||||
char * const ssl_username = SSL_SET_OPTION(username);
|
char * const ssl_username = SSL_SET_OPTION(username);
|
||||||
|
@ -979,6 +979,14 @@ bool Curl_ssl_false_start(void)
|
|||||||
return Curl_ssl->false_start();
|
return Curl_ssl->false_start();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check whether the SSL backend supports setting TLS 1.3 cipher suites
|
||||||
|
*/
|
||||||
|
bool Curl_ssl_tls13_ciphersuites(void)
|
||||||
|
{
|
||||||
|
return Curl_ssl->supports & SSLSUPP_TLS13_CIPHERSUITES;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Default implementations for unsupported functions.
|
* Default implementations for unsupported functions.
|
||||||
*/
|
*/
|
||||||
|
@ -31,6 +31,7 @@ struct ssl_connect_data;
|
|||||||
#define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */
|
#define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */
|
||||||
#define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */
|
#define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */
|
||||||
#define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */
|
#define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */
|
||||||
|
#define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */
|
||||||
|
|
||||||
struct Curl_ssl {
|
struct Curl_ssl {
|
||||||
/*
|
/*
|
||||||
@ -93,6 +94,7 @@ CURLcode Curl_none_set_engine(struct Curl_easy *data, const char *engine);
|
|||||||
CURLcode Curl_none_set_engine_default(struct Curl_easy *data);
|
CURLcode Curl_none_set_engine_default(struct Curl_easy *data);
|
||||||
struct curl_slist *Curl_none_engines_list(struct Curl_easy *data);
|
struct curl_slist *Curl_none_engines_list(struct Curl_easy *data);
|
||||||
bool Curl_none_false_start(void);
|
bool Curl_none_false_start(void);
|
||||||
|
bool Curl_ssl_tls13_ciphersuites(void);
|
||||||
CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
|
CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
|
||||||
unsigned char *md5sum, size_t md5len);
|
unsigned char *md5sum, size_t md5len);
|
||||||
|
|
||||||
@ -246,7 +248,7 @@ bool Curl_ssl_false_start(void);
|
|||||||
|
|
||||||
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
|
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
|
||||||
|
|
||||||
#else
|
#else /* if not USE_SSL */
|
||||||
|
|
||||||
/* When SSL support is not present, just define away these function calls */
|
/* When SSL support is not present, just define away these function calls */
|
||||||
#define Curl_ssl_init() 1
|
#define Curl_ssl_init() 1
|
||||||
@ -270,6 +272,7 @@ bool Curl_ssl_false_start(void);
|
|||||||
#define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
|
#define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
|
||||||
#define Curl_ssl_cert_status_request() FALSE
|
#define Curl_ssl_cert_status_request() FALSE
|
||||||
#define Curl_ssl_false_start() FALSE
|
#define Curl_ssl_false_start() FALSE
|
||||||
|
#define Curl_ssl_tls13_ciphersuites() FALSE
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#endif /* HEADER_CURL_VTLS_H */
|
#endif /* HEADER_CURL_VTLS_H */
|
||||||
|
@ -117,6 +117,8 @@ struct OperationConfig {
|
|||||||
struct getout *url_ul; /* point to the node to fill in upload */
|
struct getout *url_ul; /* point to the node to fill in upload */
|
||||||
char *cipher_list;
|
char *cipher_list;
|
||||||
char *proxy_cipher_list;
|
char *proxy_cipher_list;
|
||||||
|
char *cipher13_list;
|
||||||
|
char *proxy_cipher13_list;
|
||||||
char *cert;
|
char *cert;
|
||||||
char *proxy_cert;
|
char *proxy_cert;
|
||||||
char *cert_type;
|
char *cert_type;
|
||||||
|
@ -201,6 +201,8 @@ static const struct LongShort aliases[]= {
|
|||||||
{"11", "tlsv1.1", ARG_NONE},
|
{"11", "tlsv1.1", ARG_NONE},
|
||||||
{"12", "tlsv1.2", ARG_NONE},
|
{"12", "tlsv1.2", ARG_NONE},
|
||||||
{"13", "tlsv1.3", ARG_NONE},
|
{"13", "tlsv1.3", ARG_NONE},
|
||||||
|
{"1A", "tls13-ciphers", ARG_STRING},
|
||||||
|
{"1B", "proxy-tls13-ciphers", ARG_STRING},
|
||||||
{"2", "sslv2", ARG_NONE},
|
{"2", "sslv2", ARG_NONE},
|
||||||
{"3", "sslv3", ARG_NONE},
|
{"3", "sslv3", ARG_NONE},
|
||||||
{"4", "ipv4", ARG_NONE},
|
{"4", "ipv4", ARG_NONE},
|
||||||
@ -1177,6 +1179,12 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
|
|||||||
/* TLS version 1.3 */
|
/* TLS version 1.3 */
|
||||||
config->ssl_version = CURL_SSLVERSION_TLSv1_3;
|
config->ssl_version = CURL_SSLVERSION_TLSv1_3;
|
||||||
break;
|
break;
|
||||||
|
case 'A': /* --tls13-ciphers */
|
||||||
|
GetStr(&config->cipher13_list, nextarg);
|
||||||
|
break;
|
||||||
|
case 'B': /* --proxy-tls13-ciphers */
|
||||||
|
GetStr(&config->proxy_cipher13_list, nextarg);
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case '2':
|
case '2':
|
||||||
|
@ -160,12 +160,12 @@ static const struct helptxt helptext[] = {
|
|||||||
"Put the post data in the URL and use GET"},
|
"Put the post data in the URL and use GET"},
|
||||||
{"-g, --globoff",
|
{"-g, --globoff",
|
||||||
"Disable URL sequences and ranges using {} and []"},
|
"Disable URL sequences and ranges using {} and []"},
|
||||||
{" --happy-eyeballs-timeout-ms",
|
{" --happy-eyeballs-timeout-ms <milliseconds>",
|
||||||
"How long to wait in milliseconds for IPv6 before trying IPv4"},
|
"How long to wait in milliseconds for IPv6 before trying IPv4"},
|
||||||
{"-I, --head",
|
|
||||||
"Show document info only"},
|
|
||||||
{" --haproxy-protocol",
|
{" --haproxy-protocol",
|
||||||
"Send HAProxy PROXY protocol v1 header"},
|
"Send HAProxy PROXY protocol v1 header"},
|
||||||
|
{"-I, --head",
|
||||||
|
"Show document info only"},
|
||||||
{"-H, --header <header/@file>",
|
{"-H, --header <header/@file>",
|
||||||
"Pass custom header(s) to server"},
|
"Pass custom header(s) to server"},
|
||||||
{"-h, --help",
|
{"-h, --help",
|
||||||
@ -297,7 +297,7 @@ static const struct helptxt helptext[] = {
|
|||||||
{" --proxy-cert <cert[:passwd]>",
|
{" --proxy-cert <cert[:passwd]>",
|
||||||
"Set client certificate for proxy"},
|
"Set client certificate for proxy"},
|
||||||
{" --proxy-cert-type <type>",
|
{" --proxy-cert-type <type>",
|
||||||
"Client certificate type for HTTS proxy"},
|
"Client certificate type for HTTPS proxy"},
|
||||||
{" --proxy-ciphers <list>",
|
{" --proxy-ciphers <list>",
|
||||||
"SSL ciphers to use for proxy"},
|
"SSL ciphers to use for proxy"},
|
||||||
{" --proxy-crlfile <file>",
|
{" --proxy-crlfile <file>",
|
||||||
@ -324,6 +324,8 @@ static const struct helptxt helptext[] = {
|
|||||||
"SPNEGO proxy service name"},
|
"SPNEGO proxy service name"},
|
||||||
{" --proxy-ssl-allow-beast",
|
{" --proxy-ssl-allow-beast",
|
||||||
"Allow security flaw for interop for HTTPS proxy"},
|
"Allow security flaw for interop for HTTPS proxy"},
|
||||||
|
{" --proxy-tls13-ciphers <ciphersuite list>",
|
||||||
|
"TLS 1.3 proxy cipher suites"},
|
||||||
{" --proxy-tlsauthtype <type>",
|
{" --proxy-tlsauthtype <type>",
|
||||||
"TLS authentication type for HTTPS proxy"},
|
"TLS authentication type for HTTPS proxy"},
|
||||||
{" --proxy-tlspassword <string>",
|
{" --proxy-tlspassword <string>",
|
||||||
@ -337,7 +339,7 @@ static const struct helptxt helptext[] = {
|
|||||||
{" --proxy1.0 <host[:port]>",
|
{" --proxy1.0 <host[:port]>",
|
||||||
"Use HTTP/1.0 proxy on given port"},
|
"Use HTTP/1.0 proxy on given port"},
|
||||||
{"-p, --proxytunnel",
|
{"-p, --proxytunnel",
|
||||||
"Operate through a HTTP proxy tunnel (using CONNECT)"},
|
"Operate through an HTTP proxy tunnel (using CONNECT)"},
|
||||||
{" --pubkey <key>",
|
{" --pubkey <key>",
|
||||||
"SSH Public key file name"},
|
"SSH Public key file name"},
|
||||||
{"-Q, --quote",
|
{"-Q, --quote",
|
||||||
@ -362,7 +364,7 @@ static const struct helptxt helptext[] = {
|
|||||||
"Specify request command to use"},
|
"Specify request command to use"},
|
||||||
{" --request-target",
|
{" --request-target",
|
||||||
"Specify the target for this request"},
|
"Specify the target for this request"},
|
||||||
{" --resolve <host:port:address>",
|
{" --resolve <host:port:address[,address]...>",
|
||||||
"Resolve the host+port to this address"},
|
"Resolve the host+port to this address"},
|
||||||
{" --retry <num>",
|
{" --retry <num>",
|
||||||
"Retry request if transient problems occur"},
|
"Retry request if transient problems occur"},
|
||||||
@ -432,6 +434,8 @@ static const struct helptxt helptext[] = {
|
|||||||
"Transfer based on a time condition"},
|
"Transfer based on a time condition"},
|
||||||
{" --tls-max <VERSION>",
|
{" --tls-max <VERSION>",
|
||||||
"Use TLSv1.0 or greater"},
|
"Use TLSv1.0 or greater"},
|
||||||
|
{" --tls13-ciphers <list of TLS 1.3 ciphersuites>",
|
||||||
|
"TLS 1.3 cipher suites to use"},
|
||||||
{" --tlsauthtype <type>",
|
{" --tlsauthtype <type>",
|
||||||
"TLS authentication type"},
|
"TLS authentication type"},
|
||||||
{" --tlspassword",
|
{" --tlspassword",
|
||||||
|
@ -1216,6 +1216,13 @@ static CURLcode operate_do(struct GlobalConfig *global,
|
|||||||
my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
|
my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
|
||||||
config->proxy_cipher_list);
|
config->proxy_cipher_list);
|
||||||
|
|
||||||
|
if(config->cipher13_list)
|
||||||
|
my_setopt_str(curl, CURLOPT_TLS13_CIPHERS, config->cipher13_list);
|
||||||
|
|
||||||
|
if(config->proxy_cipher13_list)
|
||||||
|
my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
|
||||||
|
config->proxy_cipher13_list);
|
||||||
|
|
||||||
/* new in libcurl 7.9.2: */
|
/* new in libcurl 7.9.2: */
|
||||||
if(config->disable_epsv)
|
if(config->disable_epsv)
|
||||||
/* disable it */
|
/* disable it */
|
||||||
|
Loading…
Reference in New Issue
Block a user