1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-23 08:38:49 -05:00

setopt: add TLS 1.3 ciphersuites

Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS.

curl: added --tls13-ciphers and --proxy-tls13-ciphers

Fixes #2435
Reported-by: zzq1015 on github
Closes #2607
This commit is contained in:
Daniel Stenberg 2018-05-29 16:12:52 +02:00
parent 5005ade2ce
commit 050c93c46f
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
19 changed files with 260 additions and 11 deletions

View File

@ -142,6 +142,16 @@ libcurl was built to use. This is an attempt to list known cipher names.
`ECDHE-RSA-CAMELLIA128-SHA256` `ECDHE-RSA-CAMELLIA128-SHA256`
`ECDHE-RSA-CAMELLIA256-SHA384` `ECDHE-RSA-CAMELLIA256-SHA384`
### TLS 1.3 cipher suites
(Note: the TLS 1.3 cipher suites are set with a separate option.)
`TLS13-AES-256-GCM-SHA384`
`TLS13-CHACHA20-POLY1305-SHA256`
`TLS13-AES-128-GCM-SHA256`
`TLS13-AES-128-CCM-8-SHA256`
`TLS13-AES-128-CCM-SHA256`
## NSS ## NSS
### Totally insecure ### Totally insecure

View File

@ -47,6 +47,6 @@ DPAGES = abstract-unix-socket.d anyauth.d append.d basic.d cacert.d capath.d cer
tlsv1.3.d tlsv1.d trace-ascii.d trace.d trace-time.d tr-encoding.d \ tlsv1.3.d tlsv1.d trace-ascii.d trace.d trace-time.d tr-encoding.d \
unix-socket.d upload-file.d url.d use-ascii.d user-agent.d user.d \ unix-socket.d upload-file.d url.d use-ascii.d user-agent.d user.d \
verbose.d version.d write-out.d xattr.d request-target.d \ verbose.d version.d write-out.d xattr.d request-target.d \
styled-output.d styled-output.d tls13-ciphers.d proxy-tls13-ciphers.d
OTHERPAGES = page-footer page-header OTHERPAGES = page-footer page-header

View File

@ -0,0 +1,12 @@
Long: proxy-tls13-ciphers
Arg: <ciphersuite list>
help: TLS 1.3 proxy cipher suites
Protocols: TLS
---
Specifies which cipher suites to use in the connection to your HTTPS proxy
when it negotiates TLS 1.3. The list of ciphers suites must specify valid
ciphers. Read up on TLS 1.3 cipher suite details on this URL:
https://curl.haxx.se/docs/ssl-ciphers.html
If this option is used several times, the last one will be used.

View File

@ -0,0 +1,12 @@
Long: tls13-ciphers
Arg: <list of TLS 1.3 ciphersuites>
help: TLS 1.3 cipher suites to use
Protocols: TLS
---
Specifies which cipher suites to use in the connection if it negotiates TLS
1.3. The list of ciphers suites must specify valid ciphers. Read up on TLS 1.3
cipher suite details on this URL:
https://curl.haxx.se/docs/ssl-ciphers.html
If this option is used several times, the last one will be used.

View File

@ -548,6 +548,10 @@ Identify EGD socket for entropy. See \fICURLOPT_EGDSOCKET(3)\fP
Ciphers to use. See \fICURLOPT_SSL_CIPHER_LIST(3)\fP Ciphers to use. See \fICURLOPT_SSL_CIPHER_LIST(3)\fP
.IP CURLOPT_PROXY_SSL_CIPHER_LIST .IP CURLOPT_PROXY_SSL_CIPHER_LIST
Proxy ciphers to use. See \fICURLOPT_PROXY_SSL_CIPHER_LIST(3)\fP Proxy ciphers to use. See \fICURLOPT_PROXY_SSL_CIPHER_LIST(3)\fP
.IP CURLOPT_TLS13_CIPHERS
TLS 1.3 cipher suites to use. See \fICURLOPT_TLS13_CIPHERS(3)\fP
.IP CURLOPT_PROXY_TLS13_CIPHERS
Proxy TLS 1.3 cipher suites to use. See \fICURLOPT_PROXY_TLS13_CIPHERS(3)\fP
.IP CURLOPT_SSL_SESSIONID_CACHE .IP CURLOPT_SSL_SESSIONID_CACHE
Disable SSL session-id cache. See \fICURLOPT_SSL_SESSIONID_CACHE(3)\fP Disable SSL session-id cache. See \fICURLOPT_SSL_SESSIONID_CACHE(3)\fP
.IP CURLOPT_SSL_OPTIONS .IP CURLOPT_SSL_OPTIONS

View File

@ -0,0 +1,63 @@
.\" **************************************************************************
.\" * _ _ ____ _
.\" * Project ___| | | | _ \| |
.\" * / __| | | | |_) | |
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
.\" * are also available at https://curl.haxx.se/docs/copyright.html.
.\" *
.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
.\" * copies of the Software, and permit persons to whom the Software is
.\" * furnished to do so, under the terms of the COPYING file.
.\" *
.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
.\" * KIND, either express or implied.
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_TLS13_CIPHERS 3 "25 May 2018" "libcurl 7.61.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_TLS13_CIPHERS \- ciphers suites for proxy TLS 1.3
.SH SYNOPSIS
#include <curl/curl.h>
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_TLS13_CIPHERS, char *list);
.SH DESCRIPTION
Pass a char *, pointing to a zero terminated string holding the list of cipher
suites to use for the TLS 1.3 connection to a proxy. The list must be
syntactically correct, it consists of one or more cipher suite strings
separated by colons.
You'll find more details about cipher lists on this URL:
https://curl.haxx.se/docs/ssl-ciphers.html
The application does not have to keep the string around after setting this
option.
.SH DEFAULT
NULL, use internal default
.SH PROTOCOLS
All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
.SH EXAMPLE
.nf
CURL *curl = curl_easy_init();
if(curl) {
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
curl_easy_setopt(curl, CURLOPT_PROXY_TLS13_CIPHERS,
"TLS13-CHACHA20-POLY1305-SHA256");
ret = curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
.fi
.SH AVAILABILITY
Added in 7.61.0.
Available when built with OpenSSL >= 1.1.1.
.SH RETURN VALUE
Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise.
.SH "SEE ALSO"
.BR CURLOPT_SSLVERSION "(3), " CURLOPT_TLS13_CIPHERS "(3), "

View File

@ -0,0 +1,62 @@
.\" **************************************************************************
.\" * _ _ ____ _
.\" * Project ___| | | | _ \| |
.\" * / __| | | | |_) | |
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
.\" * are also available at https://curl.haxx.se/docs/copyright.html.
.\" *
.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
.\" * copies of the Software, and permit persons to whom the Software is
.\" * furnished to do so, under the terms of the COPYING file.
.\" *
.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
.\" * KIND, either express or implied.
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_TLS13_CIPHERS 3 "25 May 2018" "libcurl 7.61.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_TLS13_CIPHERS \- specify ciphers suites to use for TLS 1.3
.SH SYNOPSIS
#include <curl/curl.h>
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_TLS13_CIPHERS, char *list);
.SH DESCRIPTION
Pass a char *, pointing to a zero terminated string holding the list of cipher
suites to use for the TLS 1.3 connection. The list must be syntactically
correct, it consists of one or more cipher suite strings separated by colons.
You'll find more details about cipher lists on this URL:
https://curl.haxx.se/docs/ssl-ciphers.html
The application does not have to keep the string around after setting this
option.
.SH DEFAULT
NULL, use internal default
.SH PROTOCOLS
All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
.SH EXAMPLE
.nf
CURL *curl = curl_easy_init();
if(curl) {
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
curl_easy_setopt(curl, CURLOPT_TLS13_CIPHERS,
"TLS13-CHACHA20-POLY1305-SHA256");
ret = curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
.fi
.SH AVAILABILITY
Added in 7.61.0.
Available when built with OpenSSL >= 1.1.1.
.SH RETURN VALUE
Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise.
.SH "SEE ALSO"
.BR CURLOPT_SSLVERSION "(3), " CURLOPT_PROXY_TLS13_CIPHERS "(3), "

View File

@ -237,6 +237,7 @@ man_MANS = \
CURLOPT_PROXY_SSL_OPTIONS.3 \ CURLOPT_PROXY_SSL_OPTIONS.3 \
CURLOPT_PROXY_SSL_VERIFYHOST.3 \ CURLOPT_PROXY_SSL_VERIFYHOST.3 \
CURLOPT_PROXY_SSL_VERIFYPEER.3 \ CURLOPT_PROXY_SSL_VERIFYPEER.3 \
CURLOPT_PROXY_TLS13_CIPHERS.3 \
CURLOPT_PROXY_TLSAUTH_PASSWORD.3 \ CURLOPT_PROXY_TLSAUTH_PASSWORD.3 \
CURLOPT_PROXY_TLSAUTH_TYPE.3 \ CURLOPT_PROXY_TLSAUTH_TYPE.3 \
CURLOPT_PROXY_TLSAUTH_USERNAME.3 \ CURLOPT_PROXY_TLSAUTH_USERNAME.3 \
@ -315,6 +316,7 @@ man_MANS = \
CURLOPT_TIMEOUT_MS.3 \ CURLOPT_TIMEOUT_MS.3 \
CURLOPT_TIMEVALUE.3 \ CURLOPT_TIMEVALUE.3 \
CURLOPT_TIMEVALUE_LARGE.3 \ CURLOPT_TIMEVALUE_LARGE.3 \
CURLOPT_TLS13_CIPHERS.3 \
CURLOPT_TLSAUTH_PASSWORD.3 \ CURLOPT_TLSAUTH_PASSWORD.3 \
CURLOPT_TLSAUTH_TYPE.3 \ CURLOPT_TLSAUTH_TYPE.3 \
CURLOPT_TLSAUTH_USERNAME.3 \ CURLOPT_TLSAUTH_USERNAME.3 \

View File

@ -101,8 +101,8 @@ CURLE_PEER_FAILED_VERIFICATION 7.17.1
CURLE_QUOTE_ERROR 7.17.0 CURLE_QUOTE_ERROR 7.17.0
CURLE_RANGE_ERROR 7.17.0 CURLE_RANGE_ERROR 7.17.0
CURLE_READ_ERROR 7.1 CURLE_READ_ERROR 7.1
CURLE_RECV_ERROR 7.10
CURLE_RECURSIVE_API_CALL 7.59.0 CURLE_RECURSIVE_API_CALL 7.59.0
CURLE_RECV_ERROR 7.10
CURLE_REMOTE_ACCESS_DENIED 7.17.0 CURLE_REMOTE_ACCESS_DENIED 7.17.0
CURLE_REMOTE_DISK_FULL 7.17.0 CURLE_REMOTE_DISK_FULL 7.17.0
CURLE_REMOTE_FILE_EXISTS 7.17.0 CURLE_REMOTE_FILE_EXISTS 7.17.0
@ -514,6 +514,7 @@ CURLOPT_PROXY_SSL_CIPHER_LIST 7.52.0
CURLOPT_PROXY_SSL_OPTIONS 7.52.0 CURLOPT_PROXY_SSL_OPTIONS 7.52.0
CURLOPT_PROXY_SSL_VERIFYHOST 7.52.0 CURLOPT_PROXY_SSL_VERIFYHOST 7.52.0
CURLOPT_PROXY_SSL_VERIFYPEER 7.52.0 CURLOPT_PROXY_SSL_VERIFYPEER 7.52.0
CURLOPT_PROXY_TLS13_CIPHERS 7.61.0
CURLOPT_PROXY_TLSAUTH_PASSWORD 7.52.0 CURLOPT_PROXY_TLSAUTH_PASSWORD 7.52.0
CURLOPT_PROXY_TLSAUTH_TYPE 7.52.0 CURLOPT_PROXY_TLSAUTH_TYPE 7.52.0
CURLOPT_PROXY_TLSAUTH_USERNAME 7.52.0 CURLOPT_PROXY_TLSAUTH_USERNAME 7.52.0
@ -528,6 +529,8 @@ CURLOPT_REDIR_PROTOCOLS 7.19.4
CURLOPT_REFERER 7.1 CURLOPT_REFERER 7.1
CURLOPT_REQUEST_TARGET 7.55.0 CURLOPT_REQUEST_TARGET 7.55.0
CURLOPT_RESOLVE 7.21.3 CURLOPT_RESOLVE 7.21.3
CURLOPT_RESOLVER_START_DATA 7.59.0
CURLOPT_RESOLVER_START_FUNCTION 7.59.0
CURLOPT_RESUME_FROM 7.1 CURLOPT_RESUME_FROM 7.1
CURLOPT_RESUME_FROM_LARGE 7.11.0 CURLOPT_RESUME_FROM_LARGE 7.11.0
CURLOPT_RTSPHEADER 7.20.0 CURLOPT_RTSPHEADER 7.20.0
@ -602,13 +605,12 @@ CURLOPT_TIMEOUT 7.1
CURLOPT_TIMEOUT_MS 7.16.2 CURLOPT_TIMEOUT_MS 7.16.2
CURLOPT_TIMEVALUE 7.1 CURLOPT_TIMEVALUE 7.1
CURLOPT_TIMEVALUE_LARGE 7.59.0 CURLOPT_TIMEVALUE_LARGE 7.59.0
CURLOPT_TLS13_CIPHERS 7.61.0
CURLOPT_TLSAUTH_PASSWORD 7.21.4 CURLOPT_TLSAUTH_PASSWORD 7.21.4
CURLOPT_TLSAUTH_TYPE 7.21.4 CURLOPT_TLSAUTH_TYPE 7.21.4
CURLOPT_TLSAUTH_USERNAME 7.21.4 CURLOPT_TLSAUTH_USERNAME 7.21.4
CURLOPT_TRANSFERTEXT 7.1.1 CURLOPT_TRANSFERTEXT 7.1.1
CURLOPT_TRANSFER_ENCODING 7.21.6 CURLOPT_TRANSFER_ENCODING 7.21.6
CURLOPT_RESOLVER_START_FUNCTION 7.59.0
CURLOPT_RESOLVER_START_DATA 7.59.0
CURLOPT_UNIX_SOCKET_PATH 7.40.0 CURLOPT_UNIX_SOCKET_PATH 7.40.0
CURLOPT_UNRESTRICTED_AUTH 7.10.4 CURLOPT_UNRESTRICTED_AUTH 7.10.4
CURLOPT_UPLOAD 7.1 CURLOPT_UPLOAD 7.1

View File

@ -1849,6 +1849,10 @@ typedef enum {
/* shuffle addresses before use when DNS returns multiple */ /* shuffle addresses before use when DNS returns multiple */
CINIT(DNS_SHUFFLE_ADDRESSES, LONG, 275), CINIT(DNS_SHUFFLE_ADDRESSES, LONG, 275),
/* Specify which TLS 1.3 ciphers suites to use */
CINIT(TLS13_CIPHERS, STRINGPOINT, 276),
CINIT(PROXY_TLS13_CIPHERS, STRINGPOINT, 277),
CURLOPT_LASTENTRY /* the last unused */ CURLOPT_LASTENTRY /* the last unused */
} CURLoption; } CURLoption;

View File

@ -142,6 +142,25 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
va_arg(param, char *)); va_arg(param, char *));
break; break;
case CURLOPT_TLS13_CIPHERS:
if(Curl_ssl_tls13_ciphersuites()) {
/* set preferred list of TLS 1.3 cipher suites */
result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG],
va_arg(param, char *));
}
else
return CURLE_NOT_BUILT_IN;
break;
case CURLOPT_PROXY_TLS13_CIPHERS:
if(Curl_ssl_tls13_ciphersuites()) {
/* set preferred list of TLS 1.3 cipher suites for proxy */
result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_PROXY],
va_arg(param, char *));
}
else
return CURLE_NOT_BUILT_IN;
break;
case CURLOPT_RANDOM_FILE: case CURLOPT_RANDOM_FILE:
/* /*
* This is the path name to a file that contains random data to seed * This is the path name to a file that contains random data to seed

View File

@ -227,6 +227,7 @@ struct ssl_primary_config {
char *random_file; /* path to file containing "random" data */ char *random_file; /* path to file containing "random" data */
char *egdsocket; /* path to file containing the EGD daemon socket */ char *egdsocket; /* path to file containing the EGD daemon socket */
char *cipher_list; /* list of ciphers to use */ char *cipher_list; /* list of ciphers to use */
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
}; };
struct ssl_config_data { struct ssl_config_data {
@ -1401,6 +1402,8 @@ enum dupstring {
STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */ STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */ STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */ STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */
STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */
STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */ STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */
STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */ STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */
STRING_USERAGENT, /* User-Agent string */ STRING_USERAGENT, /* User-Agent string */

View File

@ -166,6 +166,17 @@ static unsigned long OpenSSL_version_num(void)
#define HAVE_KEYLOG_CALLBACK #define HAVE_KEYLOG_CALLBACK
#endif #endif
/* Whether SSL_CTX_set_ciphersuites is available.
* OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
* BoringSSL: no
* LibreSSL: no
*/
#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
!defined(LIBRESSL_VERSION_NUMBER) && \
!defined(OPENSSL_IS_BORINGSSL))
#define HAVE_SSL_CTX_SET_CIPHERSUITES
#endif
#if defined(LIBRESSL_VERSION_NUMBER) #if defined(LIBRESSL_VERSION_NUMBER)
#define OSSL_PACKAGE "LibreSSL" #define OSSL_PACKAGE "LibreSSL"
#elif defined(OPENSSL_IS_BORINGSSL) #elif defined(OPENSSL_IS_BORINGSSL)
@ -2413,6 +2424,19 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
infof(data, "Cipher selection: %s\n", ciphers); infof(data, "Cipher selection: %s\n", ciphers);
} }
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
{
char *ciphers13 = SSL_CONN_CONFIG(cipher_list13);
if(ciphers13) {
if(!SSL_CTX_set_ciphersuites(BACKEND->ctx, ciphers13)) {
failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers);
return CURLE_SSL_CIPHER;
}
infof(data, "TLS 1.3 cipher selection: %s\n", ciphers13);
}
}
#endif
#ifdef USE_TLS_SRP #ifdef USE_TLS_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP) { if(ssl_authtype == CURL_TLSAUTH_SRP) {
char * const ssl_username = SSL_SET_OPTION(username); char * const ssl_username = SSL_SET_OPTION(username);

View File

@ -979,6 +979,14 @@ bool Curl_ssl_false_start(void)
return Curl_ssl->false_start(); return Curl_ssl->false_start();
} }
/*
* Check whether the SSL backend supports setting TLS 1.3 cipher suites
*/
bool Curl_ssl_tls13_ciphersuites(void)
{
return Curl_ssl->supports & SSLSUPP_TLS13_CIPHERSUITES;
}
/* /*
* Default implementations for unsupported functions. * Default implementations for unsupported functions.
*/ */

View File

@ -31,6 +31,7 @@ struct ssl_connect_data;
#define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */ #define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */
#define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */ #define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */
#define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */ #define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */
#define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */
struct Curl_ssl { struct Curl_ssl {
/* /*
@ -93,6 +94,7 @@ CURLcode Curl_none_set_engine(struct Curl_easy *data, const char *engine);
CURLcode Curl_none_set_engine_default(struct Curl_easy *data); CURLcode Curl_none_set_engine_default(struct Curl_easy *data);
struct curl_slist *Curl_none_engines_list(struct Curl_easy *data); struct curl_slist *Curl_none_engines_list(struct Curl_easy *data);
bool Curl_none_false_start(void); bool Curl_none_false_start(void);
bool Curl_ssl_tls13_ciphersuites(void);
CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen, CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
unsigned char *md5sum, size_t md5len); unsigned char *md5sum, size_t md5len);
@ -246,7 +248,7 @@ bool Curl_ssl_false_start(void);
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
#else #else /* if not USE_SSL */
/* When SSL support is not present, just define away these function calls */ /* When SSL support is not present, just define away these function calls */
#define Curl_ssl_init() 1 #define Curl_ssl_init() 1
@ -270,6 +272,7 @@ bool Curl_ssl_false_start(void);
#define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN) #define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
#define Curl_ssl_cert_status_request() FALSE #define Curl_ssl_cert_status_request() FALSE
#define Curl_ssl_false_start() FALSE #define Curl_ssl_false_start() FALSE
#define Curl_ssl_tls13_ciphersuites() FALSE
#endif #endif
#endif /* HEADER_CURL_VTLS_H */ #endif /* HEADER_CURL_VTLS_H */

View File

@ -117,6 +117,8 @@ struct OperationConfig {
struct getout *url_ul; /* point to the node to fill in upload */ struct getout *url_ul; /* point to the node to fill in upload */
char *cipher_list; char *cipher_list;
char *proxy_cipher_list; char *proxy_cipher_list;
char *cipher13_list;
char *proxy_cipher13_list;
char *cert; char *cert;
char *proxy_cert; char *proxy_cert;
char *cert_type; char *cert_type;

View File

@ -201,6 +201,8 @@ static const struct LongShort aliases[]= {
{"11", "tlsv1.1", ARG_NONE}, {"11", "tlsv1.1", ARG_NONE},
{"12", "tlsv1.2", ARG_NONE}, {"12", "tlsv1.2", ARG_NONE},
{"13", "tlsv1.3", ARG_NONE}, {"13", "tlsv1.3", ARG_NONE},
{"1A", "tls13-ciphers", ARG_STRING},
{"1B", "proxy-tls13-ciphers", ARG_STRING},
{"2", "sslv2", ARG_NONE}, {"2", "sslv2", ARG_NONE},
{"3", "sslv3", ARG_NONE}, {"3", "sslv3", ARG_NONE},
{"4", "ipv4", ARG_NONE}, {"4", "ipv4", ARG_NONE},
@ -1177,6 +1179,12 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
/* TLS version 1.3 */ /* TLS version 1.3 */
config->ssl_version = CURL_SSLVERSION_TLSv1_3; config->ssl_version = CURL_SSLVERSION_TLSv1_3;
break; break;
case 'A': /* --tls13-ciphers */
GetStr(&config->cipher13_list, nextarg);
break;
case 'B': /* --proxy-tls13-ciphers */
GetStr(&config->proxy_cipher13_list, nextarg);
break;
} }
break; break;
case '2': case '2':

View File

@ -160,12 +160,12 @@ static const struct helptxt helptext[] = {
"Put the post data in the URL and use GET"}, "Put the post data in the URL and use GET"},
{"-g, --globoff", {"-g, --globoff",
"Disable URL sequences and ranges using {} and []"}, "Disable URL sequences and ranges using {} and []"},
{" --happy-eyeballs-timeout-ms", {" --happy-eyeballs-timeout-ms <milliseconds>",
"How long to wait in milliseconds for IPv6 before trying IPv4"}, "How long to wait in milliseconds for IPv6 before trying IPv4"},
{"-I, --head",
"Show document info only"},
{" --haproxy-protocol", {" --haproxy-protocol",
"Send HAProxy PROXY protocol v1 header"}, "Send HAProxy PROXY protocol v1 header"},
{"-I, --head",
"Show document info only"},
{"-H, --header <header/@file>", {"-H, --header <header/@file>",
"Pass custom header(s) to server"}, "Pass custom header(s) to server"},
{"-h, --help", {"-h, --help",
@ -297,7 +297,7 @@ static const struct helptxt helptext[] = {
{" --proxy-cert <cert[:passwd]>", {" --proxy-cert <cert[:passwd]>",
"Set client certificate for proxy"}, "Set client certificate for proxy"},
{" --proxy-cert-type <type>", {" --proxy-cert-type <type>",
"Client certificate type for HTTS proxy"}, "Client certificate type for HTTPS proxy"},
{" --proxy-ciphers <list>", {" --proxy-ciphers <list>",
"SSL ciphers to use for proxy"}, "SSL ciphers to use for proxy"},
{" --proxy-crlfile <file>", {" --proxy-crlfile <file>",
@ -324,6 +324,8 @@ static const struct helptxt helptext[] = {
"SPNEGO proxy service name"}, "SPNEGO proxy service name"},
{" --proxy-ssl-allow-beast", {" --proxy-ssl-allow-beast",
"Allow security flaw for interop for HTTPS proxy"}, "Allow security flaw for interop for HTTPS proxy"},
{" --proxy-tls13-ciphers <ciphersuite list>",
"TLS 1.3 proxy cipher suites"},
{" --proxy-tlsauthtype <type>", {" --proxy-tlsauthtype <type>",
"TLS authentication type for HTTPS proxy"}, "TLS authentication type for HTTPS proxy"},
{" --proxy-tlspassword <string>", {" --proxy-tlspassword <string>",
@ -337,7 +339,7 @@ static const struct helptxt helptext[] = {
{" --proxy1.0 <host[:port]>", {" --proxy1.0 <host[:port]>",
"Use HTTP/1.0 proxy on given port"}, "Use HTTP/1.0 proxy on given port"},
{"-p, --proxytunnel", {"-p, --proxytunnel",
"Operate through a HTTP proxy tunnel (using CONNECT)"}, "Operate through an HTTP proxy tunnel (using CONNECT)"},
{" --pubkey <key>", {" --pubkey <key>",
"SSH Public key file name"}, "SSH Public key file name"},
{"-Q, --quote", {"-Q, --quote",
@ -362,7 +364,7 @@ static const struct helptxt helptext[] = {
"Specify request command to use"}, "Specify request command to use"},
{" --request-target", {" --request-target",
"Specify the target for this request"}, "Specify the target for this request"},
{" --resolve <host:port:address>", {" --resolve <host:port:address[,address]...>",
"Resolve the host+port to this address"}, "Resolve the host+port to this address"},
{" --retry <num>", {" --retry <num>",
"Retry request if transient problems occur"}, "Retry request if transient problems occur"},
@ -432,6 +434,8 @@ static const struct helptxt helptext[] = {
"Transfer based on a time condition"}, "Transfer based on a time condition"},
{" --tls-max <VERSION>", {" --tls-max <VERSION>",
"Use TLSv1.0 or greater"}, "Use TLSv1.0 or greater"},
{" --tls13-ciphers <list of TLS 1.3 ciphersuites>",
"TLS 1.3 cipher suites to use"},
{" --tlsauthtype <type>", {" --tlsauthtype <type>",
"TLS authentication type"}, "TLS authentication type"},
{" --tlspassword", {" --tlspassword",

View File

@ -1216,6 +1216,13 @@ static CURLcode operate_do(struct GlobalConfig *global,
my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST, my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
config->proxy_cipher_list); config->proxy_cipher_list);
if(config->cipher13_list)
my_setopt_str(curl, CURLOPT_TLS13_CIPHERS, config->cipher13_list);
if(config->proxy_cipher13_list)
my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
config->proxy_cipher13_list);
/* new in libcurl 7.9.2: */ /* new in libcurl 7.9.2: */
if(config->disable_epsv) if(config->disable_epsv)
/* disable it */ /* disable it */