mirror of
https://github.com/moparisthebest/curl
synced 2024-11-15 14:05:03 -05:00
TODO: forbid TLS post-handshake auth and do TLS record padding
Closes #5396 Closes #5398
parent
17b1405b20
commit
5646e563ae
31
docs/TODO
@ -109,9 +109,11 @@
|
|||||||
13.6 Provide callback for cert verification
|
13.6 Provide callback for cert verification
|
||||||
13.7 improve configure --with-ssl
|
13.7 improve configure --with-ssl
|
||||||
13.8 Support DANE
|
13.8 Support DANE
|
||||||
|
13.9 TLS record padding
|
||||||
13.10 Support Authority Information Access certificate extension (AIA)
|
13.10 Support Authority Information Access certificate extension (AIA)
|
||||||
13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
|
13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
|
||||||
13.12 Support HSTS
|
13.12 Support HSTS
|
||||||
|
13.13 Make sure we forbid TLS 1.3 post-handshake authentication
|
||||||
13.14 Support the clienthello extension
|
13.14 Support the clienthello extension
|
||||||
|
|
||||||
14. GnuTLS
|
14. GnuTLS
|
||||||
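Review bot: the new index entry 13.13, "Make sure we forbid TLS 1.3 post-handshake authentication", reads as a rule for every TLS 1.3 connection, while the section body added later in this patch ties the requirement to HTTP/2 via RFC 8740. Consider putting the scope in the title and shortening it to match the neighbouring entries ("Support DANE", "TLS record padding"), for example "Forbid TLS 1.3 post-handshake auth with HTTP/2". The section heading further down would need the same change so the index and body stay in sync.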
@ -744,6 +746,14 @@ that doesn't exist on the server, just like --ftp-create-dirs.
|
|||||||
Björn Stenberg wrote a separate initial take on DANE that was never
|
Björn Stenberg wrote a separate initial take on DANE that was never
|
||||||
completed.
|
completed.
|
||||||
|
|
||||||
|
13.9 TLS record padding
|
||||||
|
|
||||||
|
TLS (1.3) offers optional record padding and OpenSSL provides an API for it.
|
||||||
|
I could make sense for libcurl to offer this ability to applications to make
|
||||||
|
traffic patterns harder to figure out by network traffic observers.
|
||||||
|
|
||||||
|
See https://github.com/curl/curl/issues/5398
|
||||||
|
|
||||||
13.10 Support Authority Information Access certificate extension (AIA)
|
13.10 Support Authority Information Access certificate extension (AIA)
|
||||||
|
|
||||||
AIA can provide various things like CRLs but more importantly information
|
AIA can provide various things like CRLs but more importantly information
|
||||||
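Review bot: typo in the second added sentence of 13.9: "I could make sense for libcurl" should be "It could make sense for libcurl". The entry also says OpenSSL provides an API for record padding without naming it. Naming the API, and saying whether this would be exposed as a new libcurl option, would let a reader act on the TODO without opening issue 5398.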
@ -759,23 +769,30 @@ that doesn't exist on the server, just like --ftp-create-dirs.
|
|||||||
|
|
||||||
CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root
|
CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root
|
||||||
certificates when comparing the pinned keys. Therefore it is not compatible
|
certificates when comparing the pinned keys. Therefore it is not compatible
|
||||||
with "HTTP Public Key Pinning" as there also intermediate and root certificates
|
with "HTTP Public Key Pinning" as there also intermediate and root
|
||||||
can be pinned. This is very useful as it prevents webadmins from "locking
|
certificates can be pinned. This is very useful as it prevents webadmins from
|
||||||
themself out of their servers".
|
"locking themself out of their servers".
|
||||||
|
|
||||||
Adding this feature would make curls pinning 100% compatible to HPKP and allow
|
Adding this feature would make curls pinning 100% compatible to HPKP and
|
||||||
more flexible pinning.
|
allow more flexible pinning.
|
||||||
|
|
||||||
13.12 Support HSTS
|
13.12 Support HSTS
|
||||||
|
|
||||||
"HTTP Strict Transport Security" is TOFU (trust on first use), time-based
|
"HTTP Strict Transport Security" is TOFU (trust on first use), time-based
|
||||||
features indicated by a HTTP header send by the webserver. It is widely used
|
features indicated by a HTTP header send by the webserver. It is widely used
|
||||||
in browsers and it's purpose is to prevent insecure HTTP connections after
|
in browsers and it's purpose is to prevent insecure HTTP connections after a
|
||||||
a previous HTTPS connection. It protects against SSLStripping attacks.
|
previous HTTPS connection. It protects against SSLStripping attacks.
|
||||||
|
|
||||||
Doc: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
|
Doc: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
|
||||||
RFC 6797: https://tools.ietf.org/html/rfc6797
|
RFC 6797: https://tools.ietf.org/html/rfc6797
|
||||||
|
|
||||||
|
13.13 Make sure we forbid TLS 1.3 post-handshake authentication
|
||||||
|
|
||||||
|
RFC 8740 explains how using HTTP/2 must forbid the use of TLS 1.3
|
||||||
|
post-handshake authentication. We should make sure to live up to that.
|
||||||
|
|
||||||
|
See https://github.com/curl/curl/issues/5396
|
||||||
|
|
||||||
13.14 Support the clienthello extension
|
13.14 Support the clienthello extension
|
||||||
|
|
||||||
Certain stupid networks and middle boxes have a problem with SSL handshake
|
Certain stupid networks and middle boxes have a problem with SSL handshake
|
||||||
|
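Review bot: in the new 13.13 text, "We should make sure to live up to that" does not say what has to be checked or when the item can be considered done. Suggest stating the concrete condition, for instance that post-handshake authentication is never enabled on a connection where HTTP/2 is negotiated, and which TLS libraries still need to be verified against it. Separately, this hunk re-wraps the 13.11 and 13.12 paragraphs but carries their wording over unchanged: "themself", "curls pinning", "send by the webserver" and "it's purpose" could be corrected while the lines are being touched, or the re-wrap could go in its own commit so that this one shows only the two new entries.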