Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS.
curl: added --tls13-ciphers and --proxy-tls13-ciphers
Fixes #2435
Reported-by: zzq1015 on github
Closes #2607
`ECDHE-RSA-CAMELLIA128-SHA256`
`ECDHE-RSA-CAMELLIA256-SHA384`
+### TLS 1.3 cipher suites
+
+(Note: the TLS 1.3 cipher suites are set with a separate option.)
+
+`TLS13-AES-256-GCM-SHA384`
+`TLS13-CHACHA20-POLY1305-SHA256`
+`TLS13-AES-128-GCM-SHA256`
+`TLS13-AES-128-CCM-8-SHA256`
+`TLS13-AES-128-CCM-SHA256`
+
## NSS
### Totally insecure
tlsv1.3.d tlsv1.d trace-ascii.d trace.d trace-time.d tr-encoding.d \
unix-socket.d upload-file.d url.d use-ascii.d user-agent.d user.d \
verbose.d version.d write-out.d xattr.d request-target.d \
- styled-output.d
+ styled-output.d tls13-ciphers.d proxy-tls13-ciphers.d
OTHERPAGES = page-footer page-header
--- /dev/null
+Long: proxy-tls13-ciphers
+Arg: <ciphersuite list>
+help: TLS 1.3 proxy cipher suites
+Protocols: TLS
+---
+Specifies which cipher suites to use in the connection to your HTTPS proxy
+when it negotiates TLS 1.3. The list of ciphers suites must specify valid
+ciphers. Read up on TLS 1.3 cipher suite details on this URL:
+
+ https://curl.haxx.se/docs/ssl-ciphers.html
+
+If this option is used several times, the last one will be used.
--- /dev/null
+Long: tls13-ciphers
+Arg: <list of TLS 1.3 ciphersuites>
+help: TLS 1.3 cipher suites to use
+Protocols: TLS
+---
+Specifies which cipher suites to use in the connection if it negotiates TLS
+1.3. The list of ciphers suites must specify valid ciphers. Read up on TLS 1.3
+cipher suite details on this URL:
+
+ https://curl.haxx.se/docs/ssl-ciphers.html
+
+If this option is used several times, the last one will be used.
Ciphers to use. See \fICURLOPT_SSL_CIPHER_LIST(3)\fP
.IP CURLOPT_PROXY_SSL_CIPHER_LIST
Proxy ciphers to use. See \fICURLOPT_PROXY_SSL_CIPHER_LIST(3)\fP
+.IP CURLOPT_TLS13_CIPHERS
+TLS 1.3 cipher suites to use. See \fICURLOPT_TLS13_CIPHERS(3)\fP
+.IP CURLOPT_PROXY_TLS13_CIPHERS
+Proxy TLS 1.3 cipher suites to use. See \fICURLOPT_PROXY_TLS13_CIPHERS(3)\fP
.IP CURLOPT_SSL_SESSIONID_CACHE
Disable SSL session-id cache. See \fICURLOPT_SSL_SESSIONID_CACHE(3)\fP
.IP CURLOPT_SSL_OPTIONS
--- /dev/null
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_PROXY_TLS13_CIPHERS 3 "25 May 2018" "libcurl 7.61.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_PROXY_TLS13_CIPHERS \- ciphers suites for proxy TLS 1.3
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_TLS13_CIPHERS, char *list);
+.SH DESCRIPTION
+Pass a char *, pointing to a zero terminated string holding the list of cipher
+suites to use for the TLS 1.3 connection to a proxy. The list must be
+syntactically correct, it consists of one or more cipher suite strings
+separated by colons.
+
+You'll find more details about cipher lists on this URL:
+
+ https://curl.haxx.se/docs/ssl-ciphers.html
+
+The application does not have to keep the string around after setting this
+option.
+.SH DEFAULT
+NULL, use internal default
+.SH PROTOCOLS
+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+ curl_easy_setopt(curl, CURLOPT_PROXY_TLS13_CIPHERS,
+ "TLS13-CHACHA20-POLY1305-SHA256");
+ ret = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in 7.61.0.
+Available when built with OpenSSL >= 1.1.1.
+.SH RETURN VALUE
+Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise.
+.SH "SEE ALSO"
+.BR CURLOPT_SSLVERSION "(3), " CURLOPT_TLS13_CIPHERS "(3), "
--- /dev/null
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_TLS13_CIPHERS 3 "25 May 2018" "libcurl 7.61.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_TLS13_CIPHERS \- specify ciphers suites to use for TLS 1.3
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_TLS13_CIPHERS, char *list);
+.SH DESCRIPTION
+Pass a char *, pointing to a zero terminated string holding the list of cipher
+suites to use for the TLS 1.3 connection. The list must be syntactically
+correct, it consists of one or more cipher suite strings separated by colons.
+
+You'll find more details about cipher lists on this URL:
+
+ https://curl.haxx.se/docs/ssl-ciphers.html
+
+The application does not have to keep the string around after setting this
+option.
+.SH DEFAULT
+NULL, use internal default
+.SH PROTOCOLS
+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+ curl_easy_setopt(curl, CURLOPT_TLS13_CIPHERS,
+ "TLS13-CHACHA20-POLY1305-SHA256");
+ ret = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in 7.61.0.
+Available when built with OpenSSL >= 1.1.1.
+.SH RETURN VALUE
+Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise.
+.SH "SEE ALSO"
+.BR CURLOPT_SSLVERSION "(3), " CURLOPT_PROXY_TLS13_CIPHERS "(3), "
CURLOPT_PROXY_SSL_OPTIONS.3 \
CURLOPT_PROXY_SSL_VERIFYHOST.3 \
CURLOPT_PROXY_SSL_VERIFYPEER.3 \
+ CURLOPT_PROXY_TLS13_CIPHERS.3 \
CURLOPT_PROXY_TLSAUTH_PASSWORD.3 \
CURLOPT_PROXY_TLSAUTH_TYPE.3 \
CURLOPT_PROXY_TLSAUTH_USERNAME.3 \
CURLOPT_TIMEOUT_MS.3 \
CURLOPT_TIMEVALUE.3 \
CURLOPT_TIMEVALUE_LARGE.3 \
+ CURLOPT_TLS13_CIPHERS.3 \
CURLOPT_TLSAUTH_PASSWORD.3 \
CURLOPT_TLSAUTH_TYPE.3 \
CURLOPT_TLSAUTH_USERNAME.3 \
CURLE_QUOTE_ERROR 7.17.0
CURLE_RANGE_ERROR 7.17.0
CURLE_READ_ERROR 7.1
-CURLE_RECV_ERROR 7.10
CURLE_RECURSIVE_API_CALL 7.59.0
+CURLE_RECV_ERROR 7.10
CURLE_REMOTE_ACCESS_DENIED 7.17.0
CURLE_REMOTE_DISK_FULL 7.17.0
CURLE_REMOTE_FILE_EXISTS 7.17.0
CURLOPT_PROXY_SSL_OPTIONS 7.52.0
CURLOPT_PROXY_SSL_VERIFYHOST 7.52.0
CURLOPT_PROXY_SSL_VERIFYPEER 7.52.0
+CURLOPT_PROXY_TLS13_CIPHERS 7.61.0
CURLOPT_PROXY_TLSAUTH_PASSWORD 7.52.0
CURLOPT_PROXY_TLSAUTH_TYPE 7.52.0
CURLOPT_PROXY_TLSAUTH_USERNAME 7.52.0
CURLOPT_REFERER 7.1
CURLOPT_REQUEST_TARGET 7.55.0
CURLOPT_RESOLVE 7.21.3
+CURLOPT_RESOLVER_START_DATA 7.59.0
+CURLOPT_RESOLVER_START_FUNCTION 7.59.0
CURLOPT_RESUME_FROM 7.1
CURLOPT_RESUME_FROM_LARGE 7.11.0
CURLOPT_RTSPHEADER 7.20.0
CURLOPT_TIMEOUT_MS 7.16.2
CURLOPT_TIMEVALUE 7.1
CURLOPT_TIMEVALUE_LARGE 7.59.0
+CURLOPT_TLS13_CIPHERS 7.61.0
CURLOPT_TLSAUTH_PASSWORD 7.21.4
CURLOPT_TLSAUTH_TYPE 7.21.4
CURLOPT_TLSAUTH_USERNAME 7.21.4
CURLOPT_TRANSFERTEXT 7.1.1
CURLOPT_TRANSFER_ENCODING 7.21.6
-CURLOPT_RESOLVER_START_FUNCTION 7.59.0
-CURLOPT_RESOLVER_START_DATA 7.59.0
CURLOPT_UNIX_SOCKET_PATH 7.40.0
CURLOPT_UNRESTRICTED_AUTH 7.10.4
CURLOPT_UPLOAD 7.1
/* shuffle addresses before use when DNS returns multiple */
CINIT(DNS_SHUFFLE_ADDRESSES, LONG, 275),
+ /* Specify which TLS 1.3 ciphers suites to use */
+ CINIT(TLS13_CIPHERS, STRINGPOINT, 276),
+ CINIT(PROXY_TLS13_CIPHERS, STRINGPOINT, 277),
+
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;
va_arg(param, char *));
break;
+ case CURLOPT_TLS13_CIPHERS:
+ if(Curl_ssl_tls13_ciphersuites()) {
+ /* set preferred list of TLS 1.3 cipher suites */
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG],
+ va_arg(param, char *));
+ }
+ else
+ return CURLE_NOT_BUILT_IN;
+ break;
+ case CURLOPT_PROXY_TLS13_CIPHERS:
+ if(Curl_ssl_tls13_ciphersuites()) {
+ /* set preferred list of TLS 1.3 cipher suites for proxy */
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_PROXY],
+ va_arg(param, char *));
+ }
+ else
+ return CURLE_NOT_BUILT_IN;
+ break;
+
case CURLOPT_RANDOM_FILE:
/*
* This is the path name to a file that contains random data to seed
char *random_file; /* path to file containing "random" data */
char *egdsocket; /* path to file containing the EGD daemon socket */
char *cipher_list; /* list of ciphers to use */
+ char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
};
struct ssl_config_data {
STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
+ STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */
+ STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */
STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */
STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */
STRING_USERAGENT, /* User-Agent string */
#define HAVE_KEYLOG_CALLBACK
#endif
+/* Whether SSL_CTX_set_ciphersuites is available.
+ * OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
+ * BoringSSL: no
+ * LibreSSL: no
+ */
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
+ !defined(LIBRESSL_VERSION_NUMBER) && \
+ !defined(OPENSSL_IS_BORINGSSL))
+#define HAVE_SSL_CTX_SET_CIPHERSUITES
+#endif
+
#if defined(LIBRESSL_VERSION_NUMBER)
#define OSSL_PACKAGE "LibreSSL"
#elif defined(OPENSSL_IS_BORINGSSL)
infof(data, "Cipher selection: %s\n", ciphers);
}
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+ {
+ char *ciphers13 = SSL_CONN_CONFIG(cipher_list13);
+ if(ciphers13) {
+ if(!SSL_CTX_set_ciphersuites(BACKEND->ctx, ciphers13)) {
+ failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers);
+ return CURLE_SSL_CIPHER;
+ }
+ infof(data, "TLS 1.3 cipher selection: %s\n", ciphers13);
+ }
+ }
+#endif
+
#ifdef USE_TLS_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP) {
char * const ssl_username = SSL_SET_OPTION(username);
return Curl_ssl->false_start();
}
+/*
+ * Check whether the SSL backend supports setting TLS 1.3 cipher suites
+ */
+bool Curl_ssl_tls13_ciphersuites(void)
+{
+ return Curl_ssl->supports & SSLSUPP_TLS13_CIPHERSUITES;
+}
+
/*
* Default implementations for unsupported functions.
*/
#define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */
#define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */
#define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */
+#define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */
struct Curl_ssl {
/*
CURLcode Curl_none_set_engine_default(struct Curl_easy *data);
struct curl_slist *Curl_none_engines_list(struct Curl_easy *data);
bool Curl_none_false_start(void);
+bool Curl_ssl_tls13_ciphersuites(void);
CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
unsigned char *md5sum, size_t md5len);
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
-#else
+#else /* if not USE_SSL */
/* When SSL support is not present, just define away these function calls */
#define Curl_ssl_init() 1
#define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
#define Curl_ssl_cert_status_request() FALSE
#define Curl_ssl_false_start() FALSE
+#define Curl_ssl_tls13_ciphersuites() FALSE
#endif
#endif /* HEADER_CURL_VTLS_H */
struct getout *url_ul; /* point to the node to fill in upload */
char *cipher_list;
char *proxy_cipher_list;
+ char *cipher13_list;
+ char *proxy_cipher13_list;
char *cert;
char *proxy_cert;
char *cert_type;
{"11", "tlsv1.1", ARG_NONE},
{"12", "tlsv1.2", ARG_NONE},
{"13", "tlsv1.3", ARG_NONE},
+ {"1A", "tls13-ciphers", ARG_STRING},
+ {"1B", "proxy-tls13-ciphers", ARG_STRING},
{"2", "sslv2", ARG_NONE},
{"3", "sslv3", ARG_NONE},
{"4", "ipv4", ARG_NONE},
/* TLS version 1.3 */
config->ssl_version = CURL_SSLVERSION_TLSv1_3;
break;
+ case 'A': /* --tls13-ciphers */
+ GetStr(&config->cipher13_list, nextarg);
+ break;
+ case 'B': /* --proxy-tls13-ciphers */
+ GetStr(&config->proxy_cipher13_list, nextarg);
+ break;
}
break;
case '2':
"Put the post data in the URL and use GET"},
{"-g, --globoff",
"Disable URL sequences and ranges using {} and []"},
- {" --happy-eyeballs-timeout-ms",
+ {" --happy-eyeballs-timeout-ms <milliseconds>",
"How long to wait in milliseconds for IPv6 before trying IPv4"},
- {"-I, --head",
- "Show document info only"},
{" --haproxy-protocol",
"Send HAProxy PROXY protocol v1 header"},
+ {"-I, --head",
+ "Show document info only"},
{"-H, --header <header/@file>",
"Pass custom header(s) to server"},
{"-h, --help",
{" --proxy-cert <cert[:passwd]>",
"Set client certificate for proxy"},
{" --proxy-cert-type <type>",
- "Client certificate type for HTTS proxy"},
+ "Client certificate type for HTTPS proxy"},
{" --proxy-ciphers <list>",
"SSL ciphers to use for proxy"},
{" --proxy-crlfile <file>",
"SPNEGO proxy service name"},
{" --proxy-ssl-allow-beast",
"Allow security flaw for interop for HTTPS proxy"},
+ {" --proxy-tls13-ciphers <ciphersuite list>",
+ "TLS 1.3 proxy cipher suites"},
{" --proxy-tlsauthtype <type>",
"TLS authentication type for HTTPS proxy"},
{" --proxy-tlspassword <string>",
{" --proxy1.0 <host[:port]>",
"Use HTTP/1.0 proxy on given port"},
{"-p, --proxytunnel",
- "Operate through a HTTP proxy tunnel (using CONNECT)"},
+ "Operate through an HTTP proxy tunnel (using CONNECT)"},
{" --pubkey <key>",
"SSH Public key file name"},
{"-Q, --quote",
"Specify request command to use"},
{" --request-target",
"Specify the target for this request"},
- {" --resolve <host:port:address>",
+ {" --resolve <host:port:address[,address]...>",
"Resolve the host+port to this address"},
{" --retry <num>",
"Retry request if transient problems occur"},
"Transfer based on a time condition"},
{" --tls-max <VERSION>",
"Use TLSv1.0 or greater"},
+ {" --tls13-ciphers <list of TLS 1.3 ciphersuites>",
+ "TLS 1.3 cipher suites to use"},
{" --tlsauthtype <type>",
"TLS authentication type"},
{" --tlspassword",
my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
config->proxy_cipher_list);
+ if(config->cipher13_list)
+ my_setopt_str(curl, CURLOPT_TLS13_CIPHERS, config->cipher13_list);
+
+ if(config->proxy_cipher13_list)
+ my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
+ config->proxy_cipher13_list);
+
/* new in libcurl 7.9.2: */
if(config->disable_epsv)
/* disable it */
projects / curl / commitdiff