curl: introduce the --tlsv1.3 option to force TLS 1.3

Fully implemented with the NSS backend only for now.

Reviewed-by: Ray Satiro

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 0917c683a321f683f89102833eef7fb753fa9c81..8f74ff7b2962f1f64af46230c1194322e0723ed6 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -10,6 +10,7 @@ This release includes the following changes:
 
  o nss: map CURL_SSLVERSION_DEFAULT to NSS default
  o vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
+ o curl: introduce the --tlsv1.3 option to force TLS 1.3
  o
 
 This release includes the following bugfixes:

diff --git a/docs/curl.1 b/docs/curl.1
index 9e96d0c98eb20da6b7a3561a22ee644f3d9f81e3..bc0612f0cd39de01c51ccea4cf389bfbfbe3dd5c 100644 (file)
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -176,9 +176,9 @@ HTTP 2 to negotiate HTTP 2 support with the server during https sessions.
 .IP "-1, --tlsv1"
 (SSL)
 Forces curl to use TLS version 1.x when negotiating with a remote TLS server.
-You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to
-control the TLS version more precisely (if the SSL backend in use supports such
-a level of control).
+You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and
+\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend
+in use supports such a level of control).
 .IP "-2, --sslv2"
 (SSL) Forces curl to use SSL version 2 when negotiating with a remote SSL
 server. Sometimes curl is built without SSLv2 support. SSLv2 is widely
@@ -1825,6 +1825,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.
 (SSL)
 Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
 (Added in 7.34.0)
+.IP "--tlsv1.3"
+(SSL)
+Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
+(Added in 7.51.1)
 .IP "--tr-encoding"
 (HTTP) Request a compressed Transfer-Encoding response using one of the
 algorithms curl supports, and uncompress the data while receiving it.

diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 95dd4555f70d9614b845567a437a5f1becffa659..2d16e066d3b6dd632d70fcd53efbd8f41d357385 100644 (file)
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -190,6 +190,7 @@ static const struct LongShort aliases[]= {
   {"10",  "tlsv1.0",                 FALSE},
   {"11",  "tlsv1.1",                 FALSE},
   {"12",  "tlsv1.2",                 FALSE},
+  {"13",  "tlsv1.3",                 FALSE},
   {"2",  "sslv2",                    FALSE},
   {"3",  "sslv3",                    FALSE},
   {"4",  "ipv4",                     FALSE},
@@ -1061,6 +1062,10 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
         /* TLS version 1.2 */
         config->ssl_version = CURL_SSLVERSION_TLSv1_2;
         break;
+      case '3':
+        /* TLS version 1.3 */
+        config->ssl_version = CURL_SSLVERSION_TLSv1_3;
+        break;
       }
       break;
     case '2':

diff --git a/src/tool_help.c b/src/tool_help.c
index fb428c9ca69745ec90aa8ee8db6c57909df10b4e..9890cc83b5b5b08df1596554bb296c1bdc1d1266 100644 (file)
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -232,6 +232,7 @@ static const char *const helptext[] = {
   "     --tlsv1.0       Use TLSv1.0 (SSL)",
   "     --tlsv1.1       Use TLSv1.1 (SSL)",
   "     --tlsv1.2       Use TLSv1.2 (SSL)",
+  "     --tlsv1.3       Use TLSv1.3 (SSL)",
   "     --trace FILE    Write a debug trace to FILE",
   "     --trace-ascii FILE  Like --trace, but without hex output",
   "     --trace-time    Add time stamps to trace/verbose output",

diff --git a/src/tool_setopt.c b/src/tool_setopt.c
index c854225e49fc80ab92352937062d624cdbd42226..f3de09deec3ab07483a34587cb4712be7b5ff358 100644 (file)
--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
@@ -83,6 +83,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
   NV(CURL_SSLVERSION_TLSv1_0),
   NV(CURL_SSLVERSION_TLSv1_1),
   NV(CURL_SSLVERSION_TLSv1_2),
+  NV(CURL_SSLVERSION_TLSv1_3),
   NVEND,
 };