Ensure TLS 1.3 works with GnuTLS #5223
Conversation
When SRP is requested in the priority string, GnuTLS will disable support for TLS 1.3. Before this change, curl would always add +SRP to the priority list, effectively always disabling TLS 1.3 support. With this change, +SRP is only added to the priority list when SRP authentication is also requested. This also allows updating the error handling here to not have to retry without SRP. This is because SRP is only added when requested and in that case a retry is not needed.
I originally discovered this problem while trying to debug why git on the upcoming Ubuntu 20.04 release was only connecting over TLS 1.2 to GitHub.com, even though GitHub.com supports TLS 1.3. Ubuntu compiles with OpenSSL normally for the command line curl, where TLS 1.3 worked fine, but it didn't for the GnuTLS library version that is also provided and used by git.
rc = gnutls_priority_set_direct(session, prioritysrp, &err);
free(prioritysrp);

if((rc == GNUTLS_E_INVALID_REQUEST) && err) {
  infof(data, "This GnuTLS does not support SRP\n");
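Review bot: err, when GnuTLS sets it, points into the priority string prioritysrp, which is freed on the line directly before this check; the check itself only tests err for NULL, which is safe, but make sure no later error path dereferences or prints err after that free, or move free(prioritysrp) below the last use of err.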
I've kept this message here so it's shown in the same circumstances, but now only when SRP is explicitly requested.
Running this locally against a TLS 1.3 only site:
Missed adding a link to the GnuTLS documentation where it's stated that requesting SRP will disable TLS 1.3: https://www.gnutls.org/manual/gnutls.html#Authentication-using-SRP
Thanks!
Building using cmake got an issue in testing:

```
[043] box-tap/curlgh-5223-curl-exports.test.lua                [ fail ]
[043] Test failed! Output from reject file box-tap/curlgh-5223-curl-exports.reject:
[043]
[043] Last 15 lines of Tarantool Log file [Instance "app_server"][/build/usr/src/debug/tarantool-2.6.0.54/test/var/043_box-tap/curlgh-5223-curl-exports.test.lua.tarantool.log]:
[043] LuajitError: ...tool-2.6.0.54/test/box-tap/curlgh-5223-curl-exports.test.lua:57: tarantool: undefined symbol: curl_version_info
```

It happened because curl used visibility hiding mode for its symbols and the test could not use it. To fix it, symbol hiding is disabled for gcc. Closes tarantool/tarantool#5268

Building using cmake got an issue in testing:

```
[043] box-tap/curlgh-5223-curl-exports.test.lua                [ fail ]
[043] Test failed! Output from reject file box-tap/curlgh-5223-curl-exports.reject:
[043]
[043] Last 15 lines of Tarantool Log file [Instance "app_server"][/build/usr/src/debug/tarantool-2.6.0.54/test/var/043_box-tap/curlgh-5223-curl-exports.test.lua.tarantool.log]:
[043] LuajitError: ...tool-2.6.0.54/test/box-tap/curlgh-5223-curl-exports.test.lua:57: tarantool: undefined symbol: curl_version_info
```

It happened because curl used visibility hiding mode for its symbols and the test could not use it. To fix it, symbol hiding is disabled for gcc and clang. Closes tarantool/tarantool#5268