
TLSv1.3 with Secure Transport fails ...

From: Michael Burns via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 25 Jul 2023 08:18:56 -0700

Hello.

TLS 1.3 does not work with Secure Transport as noted in Apple's
documentation (Ref.1). Are there any plans to transition SSL support for
macOS from Secure Transport to Network Framework?

"TLS clients using the SecureTransport APIs can’t use TLS 1.3."

I verified Apple's assertion by building curl with Secure Transport
locally and attempting a TLS 1.3 connection, which resulted in a TLS 1.2
connection. See the attached tls-test-output.txt and tls-test-trace.txt
files.

I put the execution under a debugger and verified that the call to
SSLSetProtocolVersionMax is failing with a -9830 error
(errSSLIllegalParam). And, looking at the code (Ref.2) for
SSLSetProtocolVersionMax, you can see that it returns errSSLIllegalParam
because the requested version is greater than MAXIMUM_STREAM_VERSION
which is set to TLS_Version_1_2.

There are Federal requirements to support TLS 1.3 by January of 2024
(Ref.3):

"This Special Publication provides guidance to the selection and
configuration of TLS protocol implementations while making effective use
of Federal Information Processing Standards (FIPS) and NIST-recommended
cryptographic algorithms. It requires that TLS 1.2 configured with
FIPS-based cipher suites be supported by all government TLS servers and
clients and requires support for TLS 1.3 by January 1, 2024."

References:
1 - https://support.apple.com/guide/security/tls-security-sec100a75d12/web
2 - https://opensource.apple.com/source/Security/Security-59754.80.3/OSX/libsecurity_ssl/lib/sslContext.c.auto.html
3 - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf


Received on 2023-07-25