When will we make TLS 1.3 support a mandatory requirement?
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 7 Mar 2024 09:15:27 +0100 (CET)

Hello,

The TLS 1.3 spec (RFC 8446) was published in August 2018. Over five years ago.
According to radar.cloudflare.com about 93.8% of TLS-using Internet traffic is
now using TLS 1.3 (or QUIC, which uses TLS 1.3 internally).

At the same time, *three* of the libraries that curl supports do not do TLS
1.3 (together with curl): mbedTLS, BearSSL and Secure Transport. Libraries
that seem to be a little "stuck in the past". I'm not sure if it is a valid
concern, but if they don't even keep up with a five-year-old TLS version bump
that is used widely, what else are they not keeping up with?

I am aware that there are quite a few users using curl with those libraries.
But maybe they should not?

I would like to discuss the possibility that we set a flag day on which we cut
off support for all TLS libraries that do not play TLS 1.3. I don't think it
is urgent, so we can plan ahead, but I think it would be good for the greater
community and for curl and Internet users everywhere. We could for example set
it to end of June 2025 or something to allow everyone plenty of time to act,
react, argue and wave their hands.

Or is it too strict?

--
 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html

Received on 2024-03-07