Re: When will we make TLS 1.3 support a mandatory requirement?
From: Dave Cottlehuber via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 08 Mar 2024 07:28:53 +0000
On Thu, 7 Mar 2024, at 08:15, Daniel Stenberg via curl-library wrote:
> Hello,
>
> The TLS 1.3 spec (RFC 8446) was published in August 2018. Over five years ago.
>
> According to radar.cloudflare.com about 93.8% of TLS-using Internet traffic is
> now using TLS 1.3 (or QUIC, which uses TLS 1.3 internally).
>
> At the same time, *three* of the libraries that curl supports do not do TLS
> 1.3 (together with curl): mbedTLS, BearSSL and Secure Transport. Libraries
> that seem to be a little "stuck in the past". I'm not sure if it is a valid
> concern, but if they don't even keep up with a five year old TLS version bump
> that is used widely, what else are they not keeping up with?
>
> I am aware that there are quite a few users using curl with those libraries.
> But maybe they should not?
Personally I agree with your position, but I can't help but imagine a lot of
small software projects having conniptions if they've spent 5 years using
library X only to find out that it's not supported in the future.

Perhaps it's worth asking those library authors directly how they're handling
keeping up with modern TLS, and also what their position might be if the World's
Most Popular Library(tm) rug-pulled their support?

I expect their most plausible commercial step would be *not* to upgrade
libcurl, better to preserve compatibility, which would overall not be a win
for security and reliability of libcurl and friends.

A+
Dave
Received on 2024-03-08