RE: http.sslVersion only specifies minimum TLS version, later versions are allowed

On May 3, 2021 4:46 PM, Jeff King wrote:
>On Mon, May 03, 2021 at 03:02:10PM +0000, Daniel Carpenter wrote:
>
>> > Just looking at how the curl binary does it, "--tlsv1.2" means "1.2
>> > or greater" (which is not at all surprising; the library interface
>> > tends to mirror their command-line and vice versa, and our behavior
>> > is influenced by the library interface here).  But that implies to
>> > me that curl folks considered this and thought the "or greater"
>> > behavior was useful (which makes sense -- the main goal is probably
>> > to avoid insecurities in older versions of the protocol).
>> >
>> > Anyway, the binary also has --tls-max for capping the maximum version.
>> > That seems more flexible in general than "use this version exactly"
>> > (if you only care that 1.3 is broken, then setting "max=1.2" lets
>> > you talk to servers that support 1.1 or 1.2).
>> >
>> > -Peff
>>
>> I agree that the current behaviour is better for most users, and that
>> some kind of separate "max" config option would work for anyone in my
>> situation.
>>
>> Another idea would be to keep the current behaviour for
>> `http.sslVersion`, but use an exact match with the environment
>> variable only. That already takes priority, and I imagine its main
>> appeal over the config option is for users that want to try something
>> with a specific TLS version.
>
>I think you're right that it may work for many people, but I'd shy away from it
>simply because it's subtle and hard to explain.
>
>Adding config and environment variables for "max" is pretty straight-forward to
>explain. I think it would also make sense to improve the documentation for
>http.sslVersion to make it clear that this is a minimum (the current wording is
>quite misleading).

What if http.sslVersion=v1[,v2]... were supported, so there would be an enumeration of allowed versions. The benefit of an enumeration is that you could force something like 3.0-fips if your environment requires a FIPS-certified version for communication. Admittedly this is a different use case than discussed above.

Just a thought.

Randall
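The two semantics discussed in this thread, the current "floor" behaviour of http.sslVersion (which mirrors curl's CURLOPT_SSLVERSION) and the enumeration proposed above, are easy to confuse, so here is a small model of both as an added example. It is not code from the thread, from git, or from curl. The version names are the ones git accepts for http.sslVersion; the rank ordering, the treatment of "tlsv1" as an alias of "tlsv1.0", the function names and the sample values are assumptions of this example. The one point it shows that the prose does not is that curl's option can only express a contiguous minimum/maximum range, so an enumeration with a gap has no exact curl equivalent.

```python
"""Model two semantics for git's http.sslVersion:

  * today's behaviour: the value is a floor ("tlsv1.2" means 1.2 or later),
    mirroring curl's CURLOPT_SSLVERSION;
  * a hypothetical enumeration http.sslVersion=v1[,v2]... listing exactly the
    versions that may be negotiated.

Added example, not git or curl code.  Version names are the ones git accepts
for http.sslVersion; the rank order, the alias handling and the function names
are assumptions of this example.
"""

# Protocol versions from oldest to newest.  "tlsv1" is treated here as an
# alias of "tlsv1.0" (assumption; in git it selects curl's "TLS 1.x" constant).
RANK = {
    "sslv2": 0, "sslv3": 1,
    "tlsv1": 2, "tlsv1.0": 2,
    "tlsv1.1": 3, "tlsv1.2": 4, "tlsv1.3": 5,
}
NAME = {0: "sslv2", 1: "sslv3", 2: "tlsv1.0", 3: "tlsv1.1", 4: "tlsv1.2", 5: "tlsv1.3"}

# Versions that should not be negotiated at all: SSLv2, SSLv3, TLS 1.0 and
# TLS 1.1 are formally deprecated (RFC 6176, RFC 7568, RFC 8996).
DEPRECATED = {0, 1, 2, 3}


def parse_versions(value):
    """Parse "tlsv1.2" or "tlsv1.2,tlsv1.3" into a sorted list of ranks.

    Raises ValueError on an unknown name, as git does for a bad http.sslVersion.
    """
    ranks = set()
    for item in value.split(","):
        name = item.strip().lower()
        if name not in RANK:
            raise ValueError(f"unknown SSL/TLS version {name!r}")
        ranks.add(RANK[name])
    if not ranks:
        raise ValueError("empty version list")
    return sorted(ranks)


def allowed_as_minimum(config_value, negotiated):
    """Current semantics: a single value is a floor; later versions pass."""
    floor = parse_versions(config_value)
    if len(floor) != 1:
        raise ValueError("http.sslVersion takes a single value today")
    return RANK[negotiated.lower()] >= floor[0]


def allowed_as_enumeration(config_value, negotiated):
    """Proposed semantics: only the listed versions are acceptable."""
    return RANK[negotiated.lower()] in parse_versions(config_value)


def to_curl_range(config_value):
    """Translate an enumeration into a curl-style (minimum, maximum) pair.

    curl's CURLOPT_SSLVERSION expresses a floor plus an optional
    CURL_SSLVERSION_MAX_* ceiling, i.e. one contiguous range.  A list with a
    gap (e.g. "tlsv1.1,tlsv1.3") has no exact curl equivalent, so return None
    instead of silently widening it.
    """
    ranks = parse_versions(config_value)
    lo, hi = ranks[0], ranks[-1]
    if ranks != list(range(lo, hi + 1)):
        return None
    return NAME[lo], NAME[hi]


def deprecated_versions(config_value):
    """Names in the list that a reviewer would flag as deprecated."""
    return [NAME[r] for r in parse_versions(config_value) if r in DEPRECATED]


if __name__ == "__main__":
    # Constructed sample values for a quick demonstration.
    print(allowed_as_minimum("tlsv1.2", "tlsv1.3"))      # True: a floor, not an exact match
    print(allowed_as_enumeration("tlsv1.2", "tlsv1.3"))  # False: exact match only
    print(to_curl_range("tlsv1.1,tlsv1.2"))             # ('tlsv1.1', 'tlsv1.2')
    print(to_curl_range("tlsv1.1,tlsv1.3"))             # None: gap, not expressible
    print(deprecated_versions("tlsv1,tlsv1.2"))          # ['tlsv1.0']
```

The practical takeaway for anyone configuring git today is the first line of the demonstration: with the existing option, setting tlsv1.2 still permits a TLS 1.3 handshake, and pinning a single version needs a separate maximum, which is what curl's --tls-max and the "max" config idea in this thread provide.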



