New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
--tls-max 1.1
should imply --http1.1
#8235
Comments
I acknowledge that curl allows any TLS version with HTTP/2. It does however usually require that you as a user select to go that route, meaning that you decided to do something differently. I don't see the harm in curl allowing this. Also, TLS < 1.2 is destined to vanish from the internet soon enough, which might just be another reason why putting effort into enforcing this might not be worth it. |
Yeah, I'm not suggesting that you ignore the |
A further aspect of this is that if a server configured to only support TLS 1.1 improperly negotiates H/2 (e.g. as the latest version of nginx will) then curl will go along with it. Not sure what the "correct" behaviour here should be, given that the other side is misbehaving, but maybe a warning?
|
libcurl doesn't really have any warning system. It just has the verbose messages, and in a case like this libcurl is already talking a lot of verbose messages so saying "ALERT: HTTP/2 connection using < TLS 1.2" I doubt many users will care, if even notice at all. I would not object to such a line though. Perhaps that's even the best we can do about this. We don't have any existing good ways to insist on TLS 1.2 for HTTP/2 in libcurl right now, as the protocols are fairly independent. We don't even know if HTTP/2 is going to be used until after the TLS handshake, so basically the only action we have would be to force-close such a connection and retry it again with a raised minimum TLS requirement. And if it negotiated TLS < 1.2 in the first place, chances are it will fail in a subsequent 1.2 attempt. Is that going to make anyone happier? I mean apart from perhaps someone reading the HTTP/2 spec and checking off compliance check-marks? Maybe the best "fix" for now is to simply document that we don't enforce this requirement. We could of course insist on using < HTTP/2 when TLS < 1.2 is asked for. Will this make any users happier? |
Both for --http2 and CURLOPT_HTTP_VERSION. Reported-by: jhoyla on github Fixes #8235
Both for --http2 and CURLOPT_HTTP_VERSION. Reported-by: jhoyla on github Fixes #8235
According to the H/2 spec H/2 MUST use TLS 1.2 or higher:
https://datatracker.ietf.org/doc/html/rfc7540#section-9.2
However if I run:
curl offers h2 in the ALPN.
--tls-max 1.1
should imply--http1.1
This is something of the inverse of Issue #7980 and TODO 5.7
The text was updated successfully, but these errors were encountered: