Re: Suggestion: TLSv1.3 Handshake downgrade detection and protection
From: Dan Fandrich via curl-users <curl-users_at_lists.haxx.se>
Date: Thu, 21 Oct 2021 16:10:43 -0700
On Thu, Oct 21, 2021 at 10:31:38PM +0000, David Hu via curl-users wrote:
> By the way, if curl is specified to negotiate TLSv1.3 but the ServerHello shows it only supports TLSv1.2 or lower AND it contains either of the following bytes, 44 4F 57 4E 47 52 44 01 or 44 4F 57 4E 47 52 44 00, curl should immediately abort the handshake process.
>
> And if a user chooses a lower TLS version than TLSv1.3 while the server supports TLSv1.3, curl should show a warning.
Shouldn't this be handled by the TLS layer? It knows what version it's trying
to negotiate.
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2021-10-22
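The check discussed in this thread, as an added example; it is not code from curl, from any TLS library, or from either poster. It assumes the quoted byte strings sit in the last 8 bytes of ServerHello.random, as RFC 8446 section 4.1.3 defines the downgrade sentinel; `check_downgrade` and `sample_verdict` are hypothetical names, and the sample message is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define RD16(b) ((uint16_t)(((b)[0] << 8) | (b)[1]))
static const uint8_t DOWNGRD[7] = { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };

/* m points at the handshake header of a ServerHello (msg type 0x02).
 * Returns 1 = sentinel seen, abort; 0 = ok; -1 = malformed. */
int check_downgrade(const uint8_t *m, size_t len, uint16_t client_max)
{
    size_t p, end;
    uint16_t negotiated;
    /* type(1) length(3) legacy_version(2) random(32) session_id_len(1) */
    if (len < 39 || m[0] != 0x02) return -1;
    end = 4 + (((size_t)m[1] << 16) | ((size_t)m[2] << 8) | m[3]);
    if (end > len) return -1;
    negotiated = RD16(m + 4);
    p = (size_t)39 + m[38] + 3;  /* skip session_id, cipher_suite, compression */
    if (p > end) return -1;
    if (p + 2 <= end) {          /* extensions are optional below TLS 1.3 */
        size_t ext_end = p + 2 + RD16(m + p);
        if (ext_end > end) return -1;
        for (p += 2; p + 4 <= ext_end; ) {
            uint16_t type = RD16(m + p);
            size_t elen = RD16(m + p + 2);
            p += 4;
            if (elen > ext_end - p) return -1;
            if (type == 0x002b && elen == 2)  /* supported_versions */
                negotiated = RD16(m + p);
            p += elen;
        }
    }
    /* The sentinel is the last 8 bytes of random, i.e. m[30..37]. */
    if (client_max >= 0x0304 && negotiated < 0x0304 &&
        memcmp(m + 30, DOWNGRD, 7) == 0 && m[37] <= 0x01)
        return 1;
    return 0;
}

/* Constructed sample: 42-byte TLS 1.2 ServerHello without extensions. */
int sample_verdict(uint8_t last, uint16_t client_max)
{
    uint8_t o[42];
    memset(o, 0xAA, sizeof o);
    o[0] = 0x02; o[1] = 0; o[2] = 0; o[3] = 38; o[4] = 0x03; o[5] = 0x03;
    memcpy(o + 30, DOWNGRD, 7); o[37] = last;          /* tail of random */
    o[38] = 0; o[39] = 0xC0; o[40] = 0x2F; o[41] = 0;  /* sid_len, suite, comp */
    return check_downgrade(o, sizeof o, client_max);
}
```

The negotiated version is taken from the supported_versions extension when present, because a TLS 1.3 ServerHello carries 0x0303 in legacy_version.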