curl-library

Re: TLS 1.3

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Mon, 24 Oct 2016 10:16 +0200

On Friday, October 21, 2016 11:37:04 Daniel Stenberg wrote:
> Hi friends,
>
> TLS 1.3 is approaching fast (it has not yet been finalized but chances are
> that no big changes will be made anymore to the protocol). Firefox 52
> (available as "nightly") enables it by default (powered by NSS) and Chrome
> "canary" is shipping it (enable through "chrome://flags/").
>
> Cloudflare runs TLS 1.3 compliant servers you can try your HTTPS client
> against.
>
> In curl we have not taken any steps toward this yet, but it seems about time
> we do. Using the NSS backend we should be able to run early tests already
> now, and when OpenSSL and others catch up later on we can just bump them up
> one by one as we've done in the past with other TLS features.

By taking steps toward this you mean to introduce the CURL_SSLVERSION_TLSv1_3
constant in curl.h (and the --tlsv1.3 option of curl) and pass it to NSS?

That sounds like a good idea. On the other hand, I would be careful with
enabling it by default because there was already a patch release of NSS to
re-disable TLS 1.3 by default:

    https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.27.1_release_notes

Kamil
Received on 2016-10-24