Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Re: Time to deprecate TLS 1.0 and 1.1 ?
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Christian Schmitz via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 11 Jul 2025 08:07:41 +0200
> On 10. Jul 2025, at 23:23, Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se> wrote:
>
> Right,
>
> For all reasons, see RFC 8996 => https://datatracker.ietf.org/doc/html/rfc8996
> 2. We give everyone six more months to adapt, protest or similar and then in
> March 2026 we make libcurl return error if asked to use anything lower than
> 1.2
There may be plenty of old code around, that explicitly puts in CURL_SSLVERSION_TLSv1_0 or CURL_SSLVERSION_TLSv1_1.
From a time where we had SSL v3 as default and we wanted to get better TLS 1.0 or 1.1.
I would suggest to allow it, output a warning in the debug log "TLS 1.0 no longer available, using TLS 1.3 instead." and switch to TLS 1.3.
If some old code requests CURL_SSLVERSION_TLSv1_0 or CURL_SSLVERSION_TLSv1_1, you handle it like CURL_SSLVERSION_TLSv1 and use 1.3 with 1.2 as fallback.
Greetings
Christian
—
See you at the EngageU conference
9th to 11th November 2025 in Antwerpen, Belgium
https://engageu.eu/
Date: Fri, 11 Jul 2025 08:07:41 +0200
> On 10. Jul 2025, at 23:23, Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se> wrote:
>
> Right,
>
> For all reasons, see RFC 8996 => https://datatracker.ietf.org/doc/html/rfc8996
> 2. We give everyone six more months to adapt, protest or similar and then in
> March 2026 we make libcurl return error if asked to use anything lower than
> 1.2
There may be plenty of old code around, that explicitly puts in CURL_SSLVERSION_TLSv1_0 or CURL_SSLVERSION_TLSv1_1.
From a time where we had SSL v3 as default and we wanted to get better TLS 1.0 or 1.1.
I would suggest to allow it, output a warning in the debug log "TLS 1.0 no longer available, using TLS 1.3 instead." and switch to TLS 1.3.
If some old code requests CURL_SSLVERSION_TLSv1_0 or CURL_SSLVERSION_TLSv1_1, you handle it like CURL_SSLVERSION_TLSv1 and use 1.3 with 1.2 as fallback.
Greetings
Christian
—
See you at the EngageU conference
9th to 11th November 2025 in Antwerpen, Belgium
https://engageu.eu/
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2025-07-11