Re: Time to deprecate TLS 1.0 and 1.1 ?
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 11 Jul 2025 08:49:44 +0200 (CEST)
On Fri, 11 Jul 2025, Christian Schmitz wrote:

> There may be plenty of old code around, that explicitly puts in
> CURL_SSLVERSION_TLSv1_0 or CURL_SSLVERSION_TLSv1_1. From a time where we had
> SSL v3 as default and we wanted to get better TLS 1.0 or 1.1.

Right, now we can't tell if they raise the minimum from SSL v3 or if they
lower the minimum from TLS 1.2 with this.

Not all TLS libraries support < 1.2 these days so it might not get what it
asks for.

> I would suggest to allow it, output a warning in the debug log "TLS 1.0 no
> longer available, using TLS 1.3 instead." and switch to TLS 1.3.

That's for when we completely remove the support, right?

I think we can start by upping the default and stick to that for a period
which might very well extend six months.

The option sets the minimum anyway, so as long as the maximum is >= 1.2 we can
still satisfy the user without having to say anything. And if the maximum is
set < 1.2 when we drop the support, then we better return error to help the
user understand what's going on.
--
 / daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2025-07-11
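
The version-range handling discussed in the message above, as an added example that is not part of the original post and is not libcurl code. The enum, struct and function names are hypothetical, and the default maximum of TLS 1.3 is an assumption; it models a requested minimum below the supported floor being raised silently, and a requested maximum below the floor being rejected.

```c
/* Added illustration, not libcurl code: all names here are hypothetical. */
#include <stdio.h>

enum tlsver { TLS_UNSET = 0, TLS_1_0 = 10, TLS_1_1 = 11, TLS_1_2 = 12, TLS_1_3 = 13 };
enum result { RANGE_ERROR = -1, RANGE_OK = 0, RANGE_RAISED = 1 };

struct tls_range { enum tlsver min, max; };

/* floor:   lowest version still supported (TLS_1_2 once 1.0/1.1 are dropped).
 * req_min: minimum the application asked for, TLS_UNSET means "use default".
 * req_max: maximum the application asked for, TLS_UNSET means "no cap"
 *          (assumed here to resolve to TLS 1.3). */
static enum result resolve_range(enum tlsver req_min, enum tlsver req_max,
                                 enum tlsver floor, struct tls_range *out)
{
  enum tlsver max = (req_max == TLS_UNSET) ? TLS_1_3 : req_max;
  enum tlsver min = (req_min == TLS_UNSET) ? floor : req_min;

  if(max < floor)
    return RANGE_ERROR;  /* explicit cap below the floor cannot be satisfied */
  if(min > max)
    return RANGE_ERROR;  /* contradictory request */

  out->max = max;
  if(min < floor) {
    /* Legacy "at least TLS 1.0/1.1" request: the floor still satisfies
     * "at least", so the minimum is raised without failing the transfer. */
    out->min = floor;
    return RANGE_RAISED;
  }
  out->min = min;
  return RANGE_OK;
}

int main(void)
{
  struct tls_range r;
  /* Old code asking for "TLS 1.0 or later" with no maximum. */
  enum result rc = resolve_range(TLS_1_0, TLS_UNSET, TLS_1_2, &r);
  printf("min-only 1.0: rc=%d min=%d max=%d\n", rc, r.min, r.max);
  /* Code that capped the connection at TLS 1.1. */
  rc = resolve_range(TLS_1_0, TLS_1_1, TLS_1_2, &r);
  printf("capped at 1.1: rc=%d\n", rc);
  return 0;
}
```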