-
Notifications
You must be signed in to change notification settings - Fork 289
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use TLSv1.3 with curl if specified at all #1670
base: master
Are you sure you want to change the base?
Conversation
The curl option specified to use TLSv1.2 explicity while nowadays 1.3 is availalble and recommended. Switch to specifying 1.3 instead of 1.2 for the command that downloads the install script.
r? @rust-lang/release |
Do you have links/pointers to changelogs for curl and the likelihood of this option being available in distros etc? I'd want us to avoid suggesting a command that will fail for users in practice due to an older curl locally, particularly when (AIUI) the security benefits in this case are likely to be fairly small. |
For a quick sample -- RHEL7 has |
https://daniel.haxx.se/blog/2018/03/27/play-tls-1-3-with-curl/
RHEL7 only has curl 7.29.0, but the |
Also, curl/curl#2994 updated the help text to say that these options are all "or greater", implying that was already the case, so |
Makes sense to leave it at 1.2 for longer then. Primary motivation was to have the usage of the command aligned in the website, book, and the rustup website/docs, and a PR for this got merged for the book. For security concerns I assume that the server uses the ciphers for 1.2 that are marked secure in https://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher - Not sure about the details of possible TLS 1.2 MITM attacks but I think the TLS cipher matters only if we assume there is a possible attack where the correct server gets connected and the cert gets validated but later in the connection the attacker would inject something and send wrong data (Does this even exist?). In other cases like a malicious server/certificate being accepted in the connection then the cipher selection doesn't matter much. So I would say as long as HTTPS is used it's not really important here to enforce TLS 1.3. |
The curl option specified to use TLSv1.2 explicity while nowadays 1.3
is availalble and recommended.
Switch to specifying 1.3 instead of 1.2 for the command that downloads
the install script.
See rust-lang/book#3130 and rust-lang/rustup#2996