diff options
author | Daniel Stenberg <daniel@haxx.se> | 2018-05-29 16:12:52 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2018-05-29 16:12:52 +0200 |
commit | 050c93c46f5bc880897152419200e60da56b46e0 (patch) | |
tree | 511d0b0030464cb8a666b312d578332f86ecc1b5 | |
parent | 5005ade2ce57e0e71439aa6639eb70414db949b8 (diff) |
setopt: add TLS 1.3 ciphersuites
Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS.
curl: added --tls13-ciphers and --proxy-tls13-ciphers
Fixes #2435
Reported-by: zzq1015 on github
Closes #2607
-rw-r--r-- | docs/CIPHERS.md | 10 | ||||
-rw-r--r-- | docs/cmdline-opts/Makefile.inc | 2 | ||||
-rw-r--r-- | docs/cmdline-opts/proxy-tls13-ciphers.d | 12 | ||||
-rw-r--r-- | docs/cmdline-opts/tls13-ciphers.d | 12 | ||||
-rw-r--r-- | docs/libcurl/curl_easy_setopt.3 | 4 | ||||
-rw-r--r-- | docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3 | 63 | ||||
-rw-r--r-- | docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3 | 62 | ||||
-rw-r--r-- | docs/libcurl/opts/Makefile.inc | 2 | ||||
-rw-r--r-- | docs/libcurl/symbols-in-versions | 8 | ||||
-rw-r--r-- | include/curl/curl.h | 4 | ||||
-rw-r--r-- | lib/setopt.c | 19 | ||||
-rw-r--r-- | lib/urldata.h | 3 | ||||
-rw-r--r-- | lib/vtls/openssl.c | 24 | ||||
-rw-r--r-- | lib/vtls/vtls.c | 8 | ||||
-rw-r--r-- | lib/vtls/vtls.h | 5 | ||||
-rw-r--r-- | src/tool_cfgable.h | 2 | ||||
-rw-r--r-- | src/tool_getparam.c | 8 | ||||
-rw-r--r-- | src/tool_help.c | 16 | ||||
-rw-r--r-- | src/tool_operate.c | 7 |
19 files changed, 260 insertions, 11 deletions
diff --git a/docs/CIPHERS.md b/docs/CIPHERS.md index e09533b0d..99d9f7dc7 100644 --- a/docs/CIPHERS.md +++ b/docs/CIPHERS.md @@ -142,6 +142,16 @@ libcurl was built to use. This is an attempt to list known cipher names. `ECDHE-RSA-CAMELLIA128-SHA256` `ECDHE-RSA-CAMELLIA256-SHA384` +### TLS 1.3 cipher suites + +(Note: the TLS 1.3 cipher suites are set with a separate option.) + +`TLS13-AES-256-GCM-SHA384` +`TLS13-CHACHA20-POLY1305-SHA256` +`TLS13-AES-128-GCM-SHA256` +`TLS13-AES-128-CCM-8-SHA256` +`TLS13-AES-128-CCM-SHA256` + ## NSS ### Totally insecure diff --git a/docs/cmdline-opts/Makefile.inc b/docs/cmdline-opts/Makefile.inc index fb56d2552..67fe1a04b 100644 --- a/docs/cmdline-opts/Makefile.inc +++ b/docs/cmdline-opts/Makefile.inc @@ -47,6 +47,6 @@ DPAGES = abstract-unix-socket.d anyauth.d append.d basic.d cacert.d capath.d cer tlsv1.3.d tlsv1.d trace-ascii.d trace.d trace-time.d tr-encoding.d \ unix-socket.d upload-file.d url.d use-ascii.d user-agent.d user.d \ verbose.d version.d write-out.d xattr.d request-target.d \ - styled-output.d + styled-output.d tls13-ciphers.d proxy-tls13-ciphers.d OTHERPAGES = page-footer page-header diff --git a/docs/cmdline-opts/proxy-tls13-ciphers.d b/docs/cmdline-opts/proxy-tls13-ciphers.d new file mode 100644 index 000000000..3e35b0764 --- /dev/null +++ b/docs/cmdline-opts/proxy-tls13-ciphers.d @@ -0,0 +1,12 @@ +Long: proxy-tls13-ciphers +Arg: <ciphersuite list> +help: TLS 1.3 proxy cipher suites +Protocols: TLS +--- +Specifies which cipher suites to use in the connection to your HTTPS proxy +when it negotiates TLS 1.3. The list of ciphers suites must specify valid +ciphers. Read up on TLS 1.3 cipher suite details on this URL: + + https://curl.haxx.se/docs/ssl-ciphers.html + +If this option is used several times, the last one will be used. diff --git a/docs/cmdline-opts/tls13-ciphers.d b/docs/cmdline-opts/tls13-ciphers.d new file mode 100644 index 000000000..add161595 --- /dev/null +++ b/docs/cmdline-opts/tls13-ciphers.d @@ -0,0 +1,12 @@ +Long: tls13-ciphers +Arg: <list of TLS 1.3 ciphersuites> +help: TLS 1.3 cipher suites to use +Protocols: TLS +--- +Specifies which cipher suites to use in the connection if it negotiates TLS +1.3. The list of ciphers suites must specify valid ciphers. Read up on TLS 1.3 +cipher suite details on this URL: + + https://curl.haxx.se/docs/ssl-ciphers.html + +If this option is used several times, the last one will be used. diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index bdaf59f6c..317c7a646 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -548,6 +548,10 @@ Identify EGD socket for entropy. See \fICURLOPT_EGDSOCKET(3)\fP Ciphers to use. See \fICURLOPT_SSL_CIPHER_LIST(3)\fP .IP CURLOPT_PROXY_SSL_CIPHER_LIST Proxy ciphers to use. See \fICURLOPT_PROXY_SSL_CIPHER_LIST(3)\fP +.IP CURLOPT_TLS13_CIPHERS +TLS 1.3 cipher suites to use. See \fICURLOPT_TLS13_CIPHERS(3)\fP +.IP CURLOPT_PROXY_TLS13_CIPHERS +Proxy TLS 1.3 cipher suites to use. See \fICURLOPT_PROXY_TLS13_CIPHERS(3)\fP .IP CURLOPT_SSL_SESSIONID_CACHE Disable SSL session-id cache. See \fICURLOPT_SSL_SESSIONID_CACHE(3)\fP .IP CURLOPT_SSL_OPTIONS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3 b/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3 new file mode 100644 index 000000000..372bdeb38 --- /dev/null +++ b/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3 @@ -0,0 +1,63 @@ +.\" ************************************************************************** +.\" * _ _ ____ _ +.\" * Project ___| | | | _ \| | +.\" * / __| | | | |_) | | +.\" * | (__| |_| | _ <| |___ +.\" * \___|\___/|_| \_\_____| +.\" * +.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. +.\" * +.\" * This software is licensed as described in the file COPYING, which +.\" * you should have received as part of this distribution. The terms +.\" * are also available at https://curl.haxx.se/docs/copyright.html. +.\" * +.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell +.\" * copies of the Software, and permit persons to whom the Software is +.\" * furnished to do so, under the terms of the COPYING file. +.\" * +.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY +.\" * KIND, either express or implied. +.\" * +.\" ************************************************************************** +.\" +.TH CURLOPT_PROXY_TLS13_CIPHERS 3 "25 May 2018" "libcurl 7.61.0" "curl_easy_setopt options" +.SH NAME +CURLOPT_PROXY_TLS13_CIPHERS \- ciphers suites for proxy TLS 1.3 +.SH SYNOPSIS +#include <curl/curl.h> + +CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_TLS13_CIPHERS, char *list); +.SH DESCRIPTION +Pass a char *, pointing to a zero terminated string holding the list of cipher +suites to use for the TLS 1.3 connection to a proxy. The list must be +syntactically correct, it consists of one or more cipher suite strings +separated by colons. + +You'll find more details about cipher lists on this URL: + + https://curl.haxx.se/docs/ssl-ciphers.html + +The application does not have to keep the string around after setting this +option. +.SH DEFAULT +NULL, use internal default +.SH PROTOCOLS +All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc. +.SH EXAMPLE +.nf +CURL *curl = curl_easy_init(); +if(curl) { + curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/"); + curl_easy_setopt(curl, CURLOPT_PROXY_TLS13_CIPHERS, + "TLS13-CHACHA20-POLY1305-SHA256"); + ret = curl_easy_perform(curl); + curl_easy_cleanup(curl); +} +.fi +.SH AVAILABILITY +Added in 7.61.0. +Available when built with OpenSSL >= 1.1.1. +.SH RETURN VALUE +Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise. +.SH "SEE ALSO" +.BR CURLOPT_SSLVERSION "(3), " CURLOPT_TLS13_CIPHERS "(3), " diff --git a/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3 b/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3 new file mode 100644 index 000000000..85400780c --- /dev/null +++ b/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3 @@ -0,0 +1,62 @@ +.\" ************************************************************************** +.\" * _ _ ____ _ +.\" * Project ___| | | | _ \| | +.\" * / __| | | | |_) | | +.\" * | (__| |_| | _ <| |___ +.\" * \___|\___/|_| \_\_____| +.\" * +.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. +.\" * +.\" * This software is licensed as described in the file COPYING, which +.\" * you should have received as part of this distribution. The terms +.\" * are also available at https://curl.haxx.se/docs/copyright.html. +.\" * +.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell +.\" * copies of the Software, and permit persons to whom the Software is +.\" * furnished to do so, under the terms of the COPYING file. +.\" * +.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY +.\" * KIND, either express or implied. +.\" * +.\" ************************************************************************** +.\" +.TH CURLOPT_TLS13_CIPHERS 3 "25 May 2018" "libcurl 7.61.0" "curl_easy_setopt options" +.SH NAME +CURLOPT_TLS13_CIPHERS \- specify ciphers suites to use for TLS 1.3 +.SH SYNOPSIS +#include <curl/curl.h> + +CURLcode curl_easy_setopt(CURL *handle, CURLOPT_TLS13_CIPHERS, char *list); +.SH DESCRIPTION +Pass a char *, pointing to a zero terminated string holding the list of cipher +suites to use for the TLS 1.3 connection. The list must be syntactically +correct, it consists of one or more cipher suite strings separated by colons. + +You'll find more details about cipher lists on this URL: + + https://curl.haxx.se/docs/ssl-ciphers.html + +The application does not have to keep the string around after setting this +option. +.SH DEFAULT +NULL, use internal default +.SH PROTOCOLS +All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc. +.SH EXAMPLE +.nf +CURL *curl = curl_easy_init(); +if(curl) { + curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/"); + curl_easy_setopt(curl, CURLOPT_TLS13_CIPHERS, + "TLS13-CHACHA20-POLY1305-SHA256"); + ret = curl_easy_perform(curl); + curl_easy_cleanup(curl); +} +.fi +.SH AVAILABILITY +Added in 7.61.0. +Available when built with OpenSSL >= 1.1.1. +.SH RETURN VALUE +Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise. +.SH "SEE ALSO" +.BR CURLOPT_SSLVERSION "(3), " CURLOPT_PROXY_TLS13_CIPHERS "(3), " diff --git a/docs/libcurl/opts/Makefile.inc b/docs/libcurl/opts/Makefile.inc index 74a76a7dd..5db8b8f3e 100644 --- a/docs/libcurl/opts/Makefile.inc +++ b/docs/libcurl/opts/Makefile.inc @@ -237,6 +237,7 @@ man_MANS = \ CURLOPT_PROXY_SSL_OPTIONS.3 \ CURLOPT_PROXY_SSL_VERIFYHOST.3 \ CURLOPT_PROXY_SSL_VERIFYPEER.3 \ + CURLOPT_PROXY_TLS13_CIPHERS.3 \ CURLOPT_PROXY_TLSAUTH_PASSWORD.3 \ CURLOPT_PROXY_TLSAUTH_TYPE.3 \ CURLOPT_PROXY_TLSAUTH_USERNAME.3 \ @@ -315,6 +316,7 @@ man_MANS = \ CURLOPT_TIMEOUT_MS.3 \ CURLOPT_TIMEVALUE.3 \ CURLOPT_TIMEVALUE_LARGE.3 \ + CURLOPT_TLS13_CIPHERS.3 \ CURLOPT_TLSAUTH_PASSWORD.3 \ CURLOPT_TLSAUTH_TYPE.3 \ CURLOPT_TLSAUTH_USERNAME.3 \ diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index f3ad33510..4b6e74346 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -101,8 +101,8 @@ CURLE_PEER_FAILED_VERIFICATION 7.17.1 CURLE_QUOTE_ERROR 7.17.0 CURLE_RANGE_ERROR 7.17.0 CURLE_READ_ERROR 7.1 -CURLE_RECV_ERROR 7.10 CURLE_RECURSIVE_API_CALL 7.59.0 +CURLE_RECV_ERROR 7.10 CURLE_REMOTE_ACCESS_DENIED 7.17.0 CURLE_REMOTE_DISK_FULL 7.17.0 CURLE_REMOTE_FILE_EXISTS 7.17.0 @@ -514,6 +514,7 @@ CURLOPT_PROXY_SSL_CIPHER_LIST 7.52.0 CURLOPT_PROXY_SSL_OPTIONS 7.52.0 CURLOPT_PROXY_SSL_VERIFYHOST 7.52.0 CURLOPT_PROXY_SSL_VERIFYPEER 7.52.0 +CURLOPT_PROXY_TLS13_CIPHERS 7.61.0 CURLOPT_PROXY_TLSAUTH_PASSWORD 7.52.0 CURLOPT_PROXY_TLSAUTH_TYPE 7.52.0 CURLOPT_PROXY_TLSAUTH_USERNAME 7.52.0 @@ -528,6 +529,8 @@ CURLOPT_REDIR_PROTOCOLS 7.19.4 CURLOPT_REFERER 7.1 CURLOPT_REQUEST_TARGET 7.55.0 CURLOPT_RESOLVE 7.21.3 +CURLOPT_RESOLVER_START_DATA 7.59.0 +CURLOPT_RESOLVER_START_FUNCTION 7.59.0 CURLOPT_RESUME_FROM 7.1 CURLOPT_RESUME_FROM_LARGE 7.11.0 CURLOPT_RTSPHEADER 7.20.0 @@ -602,13 +605,12 @@ CURLOPT_TIMEOUT 7.1 CURLOPT_TIMEOUT_MS 7.16.2 CURLOPT_TIMEVALUE 7.1 CURLOPT_TIMEVALUE_LARGE 7.59.0 +CURLOPT_TLS13_CIPHERS 7.61.0 CURLOPT_TLSAUTH_PASSWORD 7.21.4 CURLOPT_TLSAUTH_TYPE 7.21.4 CURLOPT_TLSAUTH_USERNAME 7.21.4 CURLOPT_TRANSFERTEXT 7.1.1 CURLOPT_TRANSFER_ENCODING 7.21.6 -CURLOPT_RESOLVER_START_FUNCTION 7.59.0 -CURLOPT_RESOLVER_START_DATA 7.59.0 CURLOPT_UNIX_SOCKET_PATH 7.40.0 CURLOPT_UNRESTRICTED_AUTH 7.10.4 CURLOPT_UPLOAD 7.1 diff --git a/include/curl/curl.h b/include/curl/curl.h index b7f75da75..034c6da7e 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -1849,6 +1849,10 @@ typedef enum { /* shuffle addresses before use when DNS returns multiple */ CINIT(DNS_SHUFFLE_ADDRESSES, LONG, 275), + /* Specify which TLS 1.3 ciphers suites to use */ + CINIT(TLS13_CIPHERS, STRINGPOINT, 276), + CINIT(PROXY_TLS13_CIPHERS, STRINGPOINT, 277), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; diff --git a/lib/setopt.c b/lib/setopt.c index c1f6bd97e..93a4dd2b5 100644 --- a/lib/setopt.c +++ b/lib/setopt.c @@ -142,6 +142,25 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_arg(param, char *)); break; + case CURLOPT_TLS13_CIPHERS: + if(Curl_ssl_tls13_ciphersuites()) { + /* set preferred list of TLS 1.3 cipher suites */ + result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG], + va_arg(param, char *)); + } + else + return CURLE_NOT_BUILT_IN; + break; + case CURLOPT_PROXY_TLS13_CIPHERS: + if(Curl_ssl_tls13_ciphersuites()) { + /* set preferred list of TLS 1.3 cipher suites for proxy */ + result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_PROXY], + va_arg(param, char *)); + } + else + return CURLE_NOT_BUILT_IN; + break; + case CURLOPT_RANDOM_FILE: /* * This is the path name to a file that contains random data to seed diff --git a/lib/urldata.h b/lib/urldata.h index 9a821aa5a..f1b67c3d1 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -227,6 +227,7 @@ struct ssl_primary_config { char *random_file; /* path to file containing "random" data */ char *egdsocket; /* path to file containing the EGD daemon socket */ char *cipher_list; /* list of ciphers to use */ + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ }; struct ssl_config_data { @@ -1401,6 +1402,8 @@ enum dupstring { STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */ STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */ STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */ + STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */ + STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */ STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */ STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */ STRING_USERAGENT, /* User-Agent string */ diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index a7bbdb2fd..4a5f37060 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -166,6 +166,17 @@ static unsigned long OpenSSL_version_num(void) #define HAVE_KEYLOG_CALLBACK #endif +/* Whether SSL_CTX_set_ciphersuites is available. + * OpenSSL: supported since 1.1.1 (commit a53b5be6a05) + * BoringSSL: no + * LibreSSL: no + */ +#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \ + !defined(LIBRESSL_VERSION_NUMBER) && \ + !defined(OPENSSL_IS_BORINGSSL)) +#define HAVE_SSL_CTX_SET_CIPHERSUITES +#endif + #if defined(LIBRESSL_VERSION_NUMBER) #define OSSL_PACKAGE "LibreSSL" #elif defined(OPENSSL_IS_BORINGSSL) @@ -2413,6 +2424,19 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) infof(data, "Cipher selection: %s\n", ciphers); } +#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES + { + char *ciphers13 = SSL_CONN_CONFIG(cipher_list13); + if(ciphers13) { + if(!SSL_CTX_set_ciphersuites(BACKEND->ctx, ciphers13)) { + failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers); + return CURLE_SSL_CIPHER; + } + infof(data, "TLS 1.3 cipher selection: %s\n", ciphers13); + } + } +#endif + #ifdef USE_TLS_SRP if(ssl_authtype == CURL_TLSAUTH_SRP) { char * const ssl_username = SSL_SET_OPTION(username); diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index ee5bc7a0a..bf96518bc 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -980,6 +980,14 @@ bool Curl_ssl_false_start(void) } /* + * Check whether the SSL backend supports setting TLS 1.3 cipher suites + */ +bool Curl_ssl_tls13_ciphersuites(void) +{ + return Curl_ssl->supports & SSLSUPP_TLS13_CIPHERSUITES; +} + +/* * Default implementations for unsupported functions. */ diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h index e7b87c4d3..40f9d7479 100644 --- a/lib/vtls/vtls.h +++ b/lib/vtls/vtls.h @@ -31,6 +31,7 @@ struct ssl_connect_data; #define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */ #define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */ #define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */ +#define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */ struct Curl_ssl { /* @@ -93,6 +94,7 @@ CURLcode Curl_none_set_engine(struct Curl_easy *data, const char *engine); CURLcode Curl_none_set_engine_default(struct Curl_easy *data); struct curl_slist *Curl_none_engines_list(struct Curl_easy *data); bool Curl_none_false_start(void); +bool Curl_ssl_tls13_ciphersuites(void); CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen, unsigned char *md5sum, size_t md5len); @@ -246,7 +248,7 @@ bool Curl_ssl_false_start(void); #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ -#else +#else /* if not USE_SSL */ /* When SSL support is not present, just define away these function calls */ #define Curl_ssl_init() 1 @@ -270,6 +272,7 @@ bool Curl_ssl_false_start(void); #define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN) #define Curl_ssl_cert_status_request() FALSE #define Curl_ssl_false_start() FALSE +#define Curl_ssl_tls13_ciphersuites() FALSE #endif #endif /* HEADER_CURL_VTLS_H */ diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h index 9d995f85e..237c2bd7f 100644 --- a/src/tool_cfgable.h +++ b/src/tool_cfgable.h @@ -117,6 +117,8 @@ struct OperationConfig { struct getout *url_ul; /* point to the node to fill in upload */ char *cipher_list; char *proxy_cipher_list; + char *cipher13_list; + char *proxy_cipher13_list; char *cert; char *proxy_cert; char *cert_type; diff --git a/src/tool_getparam.c b/src/tool_getparam.c index e83373c37..a9f448112 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -201,6 +201,8 @@ static const struct LongShort aliases[]= { {"11", "tlsv1.1", ARG_NONE}, {"12", "tlsv1.2", ARG_NONE}, {"13", "tlsv1.3", ARG_NONE}, + {"1A", "tls13-ciphers", ARG_STRING}, + {"1B", "proxy-tls13-ciphers", ARG_STRING}, {"2", "sslv2", ARG_NONE}, {"3", "sslv3", ARG_NONE}, {"4", "ipv4", ARG_NONE}, @@ -1177,6 +1179,12 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ /* TLS version 1.3 */ config->ssl_version = CURL_SSLVERSION_TLSv1_3; break; + case 'A': /* --tls13-ciphers */ + GetStr(&config->cipher13_list, nextarg); + break; + case 'B': /* --proxy-tls13-ciphers */ + GetStr(&config->proxy_cipher13_list, nextarg); + break; } break; case '2': diff --git a/src/tool_help.c b/src/tool_help.c index 7c4dda3b0..3218cf67d 100644 --- a/src/tool_help.c +++ b/src/tool_help.c @@ -160,12 +160,12 @@ static const struct helptxt helptext[] = { "Put the post data in the URL and use GET"}, {"-g, --globoff", "Disable URL sequences and ranges using {} and []"}, - {" --happy-eyeballs-timeout-ms", + {" --happy-eyeballs-timeout-ms <milliseconds>", "How long to wait in milliseconds for IPv6 before trying IPv4"}, - {"-I, --head", - "Show document info only"}, {" --haproxy-protocol", "Send HAProxy PROXY protocol v1 header"}, + {"-I, --head", + "Show document info only"}, {"-H, --header <header/@file>", "Pass custom header(s) to server"}, {"-h, --help", @@ -297,7 +297,7 @@ static const struct helptxt helptext[] = { {" --proxy-cert <cert[:passwd]>", "Set client certificate for proxy"}, {" --proxy-cert-type <type>", - "Client certificate type for HTTS proxy"}, + "Client certificate type for HTTPS proxy"}, {" --proxy-ciphers <list>", "SSL ciphers to use for proxy"}, {" --proxy-crlfile <file>", @@ -324,6 +324,8 @@ static const struct helptxt helptext[] = { "SPNEGO proxy service name"}, {" --proxy-ssl-allow-beast", "Allow security flaw for interop for HTTPS proxy"}, + {" --proxy-tls13-ciphers <ciphersuite list>", + "TLS 1.3 proxy cipher suites"}, {" --proxy-tlsauthtype <type>", "TLS authentication type for HTTPS proxy"}, {" --proxy-tlspassword <string>", @@ -337,7 +339,7 @@ static const struct helptxt helptext[] = { {" --proxy1.0 <host[:port]>", "Use HTTP/1.0 proxy on given port"}, {"-p, --proxytunnel", - "Operate through a HTTP proxy tunnel (using CONNECT)"}, + "Operate through an HTTP proxy tunnel (using CONNECT)"}, {" --pubkey <key>", "SSH Public key file name"}, {"-Q, --quote", @@ -362,7 +364,7 @@ static const struct helptxt helptext[] = { "Specify request command to use"}, {" --request-target", "Specify the target for this request"}, - {" --resolve <host:port:address>", + {" --resolve <host:port:address[,address]...>", "Resolve the host+port to this address"}, {" --retry <num>", "Retry request if transient problems occur"}, @@ -432,6 +434,8 @@ static const struct helptxt helptext[] = { "Transfer based on a time condition"}, {" --tls-max <VERSION>", "Use TLSv1.0 or greater"}, + {" --tls13-ciphers <list of TLS 1.3 ciphersuites>", + "TLS 1.3 cipher suites to use"}, {" --tlsauthtype <type>", "TLS authentication type"}, {" --tlspassword", diff --git a/src/tool_operate.c b/src/tool_operate.c index 5be862228..0a1b1a48d 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c @@ -1216,6 +1216,13 @@ static CURLcode operate_do(struct GlobalConfig *global, my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST, config->proxy_cipher_list); + if(config->cipher13_list) + my_setopt_str(curl, CURLOPT_TLS13_CIPHERS, config->cipher13_list); + + if(config->proxy_cipher13_list) + my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST, + config->proxy_cipher13_list); + /* new in libcurl 7.9.2: */ if(config->disable_epsv) /* disable it */ |