curl: introduce the --tlsv1.3 option to force TLS 1.3

Fully implemented with the NSS backend only for now.

Reviewed-by: Ray Satiro

5 files changed, 15 insertions, 3 deletions

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 0917c683a..8f74ff7b2 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -10,6 +10,7 @@ This release includes the following changes:
 
  o nss: map CURL_SSLVERSION_DEFAULT to NSS default
  o vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
+ o curl: introduce the --tlsv1.3 option to force TLS 1.3
  o
 
 This release includes the following bugfixes:
diff --git a/docs/curl.1 b/docs/curl.1
index 9e96d0c98..bc0612f0c 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -176,9 +176,9 @@ HTTP 2 to negotiate HTTP 2 support with the server during https sessions.
 .IP "-1, --tlsv1"
 (SSL)
 Forces curl to use TLS version 1.x when negotiating with a remote TLS server.
-You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to
-control the TLS version more precisely (if the SSL backend in use supports such
-a level of control).
+You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and
+\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend
+in use supports such a level of control).
 .IP "-2, --sslv2"
 (SSL) Forces curl to use SSL version 2 when negotiating with a remote SSL
 server. Sometimes curl is built without SSLv2 support. SSLv2 is widely
@@ -1825,6 +1825,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.
 (SSL)
 Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
 (Added in 7.34.0)
+.IP "--tlsv1.3"
+(SSL)
+Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
+(Added in 7.51.1)
 .IP "--tr-encoding"
 (HTTP) Request a compressed Transfer-Encoding response using one of the
 algorithms curl supports, and uncompress the data while receiving it.
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 95dd4555f..2d16e066d 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -190,6 +190,7 @@ static const struct LongShort aliases[]= {
   {"10",  "tlsv1.0",                 FALSE},
   {"11",  "tlsv1.1",                 FALSE},
   {"12",  "tlsv1.2",                 FALSE},
+  {"13",  "tlsv1.3",                 FALSE},
   {"2",  "sslv2",                    FALSE},
   {"3",  "sslv3",                    FALSE},
   {"4",  "ipv4",                     FALSE},
@@ -1061,6 +1062,10 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
         /* TLS version 1.2 */
         config->ssl_version = CURL_SSLVERSION_TLSv1_2;
         break;
+      case '3':
+        /* TLS version 1.3 */
+        config->ssl_version = CURL_SSLVERSION_TLSv1_3;
+        break;
       }
       break;
     case '2':
diff --git a/src/tool_help.c b/src/tool_help.c
index fb428c9ca..9890cc83b 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -232,6 +232,7 @@ static const char *const helptext[] = {
   "     --tlsv1.0       Use TLSv1.0 (SSL)",
   "     --tlsv1.1       Use TLSv1.1 (SSL)",
   "     --tlsv1.2       Use TLSv1.2 (SSL)",
+  "     --tlsv1.3       Use TLSv1.3 (SSL)",
   "     --trace FILE    Write a debug trace to FILE",
   "     --trace-ascii FILE  Like --trace, but without hex output",
   "     --trace-time    Add time stamps to trace/verbose output",
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
index c854225e4..f3de09dee 100644
--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
@@ -83,6 +83,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
   NV(CURL_SSLVERSION_TLSv1_0),
   NV(CURL_SSLVERSION_TLSv1_1),
   NV(CURL_SSLVERSION_TLSv1_2),
+  NV(CURL_SSLVERSION_TLSv1_3),
   NVEND,
 };