summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2018-05-29 08:23:20 +0200
committerDaniel Stenberg <daniel@haxx.se>2018-05-29 08:23:20 +0200
commitf1351e0925ef83de670d088fd20c67f22718af53 (patch)
tree5a1e66adbddd353bed0ac7ebc2aed79cb8f07a59
parent954284f9192ccc9719e39970f39c7ac2d9090511 (diff)
downloadcurl-bagder/tls13-ciphersuites.tar.gz
setopt: add TLS 1.3 ciphersuitesbagder/tls13-ciphersuites
Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS. curl: added --tls13-ciphers and --proxy-tls13-ciphers Fixes #2435 Reported-by: zzq1015 on github
-rw-r--r--docs/CIPHERS.md10
-rw-r--r--docs/cmdline-opts/Makefile.inc2
-rw-r--r--docs/cmdline-opts/proxy-tls13-ciphers.d12
-rw-r--r--docs/cmdline-opts/tls13-ciphers.d12
-rw-r--r--docs/libcurl/curl_easy_setopt.34
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.363
-rw-r--r--docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.362
-rw-r--r--docs/libcurl/opts/Makefile.inc2
-rw-r--r--docs/libcurl/symbols-in-versions8
-rw-r--r--include/curl/curl.h4
-rw-r--r--lib/setopt.c19
-rw-r--r--lib/urldata.h3
-rw-r--r--lib/vtls/openssl.c24
-rw-r--r--lib/vtls/vtls.c8
-rw-r--r--lib/vtls/vtls.h5
-rw-r--r--src/tool_cfgable.h2
-rw-r--r--src/tool_getparam.c8
-rw-r--r--src/tool_help.c16
-rw-r--r--src/tool_operate.c7
19 files changed, 260 insertions, 11 deletions
diff --git a/docs/CIPHERS.md b/docs/CIPHERS.md
index e09533b0d..99d9f7dc7 100644
--- a/docs/CIPHERS.md
+++ b/docs/CIPHERS.md
@@ -142,6 +142,16 @@ libcurl was built to use. This is an attempt to list known cipher names.
`ECDHE-RSA-CAMELLIA128-SHA256`
`ECDHE-RSA-CAMELLIA256-SHA384`
+### TLS 1.3 cipher suites
+
+(Note: the TLS 1.3 cipher suites are set with a separate option.)
+
+`TLS13-AES-256-GCM-SHA384`
+`TLS13-CHACHA20-POLY1305-SHA256`
+`TLS13-AES-128-GCM-SHA256`
+`TLS13-AES-128-CCM-8-SHA256`
+`TLS13-AES-128-CCM-SHA256`
+
## NSS
### Totally insecure
diff --git a/docs/cmdline-opts/Makefile.inc b/docs/cmdline-opts/Makefile.inc
index fb56d2552..67fe1a04b 100644
--- a/docs/cmdline-opts/Makefile.inc
+++ b/docs/cmdline-opts/Makefile.inc
@@ -47,6 +47,6 @@ DPAGES = abstract-unix-socket.d anyauth.d append.d basic.d cacert.d capath.d cer
tlsv1.3.d tlsv1.d trace-ascii.d trace.d trace-time.d tr-encoding.d \
unix-socket.d upload-file.d url.d use-ascii.d user-agent.d user.d \
verbose.d version.d write-out.d xattr.d request-target.d \
- styled-output.d
+ styled-output.d tls13-ciphers.d proxy-tls13-ciphers.d
OTHERPAGES = page-footer page-header
diff --git a/docs/cmdline-opts/proxy-tls13-ciphers.d b/docs/cmdline-opts/proxy-tls13-ciphers.d
new file mode 100644
index 000000000..3e35b0764
--- /dev/null
+++ b/docs/cmdline-opts/proxy-tls13-ciphers.d
@@ -0,0 +1,12 @@
+Long: proxy-tls13-ciphers
+Arg: <ciphersuite list>
+help: TLS 1.3 proxy cipher suites
+Protocols: TLS
+---
+Specifies which cipher suites to use in the connection to your HTTPS proxy
+when it negotiates TLS 1.3. The list of ciphers suites must specify valid
+ciphers. Read up on TLS 1.3 cipher suite details on this URL:
+
+ https://curl.haxx.se/docs/ssl-ciphers.html
+
+If this option is used several times, the last one will be used.
diff --git a/docs/cmdline-opts/tls13-ciphers.d b/docs/cmdline-opts/tls13-ciphers.d
new file mode 100644
index 000000000..add161595
--- /dev/null
+++ b/docs/cmdline-opts/tls13-ciphers.d
@@ -0,0 +1,12 @@
+Long: tls13-ciphers
+Arg: <list of TLS 1.3 ciphersuites>
+help: TLS 1.3 cipher suites to use
+Protocols: TLS
+---
+Specifies which cipher suites to use in the connection if it negotiates TLS
+1.3. The list of ciphers suites must specify valid ciphers. Read up on TLS 1.3
+cipher suite details on this URL:
+
+ https://curl.haxx.se/docs/ssl-ciphers.html
+
+If this option is used several times, the last one will be used.
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index bdaf59f6c..317c7a646 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -548,6 +548,10 @@ Identify EGD socket for entropy. See \fICURLOPT_EGDSOCKET(3)\fP
Ciphers to use. See \fICURLOPT_SSL_CIPHER_LIST(3)\fP
.IP CURLOPT_PROXY_SSL_CIPHER_LIST
Proxy ciphers to use. See \fICURLOPT_PROXY_SSL_CIPHER_LIST(3)\fP
+.IP CURLOPT_TLS13_CIPHERS
+TLS 1.3 cipher suites to use. See \fICURLOPT_TLS13_CIPHERS(3)\fP
+.IP CURLOPT_PROXY_TLS13_CIPHERS
+Proxy TLS 1.3 cipher suites to use. See \fICURLOPT_PROXY_TLS13_CIPHERS(3)\fP
.IP CURLOPT_SSL_SESSIONID_CACHE
Disable SSL session-id cache. See \fICURLOPT_SSL_SESSIONID_CACHE(3)\fP
.IP CURLOPT_SSL_OPTIONS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3 b/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3
new file mode 100644
index 000000000..372bdeb38
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3
@@ -0,0 +1,63 @@
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_PROXY_TLS13_CIPHERS 3 "25 May 2018" "libcurl 7.61.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_PROXY_TLS13_CIPHERS \- ciphers suites for proxy TLS 1.3
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_TLS13_CIPHERS, char *list);
+.SH DESCRIPTION
+Pass a char *, pointing to a zero terminated string holding the list of cipher
+suites to use for the TLS 1.3 connection to a proxy. The list must be
+syntactically correct, it consists of one or more cipher suite strings
+separated by colons.
+
+You'll find more details about cipher lists on this URL:
+
+ https://curl.haxx.se/docs/ssl-ciphers.html
+
+The application does not have to keep the string around after setting this
+option.
+.SH DEFAULT
+NULL, use internal default
+.SH PROTOCOLS
+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+ curl_easy_setopt(curl, CURLOPT_PROXY_TLS13_CIPHERS,
+ "TLS13-CHACHA20-POLY1305-SHA256");
+ ret = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in 7.61.0.
+Available when built with OpenSSL >= 1.1.1.
+.SH RETURN VALUE
+Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise.
+.SH "SEE ALSO"
+.BR CURLOPT_SSLVERSION "(3), " CURLOPT_TLS13_CIPHERS "(3), "
diff --git a/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3 b/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3
new file mode 100644
index 000000000..85400780c
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3
@@ -0,0 +1,62 @@
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_TLS13_CIPHERS 3 "25 May 2018" "libcurl 7.61.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_TLS13_CIPHERS \- specify ciphers suites to use for TLS 1.3
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_TLS13_CIPHERS, char *list);
+.SH DESCRIPTION
+Pass a char *, pointing to a zero terminated string holding the list of cipher
+suites to use for the TLS 1.3 connection. The list must be syntactically
+correct, it consists of one or more cipher suite strings separated by colons.
+
+You'll find more details about cipher lists on this URL:
+
+ https://curl.haxx.se/docs/ssl-ciphers.html
+
+The application does not have to keep the string around after setting this
+option.
+.SH DEFAULT
+NULL, use internal default
+.SH PROTOCOLS
+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+ curl_easy_setopt(curl, CURLOPT_TLS13_CIPHERS,
+ "TLS13-CHACHA20-POLY1305-SHA256");
+ ret = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in 7.61.0.
+Available when built with OpenSSL >= 1.1.1.
+.SH RETURN VALUE
+Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise.
+.SH "SEE ALSO"
+.BR CURLOPT_SSLVERSION "(3), " CURLOPT_PROXY_TLS13_CIPHERS "(3), "
diff --git a/docs/libcurl/opts/Makefile.inc b/docs/libcurl/opts/Makefile.inc
index 74a76a7dd..5db8b8f3e 100644
--- a/docs/libcurl/opts/Makefile.inc
+++ b/docs/libcurl/opts/Makefile.inc
@@ -237,6 +237,7 @@ man_MANS = \
CURLOPT_PROXY_SSL_OPTIONS.3 \
CURLOPT_PROXY_SSL_VERIFYHOST.3 \
CURLOPT_PROXY_SSL_VERIFYPEER.3 \
+ CURLOPT_PROXY_TLS13_CIPHERS.3 \
CURLOPT_PROXY_TLSAUTH_PASSWORD.3 \
CURLOPT_PROXY_TLSAUTH_TYPE.3 \
CURLOPT_PROXY_TLSAUTH_USERNAME.3 \
@@ -315,6 +316,7 @@ man_MANS = \
CURLOPT_TIMEOUT_MS.3 \
CURLOPT_TIMEVALUE.3 \
CURLOPT_TIMEVALUE_LARGE.3 \
+ CURLOPT_TLS13_CIPHERS.3 \
CURLOPT_TLSAUTH_PASSWORD.3 \
CURLOPT_TLSAUTH_TYPE.3 \
CURLOPT_TLSAUTH_USERNAME.3 \
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index f3ad33510..4b6e74346 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -101,8 +101,8 @@ CURLE_PEER_FAILED_VERIFICATION 7.17.1
CURLE_QUOTE_ERROR 7.17.0
CURLE_RANGE_ERROR 7.17.0
CURLE_READ_ERROR 7.1
-CURLE_RECV_ERROR 7.10
CURLE_RECURSIVE_API_CALL 7.59.0
+CURLE_RECV_ERROR 7.10
CURLE_REMOTE_ACCESS_DENIED 7.17.0
CURLE_REMOTE_DISK_FULL 7.17.0
CURLE_REMOTE_FILE_EXISTS 7.17.0
@@ -514,6 +514,7 @@ CURLOPT_PROXY_SSL_CIPHER_LIST 7.52.0
CURLOPT_PROXY_SSL_OPTIONS 7.52.0
CURLOPT_PROXY_SSL_VERIFYHOST 7.52.0
CURLOPT_PROXY_SSL_VERIFYPEER 7.52.0
+CURLOPT_PROXY_TLS13_CIPHERS 7.61.0
CURLOPT_PROXY_TLSAUTH_PASSWORD 7.52.0
CURLOPT_PROXY_TLSAUTH_TYPE 7.52.0
CURLOPT_PROXY_TLSAUTH_USERNAME 7.52.0
@@ -528,6 +529,8 @@ CURLOPT_REDIR_PROTOCOLS 7.19.4
CURLOPT_REFERER 7.1
CURLOPT_REQUEST_TARGET 7.55.0
CURLOPT_RESOLVE 7.21.3
+CURLOPT_RESOLVER_START_DATA 7.59.0
+CURLOPT_RESOLVER_START_FUNCTION 7.59.0
CURLOPT_RESUME_FROM 7.1
CURLOPT_RESUME_FROM_LARGE 7.11.0
CURLOPT_RTSPHEADER 7.20.0
@@ -602,13 +605,12 @@ CURLOPT_TIMEOUT 7.1
CURLOPT_TIMEOUT_MS 7.16.2
CURLOPT_TIMEVALUE 7.1
CURLOPT_TIMEVALUE_LARGE 7.59.0
+CURLOPT_TLS13_CIPHERS 7.61.0
CURLOPT_TLSAUTH_PASSWORD 7.21.4
CURLOPT_TLSAUTH_TYPE 7.21.4
CURLOPT_TLSAUTH_USERNAME 7.21.4
CURLOPT_TRANSFERTEXT 7.1.1
CURLOPT_TRANSFER_ENCODING 7.21.6
-CURLOPT_RESOLVER_START_FUNCTION 7.59.0
-CURLOPT_RESOLVER_START_DATA 7.59.0
CURLOPT_UNIX_SOCKET_PATH 7.40.0
CURLOPT_UNRESTRICTED_AUTH 7.10.4
CURLOPT_UPLOAD 7.1
diff --git a/include/curl/curl.h b/include/curl/curl.h
index b7f75da75..034c6da7e 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1849,6 +1849,10 @@ typedef enum {
/* shuffle addresses before use when DNS returns multiple */
CINIT(DNS_SHUFFLE_ADDRESSES, LONG, 275),
+ /* Specify which TLS 1.3 ciphers suites to use */
+ CINIT(TLS13_CIPHERS, STRINGPOINT, 276),
+ CINIT(PROXY_TLS13_CIPHERS, STRINGPOINT, 277),
+
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;
diff --git a/lib/setopt.c b/lib/setopt.c
index c1f6bd97e..93a4dd2b5 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -142,6 +142,25 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
va_arg(param, char *));
break;
+ case CURLOPT_TLS13_CIPHERS:
+ if(Curl_ssl_tls13_ciphersuites()) {
+ /* set preferred list of TLS 1.3 cipher suites */
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG],
+ va_arg(param, char *));
+ }
+ else
+ return CURLE_NOT_BUILT_IN;
+ break;
+ case CURLOPT_PROXY_TLS13_CIPHERS:
+ if(Curl_ssl_tls13_ciphersuites()) {
+ /* set preferred list of TLS 1.3 cipher suites for proxy */
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_PROXY],
+ va_arg(param, char *));
+ }
+ else
+ return CURLE_NOT_BUILT_IN;
+ break;
+
case CURLOPT_RANDOM_FILE:
/*
* This is the path name to a file that contains random data to seed
diff --git a/lib/urldata.h b/lib/urldata.h
index 9a821aa5a..f1b67c3d1 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -227,6 +227,7 @@ struct ssl_primary_config {
char *random_file; /* path to file containing "random" data */
char *egdsocket; /* path to file containing the EGD daemon socket */
char *cipher_list; /* list of ciphers to use */
+ char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
};
struct ssl_config_data {
@@ -1401,6 +1402,8 @@ enum dupstring {
STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
+ STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */
+ STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */
STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */
STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */
STRING_USERAGENT, /* User-Agent string */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index a7bbdb2fd..4a5f37060 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -166,6 +166,17 @@ static unsigned long OpenSSL_version_num(void)
#define HAVE_KEYLOG_CALLBACK
#endif
+/* Whether SSL_CTX_set_ciphersuites is available.
+ * OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
+ * BoringSSL: no
+ * LibreSSL: no
+ */
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
+ !defined(LIBRESSL_VERSION_NUMBER) && \
+ !defined(OPENSSL_IS_BORINGSSL))
+#define HAVE_SSL_CTX_SET_CIPHERSUITES
+#endif
+
#if defined(LIBRESSL_VERSION_NUMBER)
#define OSSL_PACKAGE "LibreSSL"
#elif defined(OPENSSL_IS_BORINGSSL)
@@ -2413,6 +2424,19 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
infof(data, "Cipher selection: %s\n", ciphers);
}
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+ {
+ char *ciphers13 = SSL_CONN_CONFIG(cipher_list13);
+ if(ciphers13) {
+ if(!SSL_CTX_set_ciphersuites(BACKEND->ctx, ciphers13)) {
+ failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers);
+ return CURLE_SSL_CIPHER;
+ }
+ infof(data, "TLS 1.3 cipher selection: %s\n", ciphers13);
+ }
+ }
+#endif
+
#ifdef USE_TLS_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP) {
char * const ssl_username = SSL_SET_OPTION(username);
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index ee5bc7a0a..bf96518bc 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -980,6 +980,14 @@ bool Curl_ssl_false_start(void)
}
/*
+ * Check whether the SSL backend supports setting TLS 1.3 cipher suites
+ */
+bool Curl_ssl_tls13_ciphersuites(void)
+{
+ return Curl_ssl->supports & SSLSUPP_TLS13_CIPHERSUITES;
+}
+
+/*
* Default implementations for unsupported functions.
*/
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index e7b87c4d3..40f9d7479 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -31,6 +31,7 @@ struct ssl_connect_data;
#define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */
#define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */
#define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */
+#define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */
struct Curl_ssl {
/*
@@ -93,6 +94,7 @@ CURLcode Curl_none_set_engine(struct Curl_easy *data, const char *engine);
CURLcode Curl_none_set_engine_default(struct Curl_easy *data);
struct curl_slist *Curl_none_engines_list(struct Curl_easy *data);
bool Curl_none_false_start(void);
+bool Curl_ssl_tls13_ciphersuites(void);
CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
unsigned char *md5sum, size_t md5len);
@@ -246,7 +248,7 @@ bool Curl_ssl_false_start(void);
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
-#else
+#else /* if not USE_SSL */
/* When SSL support is not present, just define away these function calls */
#define Curl_ssl_init() 1
@@ -270,6 +272,7 @@ bool Curl_ssl_false_start(void);
#define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
#define Curl_ssl_cert_status_request() FALSE
#define Curl_ssl_false_start() FALSE
+#define Curl_ssl_tls13_ciphersuites() FALSE
#endif
#endif /* HEADER_CURL_VTLS_H */
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index 9d995f85e..237c2bd7f 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -117,6 +117,8 @@ struct OperationConfig {
struct getout *url_ul; /* point to the node to fill in upload */
char *cipher_list;
char *proxy_cipher_list;
+ char *cipher13_list;
+ char *proxy_cipher13_list;
char *cert;
char *proxy_cert;
char *cert_type;
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index e83373c37..a9f448112 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -201,6 +201,8 @@ static const struct LongShort aliases[]= {
{"11", "tlsv1.1", ARG_NONE},
{"12", "tlsv1.2", ARG_NONE},
{"13", "tlsv1.3", ARG_NONE},
+ {"1A", "tls13-ciphers", ARG_STRING},
+ {"1B", "proxy-tls13-ciphers", ARG_STRING},
{"2", "sslv2", ARG_NONE},
{"3", "sslv3", ARG_NONE},
{"4", "ipv4", ARG_NONE},
@@ -1177,6 +1179,12 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
/* TLS version 1.3 */
config->ssl_version = CURL_SSLVERSION_TLSv1_3;
break;
+ case 'A': /* --tls13-ciphers */
+ GetStr(&config->cipher13_list, nextarg);
+ break;
+ case 'B': /* --proxy-tls13-ciphers */
+ GetStr(&config->proxy_cipher13_list, nextarg);
+ break;
}
break;
case '2':
diff --git a/src/tool_help.c b/src/tool_help.c
index 7c4dda3b0..3218cf67d 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -160,12 +160,12 @@ static const struct helptxt helptext[] = {
"Put the post data in the URL and use GET"},
{"-g, --globoff",
"Disable URL sequences and ranges using {} and []"},
- {" --happy-eyeballs-timeout-ms",
+ {" --happy-eyeballs-timeout-ms <milliseconds>",
"How long to wait in milliseconds for IPv6 before trying IPv4"},
- {"-I, --head",
- "Show document info only"},
{" --haproxy-protocol",
"Send HAProxy PROXY protocol v1 header"},
+ {"-I, --head",
+ "Show document info only"},
{"-H, --header <header/@file>",
"Pass custom header(s) to server"},
{"-h, --help",
@@ -297,7 +297,7 @@ static const struct helptxt helptext[] = {
{" --proxy-cert <cert[:passwd]>",
"Set client certificate for proxy"},
{" --proxy-cert-type <type>",
- "Client certificate type for HTTS proxy"},
+ "Client certificate type for HTTPS proxy"},
{" --proxy-ciphers <list>",
"SSL ciphers to use for proxy"},
{" --proxy-crlfile <file>",
@@ -324,6 +324,8 @@ static const struct helptxt helptext[] = {
"SPNEGO proxy service name"},
{" --proxy-ssl-allow-beast",
"Allow security flaw for interop for HTTPS proxy"},
+ {" --proxy-tls13-ciphers <ciphersuite list>",
+ "TLS 1.3 proxy cipher suites"},
{" --proxy-tlsauthtype <type>",
"TLS authentication type for HTTPS proxy"},
{" --proxy-tlspassword <string>",
@@ -337,7 +339,7 @@ static const struct helptxt helptext[] = {
{" --proxy1.0 <host[:port]>",
"Use HTTP/1.0 proxy on given port"},
{"-p, --proxytunnel",
- "Operate through a HTTP proxy tunnel (using CONNECT)"},
+ "Operate through an HTTP proxy tunnel (using CONNECT)"},
{" --pubkey <key>",
"SSH Public key file name"},
{"-Q, --quote",
@@ -362,7 +364,7 @@ static const struct helptxt helptext[] = {
"Specify request command to use"},
{" --request-target",
"Specify the target for this request"},
- {" --resolve <host:port:address>",
+ {" --resolve <host:port:address[,address]...>",
"Resolve the host+port to this address"},
{" --retry <num>",
"Retry request if transient problems occur"},
@@ -432,6 +434,8 @@ static const struct helptxt helptext[] = {
"Transfer based on a time condition"},
{" --tls-max <VERSION>",
"Use TLSv1.0 or greater"},
+ {" --tls13-ciphers <list of TLS 1.3 ciphersuites>",
+ "TLS 1.3 cipher suites to use"},
{" --tlsauthtype <type>",
"TLS authentication type"},
{" --tlspassword",
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 5be862228..0a1b1a48d 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1216,6 +1216,13 @@ static CURLcode operate_do(struct GlobalConfig *global,
my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
config->proxy_cipher_list);
+ if(config->cipher13_list)
+ my_setopt_str(curl, CURLOPT_TLS13_CIPHERS, config->cipher13_list);
+
+ if(config->proxy_cipher13_list)
+ my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
+ config->proxy_cipher13_list);
+
/* new in libcurl 7.9.2: */
if(config->disable_epsv)
/* disable it */