| Field | Value | Date |
|---|---|---|
| author | Wyatt O'Day <wyatt@wyday.com> | 2022-07-22 10:45:28 -0400 |
| committer | Jay Satiro <raysatiro@yahoo.com> | 2022-08-02 13:54:31 -0400 |
| commit | 8beff4355956e3d18ceb3afc21c1f3edec82543c (patch) | |
| tree | a3b88841c8d8ce2928eef3bd46433e74adf145da /docs | |
| parent | 92179353e5cac4cfb294a1fdcbdbf5d682fc40a1 (diff) | |
| download | curl-8beff4355956e3d18ceb3afc21c1f3edec82543c.tar.gz | |
schannel: Add TLS 1.3 support
- Support TLS 1.3 as the default max TLS version for Windows Server 2022 and Windows 11.
- Support specifying TLS 1.3 ciphers via existing option
CURLOPT_TLS13_CIPHERS (tool: --tls13-ciphers).
Closes https://github.com/curl/curl/pull/8419
Diffstat (limited to 'docs')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | docs/CIPHERS.md | 13 |
| -rw-r--r-- | docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3 | 2 |
| -rw-r--r-- | docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3 | 11 |

3 files changed, 19 insertions, 7 deletions
diff --git a/docs/CIPHERS.md b/docs/CIPHERS.md index e1df7642c..ff35ff283 100644 --- a/docs/CIPHERS.md +++ b/docs/CIPHERS.md @@ -6,7 +6,8 @@ and [`--ciphers`](https://curl.se/docs/manpage.html#--ciphers) users can control which ciphers to consider when negotiating TLS connections. -TLS 1.3 ciphers are supported since curl 7.61 for OpenSSL 1.1.1+ with options +TLS 1.3 ciphers are supported since curl 7.61 for OpenSSL 1.1.1+, and since +curl 7.85 for SChannel with options [`CURLOPT_TLS13_CIPHERS`](https://curl.se/libcurl/c/CURLOPT_TLS13_CIPHERS.html) and [`--tls13-ciphers`](https://curl.se/docs/manpage.html#--tls13-ciphers) @@ -521,6 +522,16 @@ documentation](https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-ciphe Note that the supported ciphers in this case follow the OS version, so if you are running an outdated OS you might still be supporting weak ciphers. +### TLS 1.3 cipher suites + +(Note these ciphers are set with `CURLOPT_TLS13_CIPHERS` and `--tls13-ciphers`) + +`TLS_AES_256_GCM_SHA384` +`TLS_AES_128_GCM_SHA256` +`TLS_CHACHA20_POLY1305_SHA256` +`TLS_AES_128_CCM_8_SHA256` +`TLS_AES_128_CCM_SHA256` + ## BearSSL BearSSL ciphers can be specified by either the OpenSSL name (`ECDHE-RSA-AES128-GCM-SHA256`) or the IANA name (`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`). diff --git a/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3 b/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3 index fc41b0d11..5835d3413 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3 @@ -58,7 +58,7 @@ CURL *curl = curl_easy_init(); if(curl) { curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/"); curl_easy_setopt(curl, CURLOPT_PROXY_TLS13_CIPHERS, - "TLS13-CHACHA20-POLY1305-SHA256"); + "TLS_CHACHA20_POLY1305_SHA256"); ret = curl_easy_perform(curl); curl_easy_cleanup(curl); } diff --git a/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3 b/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3 index 2349d4e17..5521a1ebb 100644 
--- a/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3 +++ b/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3 @@ -41,8 +41,8 @@ you will find more details about cipher lists on this URL: https://curl.se/docs/ssl-ciphers.html This option is currently used only when curl is built to use OpenSSL 1.1.1 or -later. If you are using a different SSL backend you can try setting TLS 1.3 -cipher suites by using the CURLOPT_SSL_CIPHER_LIST option. +later or SChannel. If you are using a different SSL backend you can try +setting TLS 1.3 cipher suites by using the CURLOPT_SSL_CIPHER_LIST option. The application does not have to keep the string around after setting this option. @@ -56,14 +56,15 @@ CURL *curl = curl_easy_init(); if(curl) { curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/"); curl_easy_setopt(curl, CURLOPT_TLS13_CIPHERS, - "TLS13-CHACHA20-POLY1305-SHA256"); + "TLS_CHACHA20_POLY1305_SHA256"); ret = curl_easy_perform(curl); curl_easy_cleanup(curl); } .fi .SH AVAILABILITY -Added in 7.61.0. -Available when built with OpenSSL >= 1.1.1. +Added in 7.61.0 for OpenSSL. Available when built with OpenSSL >= 1.1.1. + +Added in 7.85.0 for SChannel. .SH RETURN VALUE Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise. .SH "SEE ALSO" |
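Review bot: In the docs/CIPHERS.md hunk at @@ -6,7 +6,8 @@, the rewritten sentence now attaches "with options CURLOPT_TLS13_CIPHERS ... and --tls13-ciphers" to the SChannel clause only, so a reader can take it to mean OpenSSL uses different options. Suggest moving the option names ahead of the backend list, e.g. "TLS 1.3 ciphers can be selected with options `CURLOPT_TLS13_CIPHERS` and `--tls13-ciphers`; this is supported since curl 7.61 for OpenSSL 1.1.1+ and since curl 7.85 for SChannel."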
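Review bot: The new "TLS 1.3 cipher suites" section in docs/CIPHERS.md (hunk @@ -521,6 +522,16 @@) is missing the OS-version caveat that the paragraph right above it gives for the other Schannel ciphers ("the supported ciphers in this case follow the OS version"). Since the commit message limits TLS 1.3 to Windows Server 2022 and Windows 11, add a sentence after the parenthetical saying that these suites are only negotiable on those OS versions and that asking for them on an older OS will not silently enable TLS 1.3. The `TLS_AES_128_CCM_8_SHA256` entry (8-octet authentication tag, as the name indicates) is also worth marking as listed for completeness rather than as a recommended choice, so readers building an allow-list do not copy the whole block verbatim.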
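Review bot: The docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3 hunk at @@ -58,7 +58,7 @@ only renames the example string; the description sentence ("currently used only when curl is built to use OpenSSL 1.1.1 or later") and the AVAILABILITY section are not updated the way CURLOPT_TLS13_CIPHERS.3 is in the later hunks, and the diffstat confirms only these 2 lines changed in the proxy page. If proxy connections also honour TLS 1.3 cipher selection under SChannel after this change, mirror the "or SChannel" and "Added in 7.85.0 for SChannel" edits here; if they do not, state that in the commit message so the matching example string is not read as implying proxy support. The rename itself (`"TLS13-CHACHA20-POLY1305-SHA256"` to `"TLS_CHACHA20_POLY1305_SHA256"`) is consistent with the same change on the CURLOPT_TLS13_CIPHERS.3 page.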
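Review bot: Wording in the CURLOPT_TLS13_CIPHERS.3 hunk at @@ -41,8 +41,8 @@: "built to use OpenSSL 1.1.1 or later or SChannel" chains two "or"s and can be misread as "1.1.1, or later-or-SChannel". Suggest "built to use OpenSSL 1.1.1 or later, or SChannel." The following sentence about CURLOPT_SSL_CIPHER_LIST for other backends is unchanged and still reads correctly after the split.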
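Review bot: In the CURLOPT_TLS13_CIPHERS.3 hunk at @@ -56,14 +56,15 @@, the EXAMPLE still discards the return value of `curl_easy_setopt(curl, CURLOPT_TLS13_CIPHERS, ...)`, while the RETURN VALUE section a few lines below says it returns CURLE_NOT_BUILT_IN on backends without support. A program copying this example on such a backend would proceed to `curl_easy_perform` with the backend's default suites instead of the restricted list it asked for. Since this hunk already touches the setopt line, suggest checking it, e.g. `if(curl_easy_setopt(curl, CURLOPT_TLS13_CIPHERS, "TLS_CHACHA20_POLY1305_SHA256") != CURLE_OK) { /* backend cannot restrict TLS 1.3 suites */ }`, before the perform call. The AVAILABILITY rewrite ("Added in 7.61.0 for OpenSSL." / "Added in 7.85.0 for SChannel.") is clear as written.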