if you are not happy on your FIPS system with modern #curl treatment of TLSv1.3, why not simply refrain from using curl?
Or take an older version and maintain it yourself.💁🏻♂️
@icing There are also (corporate) users out there that configure their system defaults to TLS 1.2 with RSA key exchange only, because they can inspect that on their middleboxes. We all agree it's a stupid config, but it does happen. curl overwrites this; this PR would make those people happy. Common Criteria isn't the only reason for such a choice.
@neverpanic
We are making free software, but we do not work for free.
If a profit seeking entity has special needs, we are happy to talk to them about a support contract. Or they take our code and adapt/maintain it themselves.
@icing I don't think this change will have big maintenance costs, and the development work for it is already done (or you're free to ask for changes), so I have a hard time understanding the value proposition of a support contract for that - that being said, I'm not the person deciding that and I don't maintain curl in RHEL or Fedora. I'm guessing the person that does will just carry this downstream if you reject it.
In the end, it's your project. You're free to close the PR.
@icing I also don't think it's fair to represent my employer as being a leech on curl, as evidenced by the 289 merged commits from Red Hat email addresses.
@neverpanic I have no idea what you are talking about. I certainly never said such a thing.
@icing Ignoring the "Common Criteria" thing, the core thing that the PR intends to address seems to be:
- the setting for the library used by curl is configurable in a system-wide config file
- the library uses said setting by default, following user intent
- curl changes the behaviour of the library so that it does not follow that user intent
And if I phrase it like that (and ignore the whole certification theater, ugh.), the code change reads a lot more reasonable, no?
@icing good grief. Did they somehow miss the common criteria bug tracker? That TLS policy is so outdated as to be negligent. It says you must support RSA key exchange and CBC cipher suites and renegotiation 🤮 Their users should be grateful that curl disables this crap.