future support for mbedTLS' TLS 1.3? #12876
Replies: 3 comments 7 replies
-
Based on your branch I created my own version. Check if it works, I only tested with HTTP connection version 1.1. The problem here is returning an "error" that is not an error.... -0x7B00 is MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET, which occurs when curl waits for application data but gets NewSessionTicket instead. Based on the example from ssl_client2.c, this is a signal for the application to save the new ticket and then continue receiving application data. This is a surprising behavior because curl uses the MBEDTLS_SSL_SESSION_TICKETS_DISABLED option, so why does the NewSessionTicket appear? I'm not sure yet if this is ready to be published in the official branch. I'll still ask the developers of mbedtls for a comment. Anyway if you find the time let me know if my changes work in your case. |
Beta Was this translation helpful? Give feedback.
-
I have wrote a message to mbedtls. Let's see what they reply. |
Beta Was this translation helpful? Give feedback.
-
I think this topic can be marked as answered :) |
Beta Was this translation helpful? Give feedback.
-
Hey there, I wanted to leave some notes somewhere for others that might attempt to use TLS 1.3 with mbedTLS as backend as currently it is not supported and I haven't found any notes in the docs. Apologies in advance if this is not the right area - please let me know and I will move this elsewhere.
At the moment, mbedTLS has a partial implementation of TLS 1.3 which started in mbedTLS 3.1.0.
As far as the cURL CLI goes, at the moment TLS 1.3 is not allowed when using mbedTLS as the backend. Furthermore, TLS 1.3, at the time of writing, has to be enabled through
MBEDTLS_SSL_PROTO_TLS1_3
when building mbedTLS (could usescripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
).At first glance, the changes in cURL to have mbedTLS use TLS 1.3 are using
MBEDTLS_SSL_MINOR_VERSION_4
for*mbedver
ifMBEDTLS_VERSION_NUMBER >= 0x03010000
and callpsa_crypto_init()
before any handshake, I've added those changes to my branch if anybody is interested.When testing with
https://google.com
I am assuming the handshake is successful, but it breaks (Failed receiving HTTP2 data: 56(Failure when receiving data from the peer)
, using nghttp2) after the first HTTP2 GET request over TLS. Last logs from mbedTLS before breaking are:I am assuming some issues relating to sessions tickets?
I've tested this with mbedTLS
3.5.2
and cURL8.5.0
and nghttp21.52.0
(currently upgrading everything on our end).Edit:
Sorry if this might become a duplicate of #10587 as I initially searched for "TLS 1.3" but only found it later when searching for "TLS1.3"...
Beta Was this translation helpful? Give feedback.
All reactions