[Bug 1872698] Re: Curl linked against GnuTLS doesn't use TLS 1.3

Dirkjan Bussink 1872698@bugs.launchpad.net
Sat Apr 18 06:45:27 UTC 2020


Can confirm that the issue is indeed fixed after I updated to the latest
released version. Thanks for the quick turnaround!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1872698

Title:
  Curl linked against GnuTLS doesn't use TLS 1.3

Status in curl package in Ubuntu:
  Fix Released

Bug description:
  Ubuntu 20.04 ships a recent version of GnuTLS which supports TLS 1.3.
  Git uses GnuTLS for TLS through libcurl, so I had expected that it
  would also use TLS 1.3 for Git. Early last year I added TLS 1.3 on
  GitHub.com, as announced in
  https://github.blog/changelog/2019-01-15-tls13-rollout/.

  Testing shows it's not used though:

  dirkjan@x:~/curl$ cat /etc/os-release
  NAME="Ubuntu"
  VERSION="20.04 LTS (Focal Fossa)"
  ID=ubuntu
  ID_LIKE=debian
  PRETTY_NAME="Ubuntu Focal Fossa (development branch)"
  VERSION_ID="20.04"
  HOME_URL="https://www.ubuntu.com/"
  SUPPORT_URL="https://help.ubuntu.com/"
  BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
  PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
  VERSION_CODENAME=focal
  UBUNTU_CODENAME=focal
  dirkjan@x:~$ GIT_CURL_VERBOSE=1 git ls-remote https://github.com/torvalds/linux.git
  * Couldn't find host github.com in the .netrc file; using defaults
  *   Trying 192.30.255.113:443...
  * TCP_NODELAY set
  * Connected to github.com (192.30.255.113) port 443 (#0)
  * found 384 certificates in /etc/ssl/certs
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
  * 	 server certificate verification OK
  * 	 server certificate status verification SKIPPED
  * 	 common name: github.com (matched)
  * 	 server certificate expiration date OK
  * 	 server certificate activation date OK
  * 	 certificate public key: RSA
  * 	 certificate version: #3
  * 	 subject: businessCategory=Private Organization,jurisdictionOfIncorporationCountryName=US,jurisdictionOfIncorporationStateOrProvinceName=Delaware,serialNumber=5157550,C=US,ST=California,L=San Francisco,O=GitHub\, Inc.,CN=github.com
  * 	 start date: Tue, 08 May 2018 00:00:00 GMT
  * 	 expire date: Wed, 03 Jun 2020 12:00:00 GMT
  * 	 issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
  * ALPN, server accepted to use http/1.1
  > GET /torvalds/linux.git/info/refs?service=git-upload-pack HTTP/1.1
  Host: github.com
  User-Agent: git/2.25.1
  Accept: */*
  Accept-Encoding: deflate, gzip, br
  Accept-Language: en-US, *;q=0.9
  Pragma: no-cache

  * Mark bundle as not supporting multiuse
  < HTTP/1.1 200 OK
  < Server: GitHub Babel 2.0
  < Content-Type: application/x-git-upload-pack-advertisement
  < Transfer-Encoding: chunked
  < Expires: Fri, 01 Jan 1980 00:00:00 GMT
  < Pragma: no-cache
  < Cache-Control: no-cache, max-age=0, must-revalidate
  < Vary: Accept-Encoding
  < X-GitHub-Request-Id: E01C:5AF3:3377B9:45B65F:5E959D1B
  < X-Frame-Options: DENY

  As can be seen here with the "* SSL connection using TLS1.2 /
  ECDHE_RSA_AES_128_GCM_SHA256" bit, only TLS 1.2 is used.

  After further investigation, I found the problem in curl and
  submitted a fix: https://github.com/curl/curl/pull/5223. The fix was
  merged, and I also tested it manually by patching the version of curl
  shipping with 20.04 and testing there:

  dirkjan@x:~/curl$ ./src/curl --version
  curl 7.68.0-DEV (x86_64-pc-linux-gnu) libcurl/7.68.0-DEV GnuTLS/3.6.13 zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
  Release-Date: [unreleased]
  dirkjan@x:~/curl$ ./src/curl -v https://github.com > /dev/null
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 140.82.118.3:443...
  * TCP_NODELAY set
  * Connected to github.com (140.82.118.3) port 443 (#0)
  * found 128 certificates in /etc/ssl/certs/ca-certificates.crt
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * SSL connection using TLS1.3 / ECDHE_RSA_AES_128_GCM_SHA256
  * 	 server certificate verification OK
  * 	 server certificate status verification SKIPPED
  * 	 common name: github.com (matched)
  * 	 server certificate expiration date OK
  * 	 server certificate activation date OK
  * 	 certificate public key: RSA
  * 	 certificate version: #3
  * 	 subject: businessCategory=Private Organization,jurisdictionOfIncorporationCountryName=US,jurisdictionOfIncorporationStateOrProvinceName=Delaware,serialNumber=5157550,C=US,ST=California,L=San Francisco,O=GitHub\, Inc.,CN=github.com
  * 	 start date: Tue, 08 May 2018 00:00:00 GMT
  * 	 expire date: Wed, 03 Jun 2020 12:00:00 GMT
  * 	 issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
  * ALPN, server accepted to use http/1.1
  > GET / HTTP/1.1
  > Host: github.com
  > User-Agent: curl/7.68.0-DEV
  > Accept: */*
  > 
  * Mark bundle as not supporting multiuse
  < HTTP/1.1 200 OK
  < date: Tue, 14 Apr 2020 11:42:39 GMT
  < content-type: text/html; charset=utf-8

  My question here is whether you would be willing to consider including
  the patch I sent to curl in the curl package for 20.04 as well. I don't
  think it has any immediate urgency before the upcoming 20.04 release,
  but including this fix would be a huge help, not only for us at
  GitHub.com but also for all other Git hosting sites. Git is a
  significant user of curl with GnuTLS, but all other users of it are
  affected as well.

  Why is this helpful for Git hosting sites, you might ask? The world of
  TLS is ever evolving, and even today we see a practical example where
  Git on 14.04 is a limiting factor in making improvements to
  GitHub.com's TLS setup. The older GnuTLS linked with libcurl in
  14.04 doesn't support ECDHE ciphers, so enforcing only ciphers with
  forward secrecy is affected by the still large usage of 14.04.

  We would love to not have a similar problem in the future in a few
  years if it turns out TLS 1.2 needs to be deprecated and everyone
  needs to switch to TLS 1.3. By reporting this now I hope that within
  the 20.04 lifetime, TLS 1.3 can be used for Git as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1872698/+subscriptions
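A quick way to audit what a given curl or git build actually negotiates, as an added example that is not part of the bug report, of curl or of Ubuntu: a small POSIX shell script that pulls the TLS version out of the "* SSL connection using ..." line that `curl -v` and `GIT_CURL_VERBOSE=1 git ls-remote` print (the line the report points at in both transcripts) and fails when it is below 1.3. It also accepts the OpenSSL-backend spelling "TLSv1.3", which the report's GnuTLS transcripts do not show. The sample transcripts are constructed from the two runs above; `probe_curl` and `probe_git` are illustrative wrappers that need network access and are not exercised by the offline self-check.

```shell
#!/bin/sh
# Added example, not code from the bug report or from curl: read the
# verbose output of curl (-v) or git (GIT_CURL_VERBOSE=1) and check which
# TLS version was negotiated. Both backend formats are recognised:
#   GnuTLS:  * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
#   OpenSSL: * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384

# Print the negotiated version ("1.2", "1.3", ...) taken from the first
# "SSL connection using" line on stdin; print nothing if there is none.
tls_version_from_log() {
    awk '/^ *\* *SSL connection using TLS/ {
             v = $5; sub(/^TLSv?/, "", v); print v; exit
         }'
}

# Return 0 if dotted version $1 is at least $2 (e.g. version_ge 1.3 1.2).
version_ge() {
    maj1=${1%%.*}; min1=${1#*.}
    maj2=${2%%.*}; min2=${2#*.}
    [ "$maj1" -gt "$maj2" ] || { [ "$maj1" -eq "$maj2" ] && [ "$min1" -ge "$min2" ]; }
}

# Read a curl/git transcript on stdin; return 0 only if the negotiated
# version is at least $1 (default 1.3), 1 if it is lower, 2 if no
# handshake line was found (e.g. the connection failed before TLS).
require_tls_at_least() {
    want=${1:-1.3}
    got=$(tls_version_from_log)
    if [ -z "$got" ]; then
        echo "no 'SSL connection using' line found" >&2
        return 2
    fi
    if version_ge "$got" "$want"; then
        echo "OK: negotiated TLS $got (>= $want)"
        return 0
    fi
    echo "FAIL: negotiated TLS $got (< $want)" >&2
    return 1
}

# Live probes (need network; not part of the offline self-check below).
# Verbose output goes to stderr, so stderr is what is piped into the checker.
probe_curl() {  # usage: probe_curl https://github.com/
    curl -sS -o /dev/null -v "$1" 2>&1 | require_tls_at_least 1.3
}
probe_git() {   # usage: probe_git https://github.com/torvalds/linux.git
    GIT_CURL_VERBOSE=1 git ls-remote "$1" 2>&1 >/dev/null | require_tls_at_least 1.3
}

# Constructed sample transcripts modelled on the two runs in the report
# (stock 20.04 curl: TLS1.2; patched build: TLS1.3) plus an OpenSSL form.
SAMPLE_STOCK='* Connected to github.com (192.30.255.113) port 443 (#0)
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1'
SAMPLE_PATCHED='* Connected to github.com (140.82.118.3) port 443 (#0)
* SSL connection using TLS1.3 / ECDHE_RSA_AES_128_GCM_SHA256'
SAMPLE_OPENSSL='* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384'

# Offline self-check: the stock transcript should fail, the other two pass.
for s in "$SAMPLE_STOCK" "$SAMPLE_PATCHED" "$SAMPLE_OPENSSL"; do
    printf '%s\n' "$s" | require_tls_at_least 1.3 || true
done
```

Parsing the transcript is deliberately the same for curl and git, because git reuses libcurl's verbose output and the bug is in libcurl, not in git. For a stricter live check, `curl --tlsv1.3` sets 1.3 as the minimum version so curl fails instead of silently negotiating lower, but the failure text is backend-specific, whereas the "SSL connection using" line is printed by every backend and gives you the version on a build that does downgrade.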
