Investigate and implement support for TLS1.3 in rustup-init.sh
#2581
Comments
I think we're good to go already. We use
That's still opportunistic. If we want to force 1.3 we'd need to say
Only if you decide that you needn't be compatible with older clients. But that is contrary to the logic you describe in your opening post. Instead, you may want to turn this into a feature to warn users about imperfect security during their usage.
Pretty sure all modern browsers will use TLS1.3, so detecting that their browser supports it won't be very predictive - although I see OS detection is already done for some. Curl's changelog indicates tls1.3 was added in 7.52.0 - December 21 2016. A quick pkgs search indicates that a lot would be fine. Highlighting the major ones (IMHO) that would not support tls1.3: Cent/RHEL 6 and Ubuntu 14.04 are both in some sort of enterprisey life support mode. Ubuntu 16.04 goes into enterprisey life support mode in April 2021. CentOS 7 in 2024.
Sounds like @sanmai-NL is right then, perhaps we just accept that we'll opportunistically upgrade to 1.3 on almost every platform and not worry too much about the few left that @BryanQuigley identified?
Cloudflare lets me see different TLS versions in usage - does Cloudfront?
The change was done now for the initial curl command that downloads the script: rust-lang/book#3130 I didn't touch the script itself, though, because it's easier for users to fix the curl argument in the copy-pasted command line if they experience incompatibilities and report the problem before we switch the script logic and introduce a problem deep inside it which users can't work around easily.
As pointed out again in rust-lang/www.rust-lang.org#1670, the curl TLS 1.2 flag already uses 1.3 if possible. I think it's ok to leave it like that unless TLS 1.2 is broken for the use case at hand, which is limited to authentication of the content.
@kinnison Given how this thread concluded, I think it can be closed.
I don't think this aligns with the discussion in the rest of this thread - i.e. changing to 1.3 hurts some people (whose clients don't support 1.3 - like #3120) without benefitting others, who get auto-upgraded when 1.2 is specified. The latter two PRs seem to have reached a similar conclusion. I think the first should be reverted, right?
Supporting TLS 1.2 harms the persons paying for hosting due to lesser performance, and the user in their security (integrity of the executable downloaded). Accepting TLS 1.2 as minimum in the user instructions entails that should the client use the Internet under the control of an oppressive entity, they are then more at risk than they were before. It's a choice you may make, but given that the user issue has popped up only now, many years after TLS 1.3 support was added to curl, it suggests it is an anomaly and that it is best resolved by those few users themselves.
The current consensus within these issues is clearly not to break such users, including but not limited to reasoning about LTS releases. You previously said the 1.2 flag was good already due to the protocol auto-upgrading. I think nobody whose client supports 1.3 is adding server costs or compromising their security? Did you change your mind? If so, it might be good to argue that case in the latter two tickets so that things are consistent. I don’t see the upside of that approach myself.
Whatever fronts https://rustup.rs now supports TLS1.3 - we should look into what it'd take to detect support in the system `curl` or `wget` binaries in order to adjust `rustup-init.sh` to support TLS1.3.

Also we should see if there's any hope we can detect the TLS version used to visit https://rustup.rs/ and offer a TLS1.3 install command to copy/paste if that's possible.
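The detection the issue asks about, as an added example that is not part of rustup-init.sh or of this thread: a POSIX sh helper that reads the first line of `curl --version` and decides whether the installed curl can be given `--tlsv1.3`, falling back to `--tlsv1.2` otherwise. It assumes the 7.52.0 threshold quoted in the thread; the banners it is fed are constructed, and a version check alone does not prove that curl's TLS backend (e.g. the OpenSSL build it links) negotiates 1.3, so treat a "yes" as a necessary rather than sufficient condition.

```shell
#!/bin/sh
# Added example, not rustup's own code. Picks a curl minimum-TLS flag from the
# `curl --version` banner. Assumption (from the thread): --tlsv1.3 exists since
# curl 7.52.0. Backend support is not checked here.

# Print "yes" if dotted version $1 >= $2 (up to three numeric components,
# missing components count as 0), else "no".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) { print "yes"; exit }
            if (xi < yi) { print "no"; exit }
        }
        print "yes"
    }'
}

# Extract "7.68.0" from a banner like "curl 7.68.0 (x86_64-pc-linux-gnu) ...".
# Prints nothing if the first line does not look like a curl banner.
curl_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# "yes" if the banner comes from a curl new enough to accept --tlsv1.3.
curl_supports_tls13() {
    ver=$(curl_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo no
        return
    fi
    version_ge "$ver" "7.52.0"
}

# Choose the minimum-version flag for the download command.
curl_tls_flag() {
    if [ "$(curl_supports_tls13 "$1")" = yes ]; then
        echo "--tlsv1.3"
    else
        echo "--tlsv1.2"
    fi
}

# Constructed sample banners (not captured from real systems).
BANNER_NEW='curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11'
BANNER_OLD='curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.3'

echo "new banner -> $(curl_tls_flag "$BANNER_NEW")"   # --tlsv1.3
echo "old banner -> $(curl_tls_flag "$BANNER_OLD")"   # --tlsv1.2

# Live check against the local curl, skipped when curl is absent.
if command -v curl >/dev/null 2>&1; then
    echo "local curl -> $(curl_tls_flag "$(curl --version 2>/dev/null | head -n 1)")"
fi
```

Because the thread notes that `--tlsv1.2` already negotiates 1.3 when both ends support it, the practical value of this check is the failure case: a curl that rejects `--tlsv1.3` outright would otherwise abort the install with an unknown-option error rather than downgrade.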