Use TLSv1.3 with curl if specified at all #2996
Conversation
|
Related, can someone point me at the repo for the website source code? The 1.2 option is used there, too: https://rustup.rs/ Edit: Found more places: https://github.com/search?q=org:rust-lang+rustup+tlsv1.2&type=code |
The curl option specified to use TLSv1.2 explicity while nowadays 1.3 is availalble and recommended. Switch to specifying 1.3 instead of 1.2 for the command that downloads the install script. The rustup-init.sh script itself it left with the ciphersuite selection plus 1.2 and fallbacks as is.
|
I didn't touch the logic for ciphersuite selection with 1.2 and the fallbacks. Should we create an issue for that? Edit: No, it already exists: #2581 |
|
What are the compatibility implications of this? My understanding is that the reason we specify the tls parameter is defence-in-depth to prevent down grade attacks, but we do presumably want some somewhat older OSes to be able to install still? |
|
This got discussed in rust-lang/www.rust-lang.org#1670 - I'm fine with closing this if it shouldn't stay open for the future. |
|
Closed - we can revisit if/when tls1.3 is sufficiently widespread that we're not risking hurting people |
The curl option specified to use TLSv1.2 explicity while nowadays 1.3
is availalble and recommended.
Switch to specifying 1.3 instead of 1.2 for the command that downloads
the install script. The rustup-init.sh script itself it left with the
ciphersuite selection plus 1.2 and fallbacks as is.
See rust-lang/book#3130