ios_system
[Request] Update curl to support TLS v1.3
Currently, ios_system's curl can't download HTTPS site's contents using TLS v1.3.
I think that you built curl 7.51.0 with the --with-darwinssl flag. If so, is it possible to update curl to 7.56.1 or later?
curl with darwinssl has supported TLS v1.3 since 7.56.1.
Actually, curl with darwinssl doesn't support TLS 1.3 because SecureTransport doesn't support TLS 1.3; see https://github.com/curl/curl/issues/4524.
So we need to build cURL with another SSL library, such as OpenSSL, LibreSSL, NSS, etc.
Just curious, what SSL library is the macOS default curl (/usr/bin/curl) built with? It supports TLS 1.3 at least on macOS 13.4.
It seems that macOS Ventura bundles LibreSSL 3.3.6, which supports TLS 1.3, so macOS's curl is probably built with it.
This issue appears to be resolved in a-Shell 1.12.2. Should I close it?
$ curl -v --tlsv1.3 --head https://1.1.1.1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 1.1.1.1:443...
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* ALPN: offers http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [225 bytes data]
* CAfile: /private/var/containers/Bundle/Application/A76E41CB-D4B6-488F-9722-1BDA7BA041A8/a-Shell.app/cacert.pem
* CApath: none
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [21 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2598 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
* start date: Jan 12 00:00:00 2023 GMT
* expire date: Jan 11 23:59:59 2024 GMT
* subjectAltName: host "1.1.1.1" matched cert's IP address!
* issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
* SSL certificate verify ok.
* using HTTP/1.1
} [5 bytes data]
> HEAD / HTTP/1.1
> Host: 1.1.1.1
> User-Agent: curl/8.1.2
> Accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Wed, 23 Aug 2023 18:10:12 GMT
Date: Wed, 23 Aug 2023 18:10:12 GMT
< Content-Type: text/html
Content-Type: text/html
< Connection: keep-alive
Connection: keep-alive
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QtEXADrzYRTQvgUO2v7BXLzUi1rSs2eI8p1UtRDdVGCFZ3abZjYxmgT4%2B1yKHoSI%2FfNkiLAHE2H8ohadRI9rm0LA6qG0cZlNw7pIBz9udrKPUd4pI3VIyIg%3D"}],"group":"cf-nel","max_age":604800}
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QtEXADrzYRTQvgUO2v7BXLzUi1rSs2eI8p1UtRDdVGCFZ3abZjYxmgT4%2B1yKHoSI%2FfNkiLAHE2H8ohadRI9rm0LA6qG0cZlNw7pIBz9udrKPUd4pI3VIyIg%3D"}],"group":"cf-nel","max_age":604800}
< NEL: {"report_to":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
< Last-Modified: Fri, 21 Jul 2023 21:11:33 GMT
Last-Modified: Fri, 21 Jul 2023 21:11:33 GMT
< Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
< Served-In-Seconds: 0.002
Served-In-Seconds: 0.002
< Cache-Control: public, max-age=14400
Cache-Control: public, max-age=14400
< CF-Cache-Status: HIT
CF-Cache-Status: HIT
< Age: 549
Age: 549
< Expires: Wed, 23 Aug 2023 22:10:12 GMT
Expires: Wed, 23 Aug 2023 22:10:12 GMT
< Set-Cookie: __cf_bm=PkNHLEZabTk_K9ZSoEsYI8ffSv7RNZYIsY7ykvCzxxE-1692814212-0-AagKbzzk5bl9iMvDTS0kCiXmxTtpcWI6WVXFS1dDkl0qw6Lb41o4WMUJbMSTISiP9d5C0EmMspyHIyIKZFxtnHU=; path=/; expires=Wed, 23-Aug-23 18:40:12 GMT; domain=.every1dns.com; HttpOnly; Secure; SameSite=None
Set-Cookie: __cf_bm=PkNHLEZabTk_K9ZSoEsYI8ffSv7RNZYIsY7ykvCzxxE-1692814212-0-AagKbzzk5bl9iMvDTS0kCiXmxTtpcWI6WVXFS1dDkl0qw6Lb41o4WMUJbMSTISiP9d5C0EmMspyHIyIKZFxtnHU=; path=/; expires=Wed, 23-Aug-23 18:40:12 GMT; domain=.every1dns.com; HttpOnly; Secure; SameSite=None
< Server: cloudflare
Server: cloudflare
< CF-RAY: 7fb54f9dfc4b0aa8-NRT
CF-RAY: 7fb54f9dfc4b0aa8-NRT
< alt-svc: h3=":443"; ma=86400
alt-svc: h3=":443"; ma=86400
<
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connection #0 to host 1.1.1.1 left intact
$ curl -V
curl 8.1.2 (x86_64-apple-darwin22.5.0) libcurl/8.1.2 OpenSSL/1.1.1k zlib/1.2.12
Release-Date: 2023-05-30
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL threadsafe TLS-SRP UnixSockets
Yes, I updated curl to a more advanced version in the latest TestFlight. I didn't expect it to solve this issue as well, but that's a nice bonus.
Thank you so much!
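The check performed in the thread above (read the TLS library from the curl -V version line, then confirm the negotiated protocol in the curl -v log), written as an added shell example that is not part of the original thread or of ios_system. Function names are hypothetical; sample lines are either copied from the thread or constructed, as marked in the comments.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of curl or a-Shell.

# List the TLS library tokens on the first line of `curl -V` output.
# Only the backends named in the thread are recognised.
curl_tls_backends() {
  printf '%s\n' "$1" | tr ' ' '\n' | tr -d '()' |
    grep -E '^(OpenSSL|LibreSSL|NSS)/|^SecureTransport$' |
    tr '\n' ' ' | sed 's/ $//'
}

# True when SecureTransport is the only TLS backend, the build the thread
# reports as unable to negotiate TLS 1.3.
securetransport_only() {
  [ "$(curl_tls_backends "$1")" = "SecureTransport" ]
}

# Print "<protocol> <cipher>" from the "SSL connection using" line of a
# `curl -v` log; prints nothing if no handshake completed.
negotiated_tls() {
  printf '%s\n' "$1" |
    sed -n 's|^\* SSL connection using \([^ ]*\) / \([^ ]*\).*|\1 \2|p' |
    head -n 1
}

# Succeed only if the log shows a completed TLS 1.3 handshake.
is_tls13() {
  case "$(negotiated_tls "$1")" in
    "TLSv1.3 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Version line copied from the `curl -V` output in the thread.
ASHELL_LINE='curl 8.1.2 (x86_64-apple-darwin22.5.0) libcurl/8.1.2 OpenSSL/1.1.1k zlib/1.2.12'
# Constructed: a SecureTransport-only build and a macOS-style LibreSSL build.
ST_LINE='curl 7.51.0 (x86_64-apple-darwin16.0) libcurl/7.51.0 SecureTransport zlib/1.2.8'
MAC_LINE='curl 8.1.2 (x86_64-apple-darwin22.0) libcurl/8.1.2 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.11'
# Handshake line copied from the thread's log, and a constructed TLS 1.2 line.
LOG13='* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384'
LOG12='* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256'

for line in "$ASHELL_LINE" "$ST_LINE" "$MAC_LINE"; do
  printf '%s -> %s\n' "${line%% libcurl/*}" "$(curl_tls_backends "$line")"
done
# Live use: curl_tls_backends "$(curl -V | head -n 1)"
#           is_tls13 "$(curl -sv --tlsv1.3 --head https://1.1.1.1 2>&1)"
```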