
TLS: use distinct ciphersuites and extensions for TLS 1.2 and TLS 1.3 #24316


Open: wants to merge 2 commits into base: master

Conversation

jedisct1
Contributor

@jedisct1 jedisct1 commented Jul 1, 2025

Do not try to use TLS 1.3-specific ciphersuites and extensions with TLS 1.2. And the other way round.

If a TLS 1.3 handshake fails, retry with TLS 1.2.

This fixes connections with hosts such as ziglang.freetls.fastly.net
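The version gating and the 1.3-then-1.2 retry described above, as an added example in Python (not code from this PR or from Zig's std.crypto.tls). The cipher-suite and extension numbers are IANA registry values; the function names and the TLS 1.2-only server stand-in are constructed here.

```python
# Added example: keep TLS 1.3-only and TLS 1.2-only cipher suites / extensions
# out of each other's ClientHello, and retry with 1.2 when a 1.3 handshake fails.
import struct

TLS12, TLS13 = 0x0303, 0x0304
SUITES_13 = [0x1301, 0x1302, 0x1303]          # TLS_AES_*_GCM_*, TLS_CHACHA20_POLY1305 (1.3 only)
SUITES_12 = [0xC02B, 0xC02F, 0xCCA9, 0xCCA8]  # ECDHE AEAD suites (1.2 only)
EXT_SERVER_NAME, EXT_GROUPS, EXT_EC_POINT_FORMATS = 0, 10, 11
EXT_SIG_ALGS, EXT_SUPPORTED_VERSIONS, EXT_PSK_MODES, EXT_KEY_SHARE = 13, 43, 45, 51
ONLY_13 = {EXT_SUPPORTED_VERSIONS, EXT_PSK_MODES, EXT_KEY_SHARE}  # meaningless to a 1.2 peer
ONLY_12 = {EXT_EC_POINT_FORMATS}                                   # not used by TLS 1.3

def client_hello_parts(version):
    """Return (cipher_suites, extension_types) for exactly one offered version."""
    common = [EXT_SERVER_NAME, EXT_GROUPS, EXT_SIG_ALGS]
    if version == TLS13:
        return SUITES_13, common + sorted(ONLY_13)
    if version == TLS12:
        return SUITES_12, common + sorted(ONLY_12)
    raise ValueError(f"unsupported version {version:#06x}")

def encode_cipher_suites(suites):
    """Wire form of the cipher_suites vector: u16 byte length, then u16 values."""
    return struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)

def check_hello(version, suites, exts):
    """Defensive invariant: a hello must not mix in the other version's items."""
    foreign_suites = set(suites) & set(SUITES_13 if version == TLS12 else SUITES_12)
    foreign_exts = set(exts) & (ONLY_13 if version == TLS12 else ONLY_12)
    return not foreign_suites and not foreign_exts

def connect_with_fallback(handshake):
    """Offer TLS 1.3 first; on failure retry once with a TLS 1.2-only hello.
    `handshake(version, suites, exts)` stands in for the real exchange."""
    for version in (TLS13, TLS12):
        suites, exts = client_hello_parts(version)
        assert check_hello(version, suites, exts)
        try:
            return handshake(version, suites, exts)
        except ConnectionError:
            continue
    raise ConnectionError("no mutually supported TLS version")

def tls12_only_server(version, suites, exts):
    """Constructed stand-in for a host that only speaks TLS 1.2."""
    if version != TLS12 or EXT_KEY_SHARE in exts:
        raise ConnectionError("handshake failure")
    return version
```

Note that retrying on any failure is a silent downgrade; TLS 1.3's downgrade sentinel in ServerHello.random (RFC 8446 section 4.1.3) is what lets a 1.3-capable peer detect it, so a real client should still verify that value on the retried connection.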

@andrewrk andrewrk self-requested a review July 1, 2025 14:19
@jedisct1 jedisct1 closed this Jul 1, 2025
@mlugg
Member

mlugg commented Jul 1, 2025

The added comptime parameters aren't okay IMO. They mean that the whole init function could be duplicated in the binary (once for TLS 1.2, once for 1.3). Instead, just have one normal runtime parameter, and put the small amount of added logic behind conditionals as needed.

@andrewrk
Member

andrewrk commented Jul 1, 2025

In my branch I have the entire Client being non-generic, including the init function. Since TLS client is a leaf node I can port that work to be mergeable before the whole sub-project is finished.

@mlugg
Member

mlugg commented Jul 1, 2025

(for context, this bug is blocking adding a tarball mirror; see ziglang/www.ziglang.org#492.)

@jedisct1
Contributor Author

jedisct1 commented Jul 1, 2025

The problem is the retry logic (jedisct1@a9c9e83). http/Client.zig doesn't look like the right place for it, but I don't see that being in tls/Client.zig either.

@jedisct1 jedisct1 reopened this Jul 1, 2025
jedisct1 added 2 commits July 1, 2025 23:00
… 1.3

Do not try to use TLS 1.3-specific ciphersuites and extensions with
TLS 1.2. And the other way round.

If a TLS 1.3 handshake fails, retry with TLS 1.2.

This fixes connections with hosts such as ziglang.freetls.fastly.net
mlugg added a commit to ziglang/www.ziglang.org that referenced this pull request Jul 2, 2025
Minimizing the amount of code running on the website machine is
important to avoid potential security vulnerabilities.

Since we now need to fetch Zig (rather than it being preinstalled), also
update `check-mirrors` to the latest Zig dev version. We'll want to do
this soon anyway due to ziglang/zig#24316 blocking #492.