Package: libcurl3-gnutls Version: 7.64.0-4 Severity: normal Tags: upstream Dear Maintainer,
Debian Buster ships a recent version of GnuTLS which supports TLS 1.3. Git uses GnuTLS for TLS through libcurl, so I had expected that it also uses TLS 1.3 for Git. Since early last year, I added TLS 1.3 on GitHub.com as announced in https://github.blog/changelog/2019-01-15-tls13-rollout/. Testing shows it's not used though: vagrant@buster:~$ GIT_CURL_VERBOSE=1 git ls-remote https://github.com/torvalds/linux.git * Couldn't find host github.com in the .netrc file; using defaults * Trying 140.82.118.4... * TCP_NODELAY set * Connected to github.com (140.82.118.4) port 443 (#0) * found 384 certificates in /etc/ssl/certs * ALPN, offering h2 * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256 * server certificate verification OK * server certificate status verification SKIPPED * common name: github.com (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: RSA * certificate version: #3 * subject: businessCategory=Private Organization,jurisdictionOfIncorporationCountryName=US,jurisdictionOfIncorporationStateOrProvinceName=Delaware,serialNumber=5157550,C=US,ST=California,L=San Francisco,O=GitHub\, Inc.,CN=github.com * start date: Tue, 08 May 2018 00:00:00 GMT * expire date: Wed, 03 Jun 2020 12:00:00 GMT * issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA * compression: NULL * ALPN, server accepted to use http/1.1 > GET /torvalds/linux.git/info/refs?service=git-upload-pack HTTP/1.1 As can be seen here with the "* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256" bit, only TLS 1.2 is used. After further investigation, I found the problem in Curl, and submitted a fix: https://github.com/curl/curl/pull/5223. The fix was merged & I also manually tested this by patching the version of Curl shipping with Buster. My question here is if you all are willing to consider including the patch I sent to curl to also be applied to curl in Buster. Including this fix would be a huge help, not only for us at GitHub.com but also all other Git hosting sites. Git is a significant user of curl with GnuTLS, but also all other users are affected there as well. Why is this helpful for Git hosting sites you might ask? The world of TLS is ever evolving, and even today we see a practical examples that one of the biggest limitations is old legacy Git clients that don't support modern TLS configurations, like ECDHE. We would love to not have a similar problem in the future in a few years if it turns out TLS 1.2 needs to be deprecated and everyone needs to switch to TLS 1.3. By reporting this now I hope that within the Buster lifetime, TLS 1.3 can be used for Git as well. -- System Information: Debian Release: 10.3 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-8-amd64 (SMP w/2 CPU cores) Kernel taint flags: TAINT_CRAP Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages libcurl3-gnutls depends on: ii libc6 2.28-10 ii libcom-err2 1.44.5-1+deb10u3 ii libgnutls30 3.6.7-4+deb10u3 ii libgssapi-krb5-2 1.17-3 ii libidn2-0 2.0.5-1+deb10u1 ii libk5crypto3 1.17-3 ii libkrb5-3 1.17-3 ii libldap-2.4-2 2.4.47+dfsg-3+deb10u1 ii libnettle6 3.4.1-1 ii libnghttp2-14 1.36.0-2+deb10u1 ii libpsl5 0.20.2-2 ii librtmp1 2.4+20151223.gitfa8646d.1-2 ii libssh2-1 1.8.0-2.1 ii zlib1g 1:1.2.11.dfsg-1 Versions of packages libcurl3-gnutls recommends: ii ca-certificates 20190110 libcurl3-gnutls suggests no packages. -- no debconf information
