Require TLS when using curl #1277
Conversation
Our usage of `curl` could be vulnerable to protocol downgrade attacks. This change updates most of our usage of curl--especially when fetching executable resources--with the following command-line flags:

* `--proto '=https'` forces use of HTTPS. This ensures that dropping `https://` from a URL will cause the command to fail instead of reverting to use unsecured HTTP.
* `--tlsv1.3` disables the use of older TLS versions. This flag was added to curl in 2016, which now seems old enough to be a reasonable default.
* `-f|--fail` ensures that curl does not output anything to stdout when a non-2xx response is received.
* `-S|--show-error` causes errors to be printed to stderr (when `-s|--silent` is used).

Related to linkerd/linkerd2#7593

Signed-off-by: Oliver Gould <[email protected]>
Looks like you mostly targeted 2.10 docs and not 2.11?
On macOS Big Sur, these commands fail because the default version of LibreSSL doesn't have TLS 1.3 support built in. `--tlsv1.2` works, though. Do we need to have two sets of instructions like we do in other places?
We should update this to be
Edit: oops, I see @cpretzer beat me to the scoop.

On my 2020 M1 Mac running Big Sur (i.e. reasonably up-to-date), I get:

```
❯ curl --proto '=https' --tlsv1.3 -sSfL https://buoyant.cloud/install
curl: (4) LibreSSL was built without TLS 1.3 support
```
@cpretzer does this look okay now?
LGTM 🚢
Apologies for the late review here. The updated
It's likely I could install a compatible version of
@klingerf this is flagging that this isn't using https! So it's working as intended :) we should update that link to be https://buoyant.cloud...
#1277 missed one URL. This fixes it.

Signed-off-by: Oliver Gould <[email protected]>
Our usage of `curl` could be vulnerable to protocol downgrade attacks. This change updates most of our usage of curl--especially when fetching executable resources--with the following command-line flags:

* `--proto '=https'` forces use of HTTPS. This ensures that dropping `https://` from a URL will cause the command to fail instead of reverting to use unsecured HTTP.
* `--tlsv1.2` disables the use of older TLS versions.
* `-f|--fail` ensures that curl does not output anything to stdout when a non-2xx response is received.
* `-S|--show-error` causes errors to be printed to stderr (when `-s|--silent` is used).

Related to linkerd/linkerd2#7593

Signed-off-by: Oliver Gould <[email protected]>
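The hardened invocation this PR describes, together with the TLS 1.2 fallback the reviewers ran into on macOS, as an added example that is not part of the PR or of the linkerd website repo; the `fetch_https` function name and the example.invalid URL are assumptions.

```shell
#!/bin/sh
# Added example (not a script from the linkerd website repo): a wrapper that
# applies the curl flags introduced in this PR and handles the failure seen in
# the review, where macOS LibreSSL is built without TLS 1.3.
#
#   --proto '=https'  refuse anything but https:// (a stripped scheme fails
#                     instead of silently falling back to plain HTTP)
#   --tlsv1.3/1.2     floor the TLS version; older versions are refused
#   -f                no body on stdout for non-2xx responses, so an HTML
#                     error page never reaches a downstream `sh`
#   -sS               quiet, but still print errors to stderr

# Fetch $1 over HTTPS. Try a TLS 1.3 floor first and retry with a TLS 1.2
# floor only when curl exits with status 4 (CURLE_NOT_BUILT_IN), i.e. the
# local TLS backend has no TLS 1.3 at all. Any other failure (for example
# exit 22 from -f on a 404) is returned unchanged, never retried.
fetch_https() {
    url=$1
    # Belt and braces: refuse non-HTTPS URLs with a clear message before
    # curl is even invoked; --proto '=https' enforces the same rule in curl.
    case "$url" in
        https://*) ;;
        *)
            echo "fetch_https: refusing non-HTTPS URL: $url" >&2
            return 1
            ;;
    esac

    curl --proto '=https' --tlsv1.3 -sSfL "$url" && return 0
    rc=$?
    if [ "$rc" -eq 4 ]; then
        echo "fetch_https: TLS 1.3 not built into this curl; retrying with --tlsv1.2" >&2
        curl --proto '=https' --tlsv1.2 -sSfL "$url"
        return $?
    fi
    return "$rc"
}

# Usage (constructed placeholder URL):
#   fetch_https https://example.invalid/install > install.sh
```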