Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL/TLS requirements #1232

Open
szepeviktor opened this issue Aug 19, 2023 · 7 comments
Open

SSL/TLS requirements #1232

szepeviktor opened this issue Aug 19, 2023 · 7 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@szepeviktor
Copy link
Contributor

szepeviktor commented Aug 19, 2023
edited

Hello!
I use these wget options to download stuff.

wget --secure-protocol=TLSv1_3 --max-redirect=1 --retry-on-host-error --retry-connrefused --tries=3

I think all of these can be told to lychee except minimum TLS version.

Do you plan to support that?
@mre
Copy link
Member

mre commented Aug 23, 2023
edited

Yeah, good idea.
Some of it is already supported.

We have

  • --max-redirects, which defaults to 5
  • --max-retries, which defaults to 3

We are missing

  • --retry-on-host-error: I'm undecided about that one. The docs say: Consider host errors, such as “Temporary failure in name resolution”, as non-fatal, transient errors”. From my experience, DNS errors are usually not resolved within a couple seconds in between retries, so maybe the use for that is limited?
  • --retry-connrefused: Same here; connection issues are rarely transient, from what I saw.

For reference, our retry handling is at https://github.com/lycheeverse/lychee/blob/master/hee-lib/src/retry.rs.

In regard to the TLS version, did I understand correctly that you'd like to have a way to specify the TLS version?

We can discuss the missing options.

@szepeviktor
Copy link
Contributor Author

szepeviktor commented Aug 23, 2023
edited

you'd like to have a way to specify the TLS version?

I'd like to count only TLSv1.3 compatible webservers as valid links.
Apache httpd supports it 5 years ago.

@mre
Copy link
Member

mre commented Aug 23, 2023

Interesting use-case

@mre
Copy link
Member

mre commented Aug 27, 2023

I'm not against adding support for that, but I will not add it myself. I'd appreciate a pull request, though.
The way I currently think about it would be to add --min-tls arg, which supports constants such as --min-tls=TLSv1_3. We could reuse the wget naming conventions for the variants if it makes sense. Open for suggestions.

@mre mre added enhancement New feature or request help wanted Extra attention is needed labels Aug 27, 2023
@szepeviktor
Copy link
Contributor Author

All right.
For me a Hello World is impossible in Rust as I do not know the syntax.

@HU90m
Copy link
Contributor

HU90m commented Sep 4, 2023

The implementation isn't too complicated.

There is, however, one hicup: reqwest::ClientBuilder::min_tls_version states the following.

A value of tls::Version::TLS_1_3 will cause an error with the native-tls/default-tls backend. This does not mean the version isn’t supported, just that it can’t be set as a minimum due to technical limitations.

Looking at seanmonstar/reqwest#1315, it appears this is because native-tls doesn't allow one to specify the use of TLSv1_3, and so it can't be set as the minimum version.

HU90m added a commit to HU90m/lychee that referenced this issue Sep 4, 2023
@HU90m
WIP implementation of TLS min version see lycheeverse#1232
84a7d5c
@mre
Copy link
Member

mre commented Sep 4, 2023

Good progress. I don't know what we could do with TLS 1.3. Maybe we print an error with nativetls and support it with rustls?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mre @szepeviktor @HU90m