The maximum TLS version supported is currently 1.2. TLS 1.3 delivers security and performance benefits.
In terms of security, the distribution mechanism's security currently depends on TLS. Only with TLS 1.3 and the appropriate certificate can practical downgrade attacks be prevented. https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/
The rustup website is managed on EC2 - do you happen to know if TLS1.3 is supported by AWS?
@kinnison: I don't know. I have understood AWS uses the s2n implementation for TLS and the s2n maintainership is actively working on TLS 1.3 support (https://github.com/awslabs/s2n/issues/388).
I've re-checked and CloudFront currently still doesn't support TLS 1.3.
AFAICT TLS1.3 support is working now.
Do we enforce TLS 1.3 though?
Right now it would not be appropriate to do so because of corporate proxies etc. We will use 1.3 if it's available by preference. I imagine if a system configured openssl to require 1.3 we'd honour that (I think we read the system openssl.cnf).
There may be some work to do in rustup-init.sh to look for support in system curl/wget though actually. I'll open an issue for that.
I've filed #2581 to continue the work
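One way the curl check discussed above could look, as an added example that is not rustup's own code and covers curl only: it prefers TLS 1.3 without enforcing it, and enforces it only on request. The names `curl_tls_flags`, `help_has_option` and `REQUIRE_TLS13` are hypothetical, and the sample help text is constructed.

```shell
#!/bin/sh
# Added example (not rustup's code): choose curl TLS flags from its help text.
# REQUIRE_TLS13 is a hypothetical opt-in switch invented for this sketch.

# Constructed sample of curl help output, used when no curl is on PATH.
SAMPLE_HELP='     --proto <protocols>  Enable/disable PROTOCOLS
     --tlsv1.2            Use TLSv1.2 or greater
     --tlsv1.3            Use TLSv1.3 or greater'

# Succeeds if help text $1 lists the literal option $2.
help_has_option() {
    printf '%s\n' "$1" | grep -qF -e "$2"
}

# Print the curl flags to use, given curl's help text ($1) and whether
# TLS 1.3 is required ($2: 1 = required, anything else = preferred only).
# --tlsv1.2 / --tlsv1.3 set the *minimum* version curl will negotiate, so
# "--tlsv1.2" still lets a 1.3-capable curl and server agree on TLS 1.3.
curl_tls_flags() {
    help_text=$1
    require13=${2:-0}
    if [ "$require13" = 1 ]; then
        if help_has_option "$help_text" "--tlsv1.3"; then
            echo "--proto =https --tlsv1.3"
            return 0
        fi
        echo "curl lacks --tlsv1.3; refusing to fall back" >&2
        return 1
    fi
    if help_has_option "$help_text" "--tlsv1.2"; then
        echo "--proto =https --tlsv1.2"
        return 0
    fi
    # No way to set a TLS floor from the command line: fail closed.
    echo "curl too old to set a minimum TLS version" >&2
    return 1
}

# Stand-alone use: inspect the curl on PATH, else the constructed sample.
# "--help all" is needed because newer curl prints only a short summary
# for a bare --help.
if command -v curl >/dev/null 2>&1; then
    curl_tls_flags "$(curl --help all 2>/dev/null)" "${REQUIRE_TLS13:-0}" || true
else
    curl_tls_flags "$SAMPLE_HELP" "${REQUIRE_TLS13:-0}" || true
fi
```

With the default setting, a corporate proxy that only speaks TLS 1.2 still works, while a direct connection to a 1.3-capable server negotiates 1.3.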