
rustup TLS warning with newer curl versions (v8.10.0+) #4045

SergioSierraJr opened this issue Oct 8, 2024 · 2 comments · Fixed by #4046

SergioSierraJr commented Oct 8, 2024

Verification

Problem

Basically, from what I was told by a user on the Discord server, rustup's check depends on the help text, which has apparently changed, so it doesn't see the TLS flag as a possibility. This is an issue with curl because of how it changed.

Steps

  1. Run curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
  2. That's it; you just get the following error messages when you run the script:

Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure
Warning: Not enforcing TLS v1.2, this is potentially less secure

Possible Solution(s)

Though not a solution, running this before running the script appears to fix the issue

export RUSTUP_TLS_CIPHERSUITES="TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"

Notes

Apparently, the commit that caused this issue was
curl/curl@9a0cf56#diff-c7bff4c78be0ebe9d665d8a58b8794215b1b679d6e6719616e1738f1d6ca6570L53

Rustup version

Affects curl versions 8.10.0 and above

Installed toolchains

Not applicable, first time installing.

OS version

Alpine 8.20

djc changed the title from "Rutup tls warning" to "rustup TLS warning with newer curl versions" on Oct 9, 2024
rami3l changed the title from "rustup TLS warning with newer curl versions" to "rustup TLS warning with newer curl versions (v8.10.0+)" on Oct 11, 2024
rami3l (Member) commented Oct 11, 2024

@SergioSierraJr Thanks for filing this issue! Yes, we're using --help output since it's the easiest way so far to check whether a flag is supported:

rustup/rustup-init.sh

Lines 641 to 645 in a497b15

_err=$(curl $_retry --proto '=https' --tlsv1.2 --ciphers "$_ciphersuites" --silent --show-error --fail --location "$1" --output "$2" 2>&1)
_status=$?
else
warn "Not enforcing strong cipher suites for TLS, this is potentially less secure"
if ! check_help_for "$3" curl --proto --tlsv1.2; then

If I understand you correctly, did you mean this filter is too narrow?

if "$_cmd" --help | grep -q 'For all options use the manual or "--help all".'; then

... if so then indeed, I think '"--help all"' would suffice.
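
The failure mode discussed in this thread, as an added example (not rustup's own code): a simplified help-text flag check run with the exact-sentence filter and with the shorter `"--help all"` filter. `fake_curl_old`, `fake_curl_new`, `check_flags` and `decide` are hypothetical names, and the stub help text is constructed for illustration, not copied from any curl release.

```shell
#!/bin/sh
# Stub commands standing in for two curl builds (constructed help text).
full_help() {
    printf '%s\n' '     --proto <protocols>  Enable/disable PROTOCOLS' \
                  '     --tlsv1.2            Use TLSv1.2 or greater'
}
fake_curl_old() {   # short help ends with the sentence the strict filter expects
    if [ "$2" = "all" ]; then full_help; return; fi
    printf '%s\n' ' -o, --output <file>  Write to file' \
                  'For all options use the manual or "--help all".'
}
fake_curl_new() {   # same options, reworded footer (constructed wording)
    if [ "$2" = "all" ]; then full_help; return; fi
    printf '%s\n' ' -o, --output <file>  Write to file' \
                  'Use "--help all" to list every option.'
}

# check_flags FILTER CMD FLAG...
# Succeeds only if every FLAG appears in the help output that gets searched.
check_flags() {
    _filter="$1"; _cmd="$2"; shift 2
    # Search the full listing only when the short help advertises one.
    if "$_cmd" --help | grep -q -F -- "$_filter"; then
        _category="all"
    else
        _category=""
    fi
    for _arg in "$@"; do
        # Unquoted on purpose: an empty category adds no argument.
        "$_cmd" --help $_category | grep -q -F -- "$_arg" || return 1
    done
    return 0
}

# decide FILTER CMD: what an installer would do with the check result.
decide() {
    if check_flags "$1" "$2" --proto --tlsv1.2; then
        echo "enforce"   # pass --proto '=https' --tlsv1.2 to the downloader
    else
        echo "warn"      # silently weaker download path, warning only
    fi
}

STRICT='For all options use the manual or "--help all".'
LOOSE='"--help all"'

for _f in "$STRICT" "$LOOSE"; do
    for _c in fake_curl_old fake_curl_new; do
        printf '%-14s filter=%s -> %s\n' "$_c" "$_f" "$(decide "$_f" "$_c")"
    done
done
```

With the strict filter, a footer rewording alone turns a capable client into a "warn" result, which means the TLS flags are dropped rather than the install failing.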

rami3l (Member) commented Oct 11, 2024

@rustbot claim
