This took me some time to figure out as I couldn’t find that many resources about it online. It all starts with me trying to be a good citizen of the web and use a modern configuration for my web server. Mozilla provides a configuration service where the “modern” one only supports TLSv1.3. This is great, I think. Maybe not for everyone, right now, if you want to support old browsers, but for my use case it’s great. I enabled it on one of my sites to start with and tested it in Firefox and called it a day. A couple of weeks later I tried it with curl on my macOS Mojave machine.
$ curl --tlsv1.3 https://bolmaster2.com
curl: (4) LibreSSL was built without TLS 1.3 support
Hm. I thought this should work. Here I’m using the pre-shipped curl with macOS Mojave, which is using LibreSSL 2.6.5. Check it by running:
$ curl --version
curl 7.54.0 (x86_64-apple-darwin18.0) libcurl/7.54.0 LibreSSL/2.6.5 zlib/1.2.11 nghttp2/1.24.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy
It turns out that LibreSSL doesn’t have support for TLSv1.3.
Building curl with openssl
So, I thought, why isn’t curl using openssl? I’m using openssl on my dev machine, installed with homebrew, so I should just be able to use that. One thing that’s easy to miss here is that homebrew’s default openssl formula is using version 1.0.2 and openssl first started to support TLSv1.3 in version 1.1.1. Homebrew has a separate formula for openssl 1.1.1 called openssl@1.1.
So you need to use openssl 1.1.1. That shouldn’t be a problem. Compiling curl with openssl 1.1.1 was a bit of a PITA because curl’s dependencies also needed to be compiled with openssl 1.1.1. Anyway, the homebrew maintainers are starting to move formulas to compile with openssl@1.1. So when you read this, there’s probably not gonna be a problem. Then you should just be able to run:
brew install curl-openssl
UPDATE: The homebrew-core curl-openssl formula now uses openssl@1.1. So use that instead of my custom tap.
But as of now, 2019-08-30, that will compile with the old openssl and thus not work. So I created a tap using openssl@1.1. It updates the openssl dependency to openssl@1.1. Until those official formulas start using openssl@1.1 this tap will still be valid:
Install it like this:
brew tap bolmaster2/curl-openssl
brew install [email protected]
/usr/local/opt/[email protected]/bin/curl --version
…should now yield something like this:
curl 7.65.3 (x86_64-apple-darwin18.7.0) libcurl/7.65.3 OpenSSL/1.1.1c zlib/1.2.11 brotli/1.0.7 c-ares/1.15.0 libidn2/2.2.0 libssh2/1.9.0 nghttp2/1.39.2 librtmp/2.3
Release-Date: 2019-07-19
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
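
An added example, not part of the original post: a shell check that reads the first line of curl --version and reports whether the linked TLS library can do TLS 1.3, based on the two facts above (openssl supports it from 1.1.1, LibreSSL 2.6.5 does not). The function names version_ge and tls13_capable are hypothetical, and LibreSSL 3.x or any other backend is reported as unknown because the post does not cover them.

```shell
#!/bin/sh
# Added example: classify a curl build from the first line of `curl --version`.

# version_ge A B: succeeds when dotted numeric version A >= B.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# tls13_capable LINE: prints yes, no or unknown for the given version line.
tls13_capable() {
    backend=
    for word in $1; do
        case $word in OpenSSL/*|LibreSSL/*) backend=$word; break ;; esac
    done
    name=${backend%%/*}
    ver=${backend#*/}
    ver=${ver%%[!0-9.]*}          # drop the patch letter: 1.1.1c -> 1.1.1
    case $name in
        OpenSSL)
            if version_ge "$ver" 1.1.1; then echo yes; else echo no; fi ;;
        LibreSSL)
            # The post only establishes that LibreSSL 2.6.5 lacks TLS 1.3.
            if version_ge "$ver" 3.0.0; then echo unknown; else echo no; fi ;;
        *)  echo unknown ;;       # SecureTransport, GnuTLS, ... not covered
    esac
}

# First lines of the two `curl --version` outputs shown in the post.
system_curl='curl 7.54.0 (x86_64-apple-darwin18.0) libcurl/7.54.0 LibreSSL/2.6.5 zlib/1.2.11 nghttp2/1.24.1'
brew_curl='curl 7.65.3 (x86_64-apple-darwin18.7.0) libcurl/7.65.3 OpenSSL/1.1.1c zlib/1.2.11 brotli/1.0.7'

echo "system curl: $(tls13_capable "$system_curl")"
echo "brew curl:   $(tls13_capable "$brew_curl")"
```

To check the curl on your PATH, pass it the live output: tls13_capable "$(curl --version | head -n 1)".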