Curl with TLSv1.3 and openSSL on macOS

This took me some time to figure out as I couldn’t find that many resources about it online. It all starts with me trying to be a good citizen of the web and use a modern configuration for my web server. Mozilla provides a configuration service where the “modern” one only supports TLSv1.3. This is great, I think. Maybe not for everyone, right now, if you want to support old browsers, but for my use case it’s great. I enabled it on one of my sites to start with and tested it in Firefox and called it a day. A couple of weeks later I tried it with curl on my macOS Mojave machine.

$ curl --tlsv1.3 https://bolmaster2.com
curl: (4) LibreSSL was built without TLS 1.3 support

Hm. I thought this should work. Here I’m using the pre-shipped curl with macOS Mojave which is using LibreSSL 2.6.5. Check it by running:

$ curl --version
curl 7.54.0 (x86_64-apple-darwin18.0) libcurl/7.54.0 LibreSSL/2.6.5 zlib/1.2.11 nghttp2/1.24.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy

It turns out that LibreSSL doesn’t have support for TLSv1.3.

Building curl with openssl

So, I thought. Why isn’t curl using openssl? I’m using openssl on my dev machine, installed with homebrew, so I should just be able to use that. One thing that’s easy to miss here is that homebrew’s default openssl formula is using version 1.0.2 and openssl first started to support TLSv1.3 on version 1.1.1. Homebrew has a separate formula for openssl 1.1.1 called openssl@1.1.

So you need to use openssl 1.1.1. That shouldn’t be a problem. Compiling curl with openssl 1.1.1 was a bit of a PITA because curl’s dependencies also needed to be compiled with openssl 1.1.1. Anyway, the homebrew maintainers are starting to move formulas to compile with openssl@1.1. So when you read this, there’s probably not gonna be a problem. Then you should just be able to run:

brew install curl-openssl

UPDATE: The homebrew-core curl-openssl formula now uses openssl@1.1. So use that instead of my custom tap.

But as of now, 2019-08-30, that will compile with the old openssl and thus not work. So I created a tap using openssl@1.1. It updates the openssl dependency to openssl@1.1. Until those official formulas start using openssl@1.1 this tap will still be valid:

Install it like this:

brew tap bolmaster2/curl-openssl
brew install [email protected]

Running:

/usr/local/opt/[email protected]/bin/curl --version

…should now yield something like this:

curl 7.65.3 (x86_64-apple-darwin18.7.0) libcurl/7.65.3 OpenSSL/1.1.1c zlib/1.2.11 brotli/1.0.7 c-ares/1.15.0 libidn2/2.2.0 libssh2/1.9.0 nghttp2/1.39.2 librtmp/2.3
Release-Date: 2019-07-19
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
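
An added example, not part of the original post: a POSIX shell helper that reads the first line of `curl --version`, as in the two outputs above, and reports whether the linked TLS library can do TLS 1.3. The function names `tls_backend` and `tls13_status` are made up for this example, and the LibreSSL rule only covers 2.x releases; anything newer is reported as unknown.

```shell
#!/bin/sh
# Added example: decide from `curl --version` whether a curl build can do TLS 1.3.

# Print the TLS library token (e.g. "OpenSSL/1.1.1c") from the first version line.
tls_backend() {
    printf '%s\n' "$1" | head -n 1 | tr ' ' '\n' |
        grep -E '^(OpenSSL|LibreSSL)/' | head -n 1
}

# Print yes / no / unknown for the given `curl --version` text.
tls13_status() {
    backend=$(tls_backend "$1")
    name=${backend%%/*}
    # Drop everything from the first non-numeric character, e.g. the "c" in 1.1.1c.
    num=$(printf '%s' "${backend#*/}" | sed 's/[^0-9.].*$//')
    old_ifs=$IFS; IFS=.
    set -- $num
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    case $name in
        OpenSSL)
            # OpenSSL supports TLS 1.3 from 1.1.1 onwards.
            if [ "$major" -gt 1 ] ||
               { [ "$major" -eq 1 ] && [ "$minor" -gt 1 ]; } ||
               { [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]; }
            then echo yes; else echo no; fi ;;
        LibreSSL)
            # LibreSSL 2.x has no TLS 1.3; newer releases are not judged here (assumption).
            if [ "$major" -lt 3 ]; then echo no; else echo unknown; fi ;;
        *) echo unknown ;;
    esac
}

# First lines of the two `curl --version` outputs shown on this page (second one shortened).
system_curl='curl 7.54.0 (x86_64-apple-darwin18.0) libcurl/7.54.0 LibreSSL/2.6.5 zlib/1.2.11 nghttp2/1.24.1'
brewed_curl='curl 7.65.3 (x86_64-apple-darwin18.7.0) libcurl/7.65.3 OpenSSL/1.1.1c zlib/1.2.11 brotli/1.0.7'

echo "system curl: $(tls_backend "$system_curl") -> TLS 1.3: $(tls13_status "$system_curl")"
echo "brewed curl: $(tls_backend "$brewed_curl") -> TLS 1.3: $(tls13_status "$brewed_curl")"

# Classify whichever curl is first on PATH, if any.
if command -v curl >/dev/null 2>&1; then
    echo "curl on PATH -> TLS 1.3: $(tls13_status "$(curl --version)")"
fi
```

A "yes" here only describes the client library; the server still has to offer TLS 1.3 for `curl --tlsv1.3` to succeed.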

Resources