From: Zbigniew Jędrzejewski-Szmek
Date: Tue, 7 Apr 2026 11:25:08 +0000 (+0200)
Subject: journal-upload: require TLS 1.2 as the minimum version
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93ee4308d99847f67f638f314a186b8f15bf08dc;p=thirdparty%2Fsystemd.git

journal-upload: require TLS 1.2 as the minimum version

RFC 8996 says:
> This document formally deprecates Transport Layer Security (TLS)
> versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those
> documents have been moved to Historic status. These versions lack
> support for current and recommended cryptographic algorithms and
> mechanisms, and various government and industry profiles of
> applications using TLS now mandate avoiding these old TLS versions.
> TLS version 1.2 became the recommended version for IETF protocols in
> 2008 (subsequently being obsoleted by TLS version 1.3 in 2018),
> providing sufficient time to transition away from older versions.
> Removing support for older versions from implementations reduces the
> attack surface, reduces opportunity for misconfiguration, and
> streamlines library and product maintenance.

This code probably only talks to our own receiver which uses libmicrohttpd.
That in turn delegates to GnuTLS, which supports 1.2, 1.3, 3.0, etc.
---
diff --git a/src/journal-remote/journal-upload.c b/src/journal-remote/journal-upload.c index 88f5cf71398..99de0fc93f5 100644 --- a/src/journal-remote/journal-upload.c +++ b/src/journal-remote/journal-upload.c @@ -302,8 +302,8 @@ int start_upload(Uploader *u, return -EXFULL; } - if (arg_key || arg_trust) - (void) easy_setopt(curl, LOG_WARNING, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); + if (startswith(u->url, "https://")) + (void) easy_setopt(curl, LOG_WARNING, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); u->easy = TAKE_PTR(curl); } else {
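
Review bot: The new guard `if (startswith(u->url, "https://"))` in start_upload() is a case-sensitive prefix match, while URL schemes are case-insensitive and libcurl accepts them in any case, so a URL written as `HTTPS://...` would skip the TLS 1.2 floor and fall back to the library default. Since CURLOPT_SSLVERSION only affects connections that actually negotiate TLS, the simplest fix is to drop the condition and set the option unconditionally; otherwise compare the scheme case-insensitively. Separately, the call keeps the `(void)` cast and LOG_WARNING level, so a failure to apply CURL_SSLVERSION_TLSv1_2 is only logged and the upload proceeds without the minimum. Now that this line is meant to enforce a security floor, consider checking the result and failing start_upload() instead. A short comment above the call citing RFC 8996 would also help, since the rationale currently lives only in the commit message.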