How do I configure Prince to use TLS 1.2 when retrieving remote files over HTTPS?

paul.buckle
Hello

I am using 'prince-10r3-1.x86_64' on 'Red Hat Enterprise Linux Server release 6.7 (Santiago)'.

When retrieving a remote file over HTTPS with a command syntax similar to below, Prince is using TLS 1.0:

$ prince https://www.myserver.com/index.html -o /tmp/index.pdf

www.myserver.com supports TLS 1.0, 1.1 and 1.2, but in line with current best security practices, I need to remove support for TLS 1.0 in the near future.

Before doing so, I obviously need to be able to configure Prince to use a later version of TLS.

By default, a curl command for the same resource will also use TLS 1.0, but curl offers the "--tlsv1.2" option to change this behaviour.

Is a similar option available in Prince?

Thanks in advance.

Paul

mikeday
Does curl automatically use TLS 1.2 when support for TLS 1.0 is removed? Because if so, hopefully Prince should also do likewise.
paul.buckle
So with myserver.com configured to support TLS 1.2 only:

Curl cannot connect by default:

$ curl https://www.myserver.com/index.html
curl: (35) SSL connect error

Curl can connect if I tell it to use TLS 1.2:

$ curl --tlsv1.2 https://www.myserver.com/index.html

But critically, Prince cannot connect:

$ prince https://www.myserver.com/index.html -o /tmp/index.pdf
prince: https://www.myserver.com/index.html: error: SSL connect error
prince: https://www.myserver.com/index.html: error: could not load input file
prince: error: no input documents to process

If Prince is effectively using curl to retrieve remote resources, then I need to be able to pass similar parameters to Prince, in order to control the version of TLS it will use.

mikeday
Right, we will check these options and see what we can do.
paul.buckle
Many thanks Mike.
paul.buckle
Hello

May I ask if there's any progress on this request?

Thank you.

Paul

paul.buckle
Hello

May I ask if there's any progress on this request?

Thank you.

Paul
mikeday
Sorry for the delay, we will take another look. Lots of curl issues to fix lately. :)
mikeday
We have added an --ssl-version option and it will be available in the next build, hopefully tomorrow.
mikeday
The new latest build has an --ssl-version option which can take values like "tlsv1.2" similar to curl.
paul.buckle
Great, thank you Mike.

How long does it typically take for a development build to become an official release?
mikeday
We are planning to release Prince 11 before the end of the year, but the latest builds are stable and ready to use now.