-
-
Notifications
You must be signed in to change notification settings - Fork 6.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
--ciphers
may not properly set --tls13-ciphers
#13873
Comments
What's the expectation for the "--ciphers" alike..? Mere pass-through? |
The situation with the cipher options is not as straightforward as one might expect, because handling of these options differ for each SSL backends that libcurl is build against. For some backends (e.g. mbedtls) the Due to this the format of the When TLSv1.3 was introduced, openssl added a separate option in their api for setting TLSv1.3 ciphers, so libcurl accommodated for that by introducing the This has also the effect that when using the openssl backend, setting the So the cipher options are not as consistent as one might hope for, due to the idiosyncrasies of the different SSL backends. The situation could be improved, for example libcurl could pre-parse the options so that the expected format and behavior could be made more consistent across the board. That would be not without downsides however (BC breaking changes, extra overhead, added complexity in libcurl), and even then it would not be a panacea for all SSL backends. For the moment the best you can do, is to check which SSL backend is being used and adjust the cipher options according to the documentation: https://curl.se/docs/ssl-ciphers.html Footnotes
|
So simply put, the current situation is simply havoc... Making `curl` to wrap-around such idiosyncrasies is possible and should perfectly work mostly. |
--ciphers
may not properly set --tls13-ciphers
Server receives:
This value Version:
This has probably already been corrected in newer versions, but I thought it appropriate to leave the comment here, as I found some mentions of this issue. |
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV" is not directly related to this issue. (CLI of `curl`) I have a writing pending for the "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" trouble. |
Also I believe using "--ciphers" to set "--tls13-ciphers" is no-op: |
The current behavior ("--ciphers", "--tls13-ciphers" each independent) may feel tricky.
Would it be more appropriate to readapt the design?
(or maybe better explain the rationale..?)
E.g.
--tls13-ciphers "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256"
--ciphers "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256"
.
--tls13-ciphers "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256" --ciphers "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
--ciphers "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
See also:
"--ciphers" may include other, unspecified ciphers in TLS handshake
https://github.com/curl/curl/issues/7198
.
Clarify setting TLS 1.3 ciphers using different backends
https://github.com/curl/curl/issues/3938
https://github.com/curl/curl/issues/3077#issuecomment-426561378
https://github.com/curl/curl/issues/2435
Test site: https://browserleaks.com/tls
The text was updated successfully, but these errors were encountered: