Schannel regression: CURLOPT_SSL_CIPHER_LIST has no effect on Windows 10 >= 10.0.17763 #10741
Comments
I've submitted a fix in PR #10746 which should allow TLS < 1.3 ciphers to be set as long as TLS 1.3 ciphers are not set. I'm not sure if it's possible to combine the two because they use different credential structs and we are only allowed to pass a single credential struct to schannel. The PR is marked as draft for now. If anyone can investigate further that would be helpful. /cc @wyattoday

Does this bug mean that when running on Windows 10 1809+, curl (with Schannel) is forcing TLS 1.3 with no option to use TLS 1.2? Or, requiring

Nope, it doesn't mean that. This is about cipher lists. See my reply to @jay's PR (here: #10746 (comment)) for my view on this (not a bug) and possible remedies if the consensus is that this is a bug (remedy 3 is probably the most secure of the insecure options).
- If the user set a legacy algorithm list (CURLOPT_SSL_CIPHER_LIST) then use the SCHANNEL_CRED legacy structure to pass the list to Schannel.
- If the user set both a legacy algorithm list and a TLS 1.3 cipher list then abort.

Although MS doesn't document it, Schannel will not negotiate TLS 1.3 when SCHANNEL_CRED is used. That means setting a legacy algorithm list limits the user to earlier versions of TLS.

Prior to this change, since 8beff43 (precedes 7.85.0), libcurl would ignore legacy algorithms in Windows 10 1809 and later.

Reported-by: zhihaoy@users.noreply.github.com
Fixes curl#10741
Closes curl#10746
I did this
Set CURLOPT_SSL_CIPHER_LIST on a connection that uses Schannel and TLS 1.2, and make a connection to an HTTPS server.

I expected the following
Investigating its Hello message, the cipher suites should match my settings.
curl/libcurl version
libcurl 7.85.0 to the latest

operating system
Fails (CURLOPT_SSL_CIPHER_LIST has no effect) on Windows 10 build 17763 and above, such as Windows 10 Enterprise 1809 and 20H1.
Works (CURLOPT_SSL_CIPHER_LIST is in effect) on Windows 10 build 14393, such as Windows Server 2016.

Cause analysis
The problem was introduced by 8beff43. The change moved this chunk of code:
curl/lib/vtls/schannel.c, lines 503 to 510 in 801bd51
curl/lib/vtls/schannel.c, lines 1006 to 1021 in cd95ee9
curl/lib/vtls/schannel.c, lines 790 to 792 in cd95ee9
CURLOPT_SSL_CIPHER_LIST under that combined condition was lost.
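The verification step the report relies on (inspecting the ClientHello to see which cipher suites were actually offered), as an added Python example that is not code from the issue, the PR or curl itself. It parses a TLS ClientHello record, lists the offered suites, and reads the supported_versions extension, so it also shows whether TLS 1.3 is on offer, which matters given the commit message's note that SCHANNEL_CRED disables TLS 1.3. The ClientHello bytes and the helper names (`parse_client_hello`, `build_client_hello`, `cipher_list_honoured`) are constructed here, not captured from a real Schannel client.

```python
import struct

SUPPORTED_VERSIONS_EXT = 43   # extension type from RFC 8446
TLS13 = 0x0304

def parse_client_hello(record: bytes) -> dict:
    """Return the offered cipher suites and supported_versions list from a TLS
    record that carries a ClientHello. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + hello[pos]                          # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                          # compression methods
    versions = []
    if pos + 2 <= len(hello):                      # extensions are optional pre-1.3
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + elen]; pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                versions = [struct.unpack("!H", data[i:i + 2])[0]
                            for i in range(1, 1 + data[0], 2)]
    return {"cipher_suites": suites, "supported_versions": versions,
            "offers_tls13": TLS13 in versions}

def build_client_hello(suites, versions) -> bytes:
    """Construct a minimal ClientHello record (test input, not a real capture)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv)) + sv
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def cipher_list_honoured(record: bytes, configured) -> bool:
    """True only if the ClientHello offers exactly the configured suites, in order."""
    return parse_client_hello(record)["cipher_suites"] == list(configured)
```

Feed a ClientHello captured from the client under test to `parse_client_hello`; a suite list that differs from what was set with CURLOPT_SSL_CIPHER_LIST reproduces the regression described above.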