
Could not use HTTP/3 whenever --ciphers is used #16232

Closed
zzq1015 opened this issue Feb 7, 2025 · 3 comments
Assignees
Labels
HTTP/3 h3 or quic related

Comments

@zzq1015

zzq1015 commented Feb 7, 2025

I did this

The command I used:
curl --disable -v --http3-only --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA' https://1.1.1.1/cdn-cgi/trace

*   Trying 1.1.1.1:443...
* failed setting cipher list: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:D
* QUIC connect to 1.1.1.1 port 443 failed: Could not use specified SSL cipher
* Failed to connect to 1.1.1.1 port 443 after 0 ms: Could not use specified SSL cipher
* closing connection #0
curl: (59) failed setting cipher list: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:D

Even if I restrict the length of the --ciphers argument, it still doesn't work.
curl --disable -v --http3-only --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256' https://1.1.1.1/cdn-cgi/trace

*   Trying 1.1.1.1:443...
* failed setting cipher list: ECDHE-ECDSA-AES128-GCM-SHA256
* QUIC connect to 1.1.1.1 port 443 failed: Could not use specified SSL cipher
* Failed to connect to 1.1.1.1 port 443 after 0 ms: Could not use specified SSL cipher
* closing connection #0
curl: (59) failed setting cipher list: ECDHE-ECDSA-AES128-GCM-SHA256

I can specify --tls13-ciphers all I want, no issues, just not --ciphers.

I expected the following

Can HTTP3/QUIC be used with TLS 1.2 or lower?
If not, --ciphers should be ignored whenever HTTP3/QUIC is used.

curl/libcurl version

Multiple versions; I tested 8.11.1, but the problem exists in several earlier versions as well.
Also for 8.11.1:

curl 8.11.1 (x86_64-pc-linux-gnu) libcurl/8.11.1 OpenSSL/3.3.2 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 c-ares/1.34.3 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.64.0 nghttp3/1.6.0
Release-Date: 2024-12-11
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP TrackMemory UnixSockets zstd

operating system

OpenSUSE Tumbleweed and Amazon Linux 2023

@vszakats vszakats added the HTTP/3 h3 or quic related label Feb 7, 2025
@icing
Contributor

icing commented Feb 7, 2025

We made this so we would hear from the people who actually use HTTP/3.😬

@icing icing self-assigned this Feb 7, 2025
icing added a commit to icing/curl that referenced this issue Feb 7, 2025
OpenSSL QUIC method errors on setting TLSv1.2 ciphers, where other
methods do not. See curl#16232.

Refrain from setting --ciphers when min TLS version is 1.3 or higher.
Refrain from setting --tls13-ciphers when max TLS version is less than 1.3.
Add 2 test cases.
@icing
Contributor

icing commented Feb 7, 2025

This is a new quirk in OpenSSL's QUIC method, which refuses to set the ciphers where other OpenSSL TLS methods do not. Nice one.

I propose #16235 as a fix for this, which skips setting --ciphers when the minimum TLS version is 1.3 or higher.
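The two gating rules from the referenced commit (skip --ciphers when the minimum TLS version is 1.3 or higher, skip --tls13-ciphers when the maximum is below 1.3), as an added C example that is not curl's own code: the version constants and the struct are constructed here, 0 stands for an unset bound, and the cipher strings in main are sample values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed to match OpenSSL's TLS1_2_VERSION / TLS1_3_VERSION values so the
 * example builds without OpenSSL headers. A version of 0 means "no bound". */
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Hypothetical plan: cipher_list would go to SSL_CTX_set_cipher_list() (TLS 1.2
 * and lower), ciphersuites to SSL_CTX_set_ciphersuites() (TLS 1.3). NULL means
 * the setter is not called at all, which is what avoids the QUIC method error. */
struct cipher_plan {
  const char *cipher_list;
  const char *ciphersuites;
  int min_version; /* effective minimum after accounting for QUIC */
};

/* QUIC (HTTP/3) is TLS 1.3 only, so its minimum is raised first; then the two
 * rules from the fix apply: skip --ciphers when min >= 1.3, skip --tls13-ciphers
 * when max < 1.3. ciphers / tls13_ciphers are NULL when the option was not given. */
struct cipher_plan plan_ciphers(int min_version, int max_version, bool quic,
                                const char *ciphers, const char *tls13_ciphers)
{
  struct cipher_plan p = { NULL, NULL, min_version };

  if (quic && p.min_version < TLS1_3_VERSION)
    p.min_version = TLS1_3_VERSION;

  if (ciphers && *ciphers && p.min_version < TLS1_3_VERSION)
    p.cipher_list = ciphers;

  if (tls13_ciphers && *tls13_ciphers &&
      (max_version == 0 || max_version >= TLS1_3_VERSION))
    p.ciphersuites = tls13_ciphers;

  return p;
}

int main(void)
{
  /* The reporter's case: --http3-only with both --ciphers and --tls13-ciphers set */
  struct cipher_plan p = plan_ciphers(0, 0, true, "ECDHE-ECDSA-AES128-GCM-SHA256",
                                      "TLS_AES_128_GCM_SHA256");
  printf("cipher_list=%s ciphersuites=%s\n",
         p.cipher_list ? p.cipher_list : "(skipped)",
         p.ciphersuites ? p.ciphersuites : "(skipped)");
  return 0;
}
```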

@bagder bagder closed this as completed in cbf8fec Feb 7, 2025
@zzq1015
Author

zzq1015 commented Feb 7, 2025

That was QUIC! Thank y'all. It took about 9 hours to fix this issue. Now waiting for the next release...

BTW, I really doubt anyone will explicitly use --ciphers while using HTTP/3, but I configured both ciphers and tls13-ciphers in ~/.curlrc and then I encountered this issue.

I wonder if there's a way to undo the ciphers and tls13-ciphers in the config file. Maybe --no-ciphers and --no-tls13-ciphers or something like that?
