Could not use HTTP/3 whenever --ciphers is used

[zzq1015]

I did this

The command I used:
curl --disable -v --http3-only --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA' https://1.1.1.1/cdn-cgi/trace

*   Trying 1.1.1.1:443...
* failed setting cipher list: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:D
* QUIC connect to 1.1.1.1 port 443 failed: Could not use specified SSL cipher
* Failed to connect to 1.1.1.1 port 443 after 0 ms: Could not use specified SSL cipher
* closing connection #0
curl: (59) failed setting cipher list: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:D

Even if I restrict the length of --ciphers argument, it still doesn't work.
curl --disable -v --http3-only --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256' https://1.1.1.1/cdn-cgi/trace

*   Trying 1.1.1.1:443...
* failed setting cipher list: ECDHE-ECDSA-AES128-GCM-SHA256
* QUIC connect to 1.1.1.1 port 443 failed: Could not use specified SSL cipher
* Failed to connect to 1.1.1.1 port 443 after 0 ms: Could not use specified SSL cipher
* closing connection #0
curl: (59) failed setting cipher list: ECDHE-ECDSA-AES128-GCM-SHA256

I can specify --tls13-ciphers all I want, no issues, just not --ciphers.

I expected the following

Can HTTP3/QUIC used with TLS1.2 or lower?
If not, --ciphers should be ignored whenever HTTP3/QUIC is used.

curl/libcurl version

multiple versions, I tested 8.11.1, but the problem exists for several versions earlier.
Also for 8.11.1:

curl 8.11.1 (x86_64-pc-linux-gnu) libcurl/8.11.1 OpenSSL/3.3.2 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 c-ares/1.34.3 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.64.0 nghttp3/1.6.0
Release-Date: 2024-12-11
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP TrackMemory UnixSockets zstd

operating system

OpenSUSE Tumbleweed and Amazon Linux 2023

[icing]

We made this so we would hear from the people who actually use HTTP/3.😬

[icing]

This is a new quirk in OpenSSL's QUIC method, which refuses setting the ciphers where other OpenSSL TLS methods do not. Nice one.

I propose #16235 as a fix for this, ignoring setting --ciphers when the minimum TLS version is 1.3 or higher.

[zzq1015]

That was QUIC! Thank y'all. It took about 9 hours to fix this issue. Now waiting for the next release...

BTW, I really doubt anyone will explicitly use --ciphers while using HTTP/3, but I configured both ciphers and tls13-ciphers in ~/.curlrc and then I encountered this issue.

I wonder if there's a way to undo the ciphers and tls13-ciphers in the config file. Maybe --no-ciphers and --no-tls13-ciphers or something like that?