New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can't set TLS 1.3 ciphers #3178

Closed
Ricky-Tigg opened this Issue Oct 26, 2018 · 3 comments

Comments

Projects
None yet
2 participants
@Ricky-Tigg

Ricky-Tigg commented Oct 26, 2018

I did this

  • Run command which uses supported OpenSSL's TLS 1.3 cipher suites and downloads file (191 373 B):
$ curl --tls13-ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384 -vOLX POST https://www.wireshark.org/download/docs/wsdg_html.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2606:4700:20::6819:da15...
* TCP_NODELAY set
* Connected to www.wireshark.org (2606:4700:20::6819:da15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* failed setting TLS 1.3 cipher suite: (nil)
curl: (59) failed setting TLS 1.3 cipher suite: (nil)
  • Look for expressions 'CURLOPT_SSL_CIPHER_LIST' and 'CURLOPT_TLS13_CIPHERS' – respectively linked to command options --ciphers and --tls13-ciphers – possibly using a command such as 'grep -rnw '/path/to/somewhere/' -e 'pattern''. Along with existing options, --exclude, --include, --exclude-dir flags may be used. Involved expressions cannot be found from Fedora system, on which installation locations are as follow:
$ rpm -ql curl
/usr/bin/curl
/usr/lib/.build-id
/usr/lib/.build-id/19
/usr/lib/.build-id/19/9f4344e87efd0c4c45554fee6c125df7296435
/usr/share/doc/curl
/usr/share/doc/curl/BUGS
/usr/share/doc/curl/CHANGES
/usr/share/doc/curl/FAQ
/usr/share/doc/curl/FEATURES
/usr/share/doc/curl/MANUAL
/usr/share/doc/curl/README
/usr/share/doc/curl/RESOURCES
/usr/share/doc/curl/TODO
/usr/share/doc/curl/TheArtOfHttpScripting
/usr/share/man/man1/curl.1.gz
/usr/share/zsh/site-functions
/usr/share/zsh/site-functions/_curl

I expected the following

  • Command to succeed as curl -vOLX POST https://www.wireshark.org/download/docs/wsdg_html.zip does., since server in that case picks up TLSv1.3 / TLS_AES_256_GCM_SHA384 to be used in SSL connection.
  • Expressions to be found from the system resources.

curl/libcurl version

curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1 zlib/1.2.11 brotli/1.0.5 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh/0.8.3/openssl/zlib nghttp2/1.34.0

operating system

Fedora 29

additional information

Following command downloaded the file as intended; yet its output seems to contain an amount the following related expressions that might be non-relevant:

* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]
$ curl -vOLX POST https://www.wireshark.org/download/docs/wsdg_html.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2606:4700:20::6819:db15...
* TCP_NODELAY set
* Connected to www.wireshark.org (2606:4700:20::6819:db15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, [no content] (0):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3723 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=ssl380445.cloudflaressl.com
*  start date: Aug 27 00:00:00 2018 GMT
*  expire date: Mar  5 23:59:59 2019 GMT
*  subjectAltName: host "www.wireshark.org" matched cert's "*.wireshark.org"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
* Using Stream ID: 1 (easy handle 0x5575da1bf530)
} [5 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
> POST /download/docs/wsdg_html.zip HTTP/2
> Host: www.wireshark.org
> User-Agent: curl/7.61.1
> Accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, [no content] (0):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
} [5 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]
< HTTP/2 200 
< date: Fri, 26 Oct 2018 08:14:00 GMT
< content-type: application/zip
< content-length: 191373
< set-cookie: __cfduid=dbb187391aed40fbf00894202a1bef9871540541639; expires=Sat, 26-Oct-19 08:13:59 GMT; path=/; domain=.wireshark.org; HttpOnly
< x-frame-options: SAMEORIGIN
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-slogan: If it can shock or blind you it's layer 1.
< last-modified: Fri, 26 Oct 2018 07:10:04 GMT
< etag: "2eb8d-5791c68971e64"
< accept-ranges: bytes
< x-slogan: Go deep.
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 46fb7781a940442d-BRU
< 
{ [949 bytes data]

(then 17 times following between ’ ’)

’* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]’

 12  186k   12 24204    0     0  32532      0  0:00:05 --:--:--  0:00:05 32532* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]

(then 56 times following between ’ ’)

’* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]’

100  186k  100  186k    0     0   195k      0 --:--:-- --:--:-- --:--:--  195k
* Connection #0 to host www.wireshark.org left intact

@bagder bagder changed the title from Valid command cannot be performed completely to Can't set TLS 1.3 ciphers Oct 26, 2018

@bagder

This comment has been minimized.

Member

bagder commented Oct 26, 2018

Try --tls13-ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384 instead. Works for me.

bagder added a commit that referenced this issue Oct 26, 2018

docs/CIPHERS: fix the TLS 1.3 cipher names
... picked straight from the OpenSSL man page:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

Reported-by: Ricky-Tigg on github
Bug: #3178

bagder added a commit that referenced this issue Oct 26, 2018

openssl: output the correct cipher list on TLS 1.3 error
When failing to set the 1.3 cipher suite, the wrong string pointer would
be used in the error message. Most often saying "(nil)".

Reported-by: Ricky-Tigg on github
Fixes #3178

@bagder bagder added the SSL/TLS label Oct 26, 2018

@Ricky-Tigg

This comment has been minimized.

Ricky-Tigg commented Oct 26, 2018

Applying that unofficial syntax to TLS 1.3 cipher suites, produced an output expected with official syntax.

@bagder

This comment has been minimized.

Member

bagder commented Oct 26, 2018

"unofficial" ? That's the cipher names OpenSSL supports. We don't do any translations in between. If you have problem with the names I would suggest you take that discussion with the OpenSSL team.

bagder added a commit that referenced this issue Oct 27, 2018

docs/CIPHERS: fix the TLS 1.3 cipher names
... picked straight from the OpenSSL man page:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

Reported-by: Ricky-Tigg on github
Bug: #3178

@bagder bagder closed this in 44a9e9f Oct 27, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment