Can't set TLS 1.3 ciphers #3178

@Ricky-Tigg

Description

I did this

  • Run a command which uses OpenSSL's supported TLS 1.3 cipher suites and downloads a file (191 373 B):
$ curl --tls13-ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384 -vOLX POST https://www.wireshark.org/download/docs/wsdg_html.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2606:4700:20::6819:da15...
* TCP_NODELAY set
* Connected to www.wireshark.org (2606:4700:20::6819:da15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* failed setting TLS 1.3 cipher suite: (nil)
curl: (59) failed setting TLS 1.3 cipher suite: (nil)
  • Look for the expressions 'CURLOPT_SSL_CIPHER_LIST' and 'CURLOPT_TLS13_CIPHERS' – respectively linked to the command options --ciphers and --tls13-ciphers – possibly using a command such as 'grep -rnw '/path/to/somewhere/' -e 'pattern''. Along with the existing options, the --exclude, --include and --exclude-dir flags may be used. The involved expressions cannot be found on the Fedora system, on which the installation locations are as follows:
$ rpm -ql curl
/usr/bin/curl
/usr/lib/.build-id
/usr/lib/.build-id/19
/usr/lib/.build-id/19/9f4344e87efd0c4c45554fee6c125df7296435
/usr/share/doc/curl
/usr/share/doc/curl/BUGS
/usr/share/doc/curl/CHANGES
/usr/share/doc/curl/FAQ
/usr/share/doc/curl/FEATURES
/usr/share/doc/curl/MANUAL
/usr/share/doc/curl/README
/usr/share/doc/curl/RESOURCES
/usr/share/doc/curl/TODO
/usr/share/doc/curl/TheArtOfHttpScripting
/usr/share/man/man1/curl.1.gz
/usr/share/zsh/site-functions
/usr/share/zsh/site-functions/_curl

I expected the following

  • The command to succeed, as curl -vOLX POST https://www.wireshark.org/download/docs/wsdg_html.zip does, since the server in that case picks TLSv1.3 / TLS_AES_256_GCM_SHA384 to be used in the SSL connection.
  • The expressions to be found in the system resources.

curl/libcurl version

curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1 zlib/1.2.11 brotli/1.0.5 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh/0.8.3/openssl/zlib nghttp2/1.34.0

operating system

Fedora 29

additional information

The following command downloaded the file as intended; yet its output seems to contain a number of the following related expressions that might be non-relevant:

* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]
$ curl -vOLX POST https://www.wireshark.org/download/docs/wsdg_html.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2606:4700:20::6819:db15...
* TCP_NODELAY set
* Connected to www.wireshark.org (2606:4700:20::6819:db15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, [no content] (0):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3723 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=ssl380445.cloudflaressl.com
*  start date: Aug 27 00:00:00 2018 GMT
*  expire date: Mar  5 23:59:59 2019 GMT
*  subjectAltName: host "www.wireshark.org" matched cert's "*.wireshark.org"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
* Using Stream ID: 1 (easy handle 0x5575da1bf530)
} [5 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
> POST /download/docs/wsdg_html.zip HTTP/2
> Host: www.wireshark.org
> User-Agent: curl/7.61.1
> Accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, [no content] (0):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
} [5 bytes data]
* TLSv1.3 (OUT), TLS app data, [no content] (0):
} [1 bytes data]
* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]
< HTTP/2 200 
< date: Fri, 26 Oct 2018 08:14:00 GMT
< content-type: application/zip
< content-length: 191373
< set-cookie: __cfduid=dbb187391aed40fbf00894202a1bef9871540541639; expires=Sat, 26-Oct-19 08:13:59 GMT; path=/; domain=.wireshark.org; HttpOnly
< x-frame-options: SAMEORIGIN
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-slogan: If it can shock or blind you it's layer 1.
< last-modified: Fri, 26 Oct 2018 07:10:04 GMT
< etag: "2eb8d-5791c68971e64"
< accept-ranges: bytes
< x-slogan: Go deep.
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 46fb7781a940442d-BRU
< 
{ [949 bytes data]

(then the following 17 times, between ’ ’)

’* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]’

 12  186k   12 24204    0     0  32532      0  0:00:05 --:--:--  0:00:05 32532* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]

(then the following 56 times, between ’ ’)

’* TLSv1.3 (IN), TLS app data, [no content] (0):
{ [1 bytes data]’

100  186k  100  186k    0     0   195k      0 --:--:-- --:--:-- --:--:--  195k
* Connection #0 to host www.wireshark.org left intact
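As an added example that is not part of the original report or of the curl project: a small Python parser for the `curl -v` trace format shown above. It pulls out the negotiated TLS version and cipher suite, the certificate verification result, the ALPN protocol and the real handshake messages, counts the repeated one-byte "[no content]" records separately instead of treating them as messages, and then checks the negotiated suite against an allow-list. The sample log is constructed from trimmed lines of the report; the allow-list `ALLOWED_TLS13_SUITES` and the function names are assumptions of this example.

```python
import re

# Constructed sample: a few lines trimmed from a `curl -v` run like the one in the report.
SAMPLE_LOG = """\
* ALPN, offering h2
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
"""

# Assumed policy: the suites the reporter tried to restrict the connection to (IANA names).
ALLOWED_TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}

# "* TLSv1.3 (IN), TLS handshake, Server hello (2):" -> version, direction, record kind, name, number
RECORD_RE = re.compile(r"^\* (TLSv1\.\d) \((IN|OUT)\), TLS (handshake|app data|change cipher), (.+?) \((\d+)\):$")
USING_RE = re.compile(r"^\* SSL connection using (\S+) / (\S+)$")

def parse_curl_verbose(text):
    summary = {"version": None, "cipher": None, "verify_ok": False,
               "alpn": None, "handshake": [], "no_content_records": 0}
    for line in text.splitlines():
        m = USING_RE.match(line)
        if m:
            summary["version"], summary["cipher"] = m.groups()
            continue
        m = RECORD_RE.match(line)
        if m:
            _, direction, kind, name, num = m.groups()
            if name == "[no content]":
                # one-byte records that the trace labels "[no content]": counted, not treated as messages
                summary["no_content_records"] += 1
            elif kind == "handshake":
                summary["handshake"].append((direction, name, int(num)))
            continue
        if "SSL certificate verify ok." in line:
            summary["verify_ok"] = True
        elif line.startswith("* ALPN, server accepted to use "):
            summary["alpn"] = line.rsplit(" ", 1)[1]
    return summary

def connection_is_acceptable(summary, allowed=ALLOWED_TLS13_SUITES):
    # policy check: TLS 1.3, an allow-listed suite, and a verified server certificate
    return summary["version"] == "TLSv1.3" and summary["cipher"] in allowed and summary["verify_ok"]
```

Running the parser over a full trace from the report collapses the 17 and 56 repeated "[no content]" blocks into a single count, leaving the handshake summary readable.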