
tls-max requires tls arguments #3367

Closed
andreineculau opened this issue Dec 12, 2018 · 2 comments

@andreineculau
commented Dec 12, 2018

I did this

$ curl --tls-max 1.0 https://sprint.tobiipro.com

and then curl printed

*   Trying 52.84.213.2...
* TCP_NODELAY set
* Connected to sprint.tobiipro.com (52.84.213.2) port 443 (#0)
* ALPN, offering http/1.1
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
...

I expected the following

I expected the connection to fail on the SSL handshake actually, because that server does not support TLS v1.0, as shown below

$ nmap -p 443 --script ssl-enum-ciphers sprint.tobiipro.com
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-12 10:57 CET
Nmap scan report for sprint.tobiipro.com (52.84.213.2)
Host is up (0.0031s latency).
Other addresses for sprint.tobiipro.com (not scanned): 52.84.213.70 52.84.213.201 52.84.213.162

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 17.70 seconds

It seems that curl --tls-max 1.0 --tlsv1.0 https://sprint.tobiipro.com works, but it is not clear from the docs that --tls-max requires a --tlsv* argument as well.

Is this intentional? Because I see #2572 fixing the situation, so maybe this is a regression actually.

curl/libcurl version

curl 7.62.0 (x86_64-apple-darwin18.0.0) libcurl/7.62.0 SecureTransport zlib/1.2.11
Release-Date: 2018-10-31
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets

operating system

OSX Mojave


cc @tobiiasl
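A small check for the regression described in this issue, added here as an example and not part of the issue or of curl itself: it parses a curl -v transcript for the negotiated TLS version and reports whether it exceeds the --tls-max that was requested. The function names are assumptions, and the sample transcript is constructed from the output quoted above (SecureTransport's "TLS 1.2 connection using" line; OpenSSL's "SSL connection using TLSv1.2" form is handled too).

```shell
#!/bin/sh
# Detect a curl build that does not enforce --tls-max: compare the TLS
# version curl actually negotiated (from its -v output) with the maximum
# that was requested. All function names here are assumed, not curl's own.

# Constructed transcript, copied from the curl -v output quoted in the
# issue: TLS 1.2 was negotiated although --tls-max 1.0 was requested.
sample_transcript() {
    cat <<'EOF'
*   Trying 52.84.213.2...
* TCP_NODELAY set
* Connected to sprint.tobiipro.com (52.84.213.2) port 443 (#0)
* ALPN, offering http/1.1
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
EOF
}

# Read a curl -v transcript on stdin and print the negotiated TLS version.
# SecureTransport prints "* TLS 1.2 connection using ...";
# OpenSSL prints "* SSL connection using TLSv1.2 / ...".
negotiated_tls_version() {
    sed -n \
        -e 's/^\* TLS \([0-9]\.[0-9]\) connection using .*/\1/p' \
        -e 's/^\* SSL connection using TLSv\([0-9]\.[0-9]\) .*/\1/p' \
        | head -n 1
}

# Turn "major.minor" into a comparable integer: 1.0 -> 10, 1.2 -> 12.
tls_version_number() {
    echo "$1" | awk -F. '{ print $1 * 10 + $2 }'
}

# $1 = requested --tls-max value; transcript on stdin.
# Returns 0 if the max was honored, 1 if it was exceeded (this issue's
# behaviour), 2 if no TLS version line was found in the transcript.
tls_max_honored() {
    got=$(negotiated_tls_version)
    [ -n "$got" ] || return 2
    [ "$(tls_version_number "$got")" -le "$(tls_version_number "$1")" ]
}

# Usage against a live server would be:
#   curl -v --tls-max 1.0 https://<host> 2>&1 | tls_max_honored 1.0
if sample_transcript | tls_max_honored 1.0; then
    echo "--tls-max 1.0 honored"
else
    echo "negotiated version exceeds --tls-max 1.0: max not enforced"
fi
```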

@tobiiasl


commented Dec 12, 2018

Also note that the help text for --tls-max is confusing. It does not describe a "max" behaviour and explicitly mentions TLSv1.0:
--tls-max <VERSION> Use TLSv1.0 or greater

@bagder bagder added the SSL/TLS label Dec 12, 2018

@bagder


commented Dec 12, 2018

#2572 was about OpenSSL while this bug is using the SecureTransport backend. I can confirm it happens to me too using the latest code.

bagder added a commit that referenced this issue Dec 12, 2018

docs: fix the --tls-max description
Reported-by: Tobias Lindgren
Pointed out in #3367

bagder added a commit that referenced this issue Dec 13, 2018

docs: fix the --tls-max description
Reported-by: Tobias Lindgren
Pointed out in #3367

Closes #3368

bagder added a commit that referenced this issue Dec 13, 2018

darwinssl: accept setting max-tls with default min-tls
Reported-by: Andrei Neculau
Fixes #3367

bagder added a commit that referenced this issue Dec 13, 2018

darwinssl: accept setting max-tls with default min-tls
Reported-by: Andrei Neculau
Fixes #3367
Closes #3373

@bagder bagder closed this in 4531b29 Dec 14, 2018
