-
-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WinSSL - No TLS handshake when specifying ciphers (encryption algorithms) #3389
Comments
I have been trying to verify this. Yes, I get the same issue w/o knowing what the problem is But, did you note this in
The Besides, shouldn't the |
I don't think the array length plays a role here. In
we set the algCount so the Schannel knows exactly the number of algorithms. The problem seems unclear to me. Some options like Is there a chance that we can only set algorithms that are enabled in the windows registry? |
I think this is schannel's fault that it does not document which individual algorithm ids it supports for TLS other than to say "the algorithm identifiers CALG_AES, CALG_AES_128, and CALG_AES_256are not supported." It is more groups that bundle them like CALG_RSA_SIGN or CALG_DH_EPHEM should work. CALG_ECDH is "is supported only through Cryptography API: Next Generation" so maybe we don't support that? |
I agree. Shall we add something in the documentation to indicate to people how to use this feature? |
I think that's a good idea. I'll write up a script to go through each id and see which ones work. |
Script is at https://gist.github.com/jay/51f8511e411fd6bf9ea0d531f30f27d6 The script tests each CALG and looks for common errors SEC_E_ALGORITHM_MISMATCH and SEC_E_ILLEGAL_MESSAGE. The illegal message results differ for example test.com CALG_DH_EPHEM illegal but example.com success. I'm not sure if it's right for us to specify which algorithms work when different hosts return different results. The algorithm mismatches probably are going to remain fairly constant because that error seems to be returned acquiring the handle, but who's to say a different version of Windows won't behave differently (I did this test in Windows 7).
|
Thanks @jay. I agree, Windows is dictating the rules for Schannel. What I found strange though is that with some algorithms don't even attempt to connect. For example CALG_MD4 doesn't even send a client hello message. For the SEC_E_ALGORITHM_MISMATCH error it's clear that the server and the client cannot agree. I'll make a PR with a few extra words in the documentation to help users navigate around these issues. I am posting results for the same test on Windows 8.1 and 10 and 2012 for reference.
Windows 10:
Windows 2012 r2:
|
(let me channel in relevant comments I got over twitter) Eric Lawrence (@ericlaw1979) commented:
Nasko Oskov (@naskooskov) commented:
|
Thanks for that. I don't think we should be responsible for disabled/unexpected ciphers that were specified to curl by the user. In other words I think what we are currently doing is correct and the burden should be on the user. I don't think we should be pre-emptive about it and read the registry. Perhaps we should put something in the CIPHERS doc that explains it though. |
I created the #4106 MR to add some extra information in the docs regarding to this. |
When specifying encryption algorithms on build with Schannel, the call to AcquireCredentialsHandle fails and no client hello is sent at all. I have tried various combinations of
CALG_
options and they all seems to fail with the same error.curl/lib/vtls/schannel.c
Line 666 in f097669
I did this
curl/libcurl version
curl 7.63.0-DEV (i386-pc-win32) libcurl/7.63.0-DEV WinSSL
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Debug IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL
The same happens for older versions. I don't think it's a regression thing.
operating system
Windows 7, 8, 10 ans server 2012. I haven't tried others.
The text was updated successfully, but these errors were encountered: