Clarify setting TLS 1.3 ciphers using different backends #3938

Closed
jay opened this issue May 24, 2019 · 3 comments

@jay
Member

commented May 24, 2019

I did this

#2607 added CURLOPT_TLS13_CIPHERS and --tls13-ciphers. They're documented as setting TLS 1.3 cipher suites, though the lib option shows in AVAILABILITY that "OpenSSL >= 1.1.1" and the option only works when SSLSUPP_TLS13_CIPHERSUITES is set, which is only enabled for OpenSSL.

I expected the following

I find this confusing. I figured based on the docs and SSL Ciphers we had a separate option to set TLS 1.3 ciphers, only to discover that that applies only to OpenSSL, and other backends use regular --ciphers?

/cc @kdudka @tomato42

@bagder

Member

commented May 24, 2019

That option is only used for OpenSSL, yes; we should clarify that in the tls13-ciphers.d file as well. I'm not even sure how libressl or boringssl do it. The fact that OpenSSL needs/uses a separate option is unfortunate but I don't think we can do anything about it...

bagder added a commit that referenced this issue May 27, 2019

@kdudka

Collaborator

commented May 27, 2019

@jay I cannot speak for other TLS backends in general. The NSS backend in libcurl does not support TLS 1.3 cipher-suites yet. It is going to be introduced with PR #3916. I do not know whether there is an easy way to implement CURLOPT_TLS13_CIPHERS in a compatible way for the NSS backend.

@jay

Member Author

commented May 27, 2019

Right. We are working in #3946 to clarify it's currently only for OpenSSL and that for other SSL backends try the regular respective cipher option. Possibly, for other SSL backends, if they support TLS 1.3 ciphers the same as any other cipher, we could just concatenate whatever the user set in the 1.3 list to the regular one.

@bagder bagder closed this in 7e590b3 Jun 2, 2019
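
The backend split discussed in this thread, as an added example that is not part of the issue or of curl's own code: a shell helper that reads the first line of `curl -V` and reports which option a hardening script should use for a TLS 1.3 suite list. It encodes only what the thread states (`--tls13-ciphers` for OpenSSL >= 1.1.1, the regular cipher option for other backends); the function names and the sample version lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the curl option that can carry a TLS 1.3 suite list,
# based on the TLS backend named in the first line of `curl -V`.
# Assumption: the backend appears as a "Name/version" token on that line.

# True if an OpenSSL version string such as "1.1.1b" is >= 1.1.1.
openssl_at_least_111() {
    v=$1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*}; patch=${patch:-0} ;;  # "1b" -> "1"
        *)   patch=0 ;;
    esac
    case "$major$minor$patch" in
        ''|*[!0-9]*) return 1 ;;            # not a parsable version: treat as too old
    esac
    [ $(( $major * 10000 + $minor * 100 + $patch )) -ge 10101 ]
}

# Prints --tls13-ciphers, --ciphers, or none for a given `curl -V` first line.
tls13_cipher_option() {
    for tok in $1; do                       # unquoted on purpose: split on spaces
        case $tok in
            OpenSSL/*)
                if openssl_at_least_111 "${tok#OpenSSL/}"; then
                    echo "--tls13-ciphers"  # CURLOPT_TLS13_CIPHERS is available
                else
                    echo "none"             # OpenSSL older than 1.1.1
                fi
                return 0 ;;
        esac
    done
    echo "--ciphers"                        # other backends: try the regular cipher option
}

# Constructed sample lines (not captured from real hosts).
# Real use: tls13_cipher_option "$(curl -V | head -n 1)"
for line in \
    "curl 7.65.0 (x86_64-pc-linux-gnu) libcurl/7.65.0 OpenSSL/1.1.1b zlib/1.2.11" \
    "curl 7.65.0 (x86_64-pc-linux-gnu) libcurl/7.65.0 OpenSSL/1.1.0j zlib/1.2.11" \
    "curl 7.65.0 (x86_64-redhat-linux-gnu) libcurl/7.65.0 NSS/3.44 zlib/1.2.11" \
    "curl 7.65.0 (x86_64-pc-linux-gnu) libcurl/7.65.0 LibreSSL/2.9.1 zlib/1.2.11"
do
    printf '%-16s <- %s\n' "$(tls13_cipher_option "$line")" "$line"
done
```

A script that pins cipher suites can branch on the printed value and fail closed on `none` rather than passing an option the backend will not honor.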
