#2607 added CURLOPT_TLS13_CIPHERS and --tls13-ciphers. They're documented as setting TLS 1.3 cipher suites, though the lib option shows in AVAILABILITY that "OpenSSL >= 1.1.1" and the option only works when SSLSUPP_TLS13_CIPHERSUITES which is only enabled for OpenSSL.
I expected the following
I find this confusing. I figured based on the docs and SSL Ciphers we had a separate option to set TLS 1.3 ciphers only to discover that that only applies only to OpenSSL, and other backends use regular --ciphers?
That option is only used for OpenSSL yes, we should clarify that in the tls13-ciphers.d file as well. I'm not even sure how libressl or boringssl do it. The fact that OpenSSL needs/uses a separate option is unfortunate but I don't think we can do anyhing about it...
@jay I cannot speak for other TLS backends in general. The NSS backend in libcurl does not support TLS 1.3 cipher-suites yet. It is going to be introduced with PR #3916. I do not know whether there is an easy way to implement CURLOPT_TLS13_CIPHERS in a compatible way for the NSS backend.
Right. We are working in #3946 to clarify it's currently only for OpenSSL and that for other SSL backends try the regular respective cipher option. Possibly for other SSL backends if they support TLS 1.3 ciphers the same as any other cipher we could just concatenate whatever the user set in the 1.3 list to the regular one.