Skip to content

Clarify setting TLS 1.3 ciphers using different backends #3938

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jay opened this issue May 24, 2019 · 3 comments
Closed

Clarify setting TLS 1.3 ciphers using different backends #3938

jay opened this issue May 24, 2019 · 3 comments
Labels
documentation TLS

Comments

@jay
Copy link
Member

jay commented May 24, 2019

I did this

#2607 added CURLOPT_TLS13_CIPHERS and --tls13-ciphers. They're documented as setting TLS 1.3 cipher suites, though the lib option shows in AVAILABILITY that "OpenSSL >= 1.1.1" and the option only works when SSLSUPP_TLS13_CIPHERSUITES which is only enabled for OpenSSL.

I expected the following

I find this confusing. I figured based on the docs and SSL Ciphers we had a separate option to set TLS 1.3 ciphers only to discover that that only applies only to OpenSSL, and other backends use regular --ciphers?

/cc @kdudka @tomato42
@bagder
Copy link
Member

bagder commented May 24, 2019

That option is only used for OpenSSL yes, we should clarify that in the tls13-ciphers.d file as well. I'm not even sure how libressl or boringssl do it. The fact that OpenSSL needs/uses a separate option is unfortunate but I don't think we can do anyhing about it...

bagder added a commit that referenced this issue May 27, 2019
@bagder
tls13-ciphers.d: mention it is only for OpenSSL >= 1.1.1 [ci skip]
82be5a8 
Reported-by: Jay Satiro
Fixes #3938
@bagder bagder mentioned this issue May 27, 2019
Closed
@kdudka
Copy link
Contributor

kdudka commented May 27, 2019

@jay I cannot speak for other TLS backends in general. The NSS backend in libcurl does not support TLS 1.3 cipher-suites yet. It is going to be introduced with PR #3916. I do not know whether there is an easy way to implement CURLOPT_TLS13_CIPHERS in a compatible way for the NSS backend.

@jay
Copy link
Member Author

jay commented May 27, 2019

Right. We are working in #3946 to clarify it's currently only for OpenSSL and that for other SSL backends try the regular respective cipher option. Possibly for other SSL backends if they support TLS 1.3 ciphers the same as any other cipher we could just concatenate whatever the user set in the 1.3 list to the regular one.

@bagder bagder closed this as completed in 7e590b3 Jun 2, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Aug 31, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
documentation TLS
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

tls13-ciphers.d: mention it is only for OpenSSL >= 1.1.1 [ci skip] curl/curl
3 participants
@bagder @kdudka @jay