curl --tlsv1.3 doesn't seem to use tls1.3 #4928

Closed
guidovbrakel opened this issue Feb 14, 2020 · 2 comments

@guidovbrakel guidovbrakel commented Feb 14, 2020

When running curl --tlsv1.3 it doesn't seem to use tls 1.3. It does make a connection, but the test fails. See below for a site which supports tls 1.3 for sure and the test.

curl --tlsv1.3 https://www.vevida.com -v
* Rebuilt URL to: https://www.vevida.com/
*   Trying 77.94.249.204...
* TCP_NODELAY set
* Connected to www.vevida.com (77.94.249.204) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: serialNumber=02079565; jurisdictionC=NL; businessCategory=Private Organization; C=NL; postalCode=9727 DL; ST=Groningen; L=Groningen; street=Rozenburglaan 3; O=Vevida B.V.; OU=Vevida; CN=vevida.com
*  start date: Jan 22 00:00:00 2020 GMT
*  expire date: Feb 20 23:59:59 2020 GMT
*  subjectAltName: host "www.vevida.com" matched cert's "www.vevida.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Extended Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x558e89332580)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET / HTTP/2
> Host: www.vevida.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/2 301
< date: Fri, 14 Feb 2020 19:50:41 GMT
< server: Apache
< strict-transport-security: max-age=15768000
< content-security-policy: default-src data: https: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https: wss://*.chatlio.com wss://ws.pusherapp.com
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< referrer-policy: no-referrer-when-downgrade
< set-cookie: taal=nl; expires=Mon, 11-Feb-2030 19:50:41 GMT; Max-Age=315360000; path=/; domain=.vevida.com
< content-type: text/html; charset=UTF-8
< x-redirect-by: WordPress
< location: https://vevida.com/
< cache-control: max-age=604800
< expires: Fri, 21 Feb 2020 19:50:41 GMT
<
* Connection #0 to host www.vevida.com left intact

curl -V
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

@jay jay added the SSL/TLS label Feb 14, 2020

@jay jay commented Feb 14, 2020

> It does make a connection, but the test fails. See below for a site which support tls 1.3 for sure and the test.

? Looks like TLS 1.3 to me. What is the test?

@bagder bagder commented Feb 16, 2020

The output shows TLS 1.3 fine.

@bagder bagder closed this Feb 16, 2020
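
Added example, not from the issue thread or the curl project: a POSIX shell check that reads `curl -v` output and reports the negotiated protocol and cipher from the `SSL connection using` line, the line in the log above that shows TLS 1.3. `SAMPLE_LOG` is excerpted from the log in this issue, `TLS12_LOG` is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Excerpt of the verbose log posted in this issue (embedded so this runs offline).
SAMPLE_LOG='* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2'

# Constructed sample: what the summary line looks like for a TLS 1.2 session.
TLS12_LOG='* TLSv1.2 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384'

# Read curl -v output on stdin, print "<protocol> <cipher>".
# Returns 1 when the log has no "SSL connection using" line,
# i.e. the handshake never completed.
negotiated_tls() {
    line=$(sed -n 's|^\* SSL connection using \([^ ]*\) / \([^ ]*\).*$|\1 \2|p' | head -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line"
}

# Read curl -v output on stdin and compare the negotiated protocol with $1.
# Exit status: 0 match, 1 different protocol, 2 no completed handshake.
require_tls() {
    want=$1
    if ! got=$(negotiated_tls); then
        echo "no completed TLS handshake in log" >&2
        return 2
    fi
    proto=${got%% *}
    if [ "$proto" = "$want" ]; then
        return 0
    fi
    echo "negotiated $proto, wanted $want" >&2
    return 1
}

# Against a live server (verbose output goes to stderr, hence 2>&1):
#   curl --tlsv1.3 -sv -o /dev/null https://www.vevida.com/ 2>&1 | require_tls TLSv1.3
printf '%s\n' "$SAMPLE_LOG" | negotiated_tls
```

The per-message trace lines (`TLS Unknown, Certificate Status (22)` and similar) are ignored on purpose; only the summary line is used to decide which protocol was negotiated.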