cURL 7.77 TLS priority string causes TLS downgrade at bitbucket.org #7277
Comments
I can reproduce with GnuTLS/3.7.1 using current curl from git master.
fails
Default build, uses this priority list:
NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3
If I remove the
Using NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
Then curl/GnuTLS will negotiate TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256. If I instead use curl/openssl against this site it negotiates TLSv1.3 / TLS_AES_128_GCM_SHA256 (works).
This one negotiates and uses TLS 1.3 just fine with the default cipher selection.
@nmav, do you have any clues on this for us?
Thanks for confirming! Note that 7.74.0 used a simpler priority string that does not exhibit this problem:
For the record I also notified the
@civodul does that simpler config make it negotiate 1.3?
Order matters, you are prioritizing the older protocols over TLS1.3.
Ah, then the order must be at fault. If we use the correct order, we get
However, isn't this equivalent to nothing (empty string), @nmav, at least until TLS 1.4 comes into existence? In other words, is there value in being explicit?
I figure if we're fine with 1.0 to 1.3, then using
Reported-by: civodul on github
Assisted-by: Nikos Mavrogiannopoulos
Fixes #7277
I confirm that this patch fixes the problem. Thanks @bagder for the quick response!
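The comments above boil down to one rule of GnuTLS priority strings: "+VERS-X" appends X to the end of the enabled-version list, so the 7.77 string, which adds TLS1.0 first and TLS1.3 last, ends up preferring TLS1.0. The following is an added example (not curl or GnuTLS code) that models only that ordering rule for VERS-* keywords and ignores every other keyword, so the two strings can be compared offline. The list of versions that NORMAL enables, and the "corrected" string with the versions appended newest-first, are assumptions made for the example; the model does not simulate the handshake itself, only which version GnuTLS would prefer.

```python
"""Model of how GnuTLS applies VERS-* keywords in a priority string.

Added example, not GnuTLS or curl code. It reproduces only the ordering rule
for protocol versions: NORMAL seeds the list, '-' / '!' remove, and '+'
appends at the END, so later '+VERS-*' keywords get lower preference.
Ciphers, MACs, CTYPE-* and all other keywords are ignored.
"""

# Assumption: versions the NORMAL keyword enables, highest preference first.
NORMAL_VERSIONS = ["TLS1.3", "TLS1.2", "TLS1.1", "TLS1.0"]
TLS_VERSIONS = ["TLS1.3", "TLS1.2", "TLS1.1", "TLS1.0"]  # what VERS-TLS-ALL expands to
ALL_VERSIONS = TLS_VERSIONS + ["SSL3.0"]                 # what VERS-ALL expands to

# The string from the report above.
CURL_7_77 = ("NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:"
             "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3")
# Hypothetical corrected string: same keywords, newest version appended first.
CORRECTED = ("NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:"
             "+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0")


def _expand(name):
    """Map the text after 'VERS-' to the concrete versions it stands for."""
    if name == "ALL":
        return list(ALL_VERSIONS)
    if name == "TLS-ALL":
        return list(TLS_VERSIONS)
    if name == "DTLS-ALL":
        return []  # DTLS is not modelled here
    return [name]


def version_order(priority):
    """Return the enabled protocol versions, highest preference first."""
    enabled = []
    for keyword in priority.split(":"):
        if keyword == "NORMAL":
            enabled = list(NORMAL_VERSIONS)
        elif keyword[1:].startswith("VERS-") and keyword[0] in "+-!":
            op, targets = keyword[0], _expand(keyword[len("+VERS-"):])
            if op == "+":
                for version in targets:
                    if version not in enabled:
                        # appended: lower preference than everything already listed
                        enabled.append(version)
            else:
                enabled = [v for v in enabled if v not in targets]
        # any other keyword (ciphers, MACs, CTYPE-*, %flags) leaves the order alone
    return enabled


def preferred_version(priority):
    """The version GnuTLS would try first, or None if the string enables none."""
    order = version_order(priority)
    return order[0] if order else None


def prefers_newest(priority):
    """Check worth running on any hand-written string: is the newest enabled
    version also the most preferred one?"""
    order = version_order(priority)
    if not order:
        return False
    newest = next((v for v in ALL_VERSIONS if v in order), order[0])
    return order[0] == newest


if __name__ == "__main__":
    for label, priority in (("curl 7.77", CURL_7_77), ("corrected", CORRECTED)):
        print(f"{label:10} -> {', '.join(version_order(priority))}"
              f"  (prefers newest: {prefers_newest(priority)})")
```

For the real thing rather than the model, gnutls-cli can print the resolved lists for a priority string without touching the network: `gnutls-cli --list --priority '<string>'` reports the protocol order it would use, which is the authoritative check before shipping a hand-written string.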
I did this
I expected the following
Retrieving the web page flawlessly. :-)
curl/libcurl version
operating system
This is on GNU/Linux, x86_64, with GNU Guix.
further info
As noted in the original bug report, the problem can be reproduced when using the same priority string as cURL with gnutls-cli:
The priority string looks legit to me though. Are you experiencing this as well?
Thoughts?