Ran curl with curl --curves X25519:P-256:P-384:P-521 ...
I expected the following
Expected the correct curves to be set in the TLS client hello message. However, the curves are not set. This is from Wireshark:
Extension: supported_groups (len=8)
Type: supported_groups (10)
Length: 8
Supported Groups List Length: 6
Supported Groups (3 groups)
Supported Group: x25519 (0x001d)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
(Notice that secp521r1 is missing).
The reason is this code in lib/vtls/openssl.c:
#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
     !defined(LIBRESSL_VERSION_NUMBER) && \
     !defined(OPENSSL_IS_BORINGSSL))
#define HAVE_SSL_CTX_SET_CIPHERSUITES
#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
/* SET_EC_CURVES is available under the same preconditions: see
 * https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html
 */
#define HAVE_SSL_CTX_SET_EC_CURVES
#endif
However, BoringSSL does supply the SSL_CTX_set1_curves_list() function, here's the documentation. It was added in this commit.
The fix is simple and I have a patch already. I was wondering whether there is a specific reason it was disabled with BoringSSL.
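A way to check the reporter's observation without Wireshark: the following is an added example (not curl's code) that decodes the raw bytes of the supported_groups extension (type 10) from a captured ClientHello and reports whether a given group such as secp521r1 is offered. The byte string is constructed here to match the dump above, and the name-to-code-point mapping for curl's --curves names is assumed from the IANA registry.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IANA TLS "Supported Groups" code points, paired with the curl --curves
 * names from the report (mapping assumed, not taken from curl's source). */
#define GROUP_X25519    0x001d  /* curl name: X25519 */
#define GROUP_SECP256R1 0x0017  /* curl name: P-256  */
#define GROUP_SECP384R1 0x0018  /* curl name: P-384  */
#define GROUP_SECP521R1 0x0019  /* curl name: P-521  */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one supported_groups extension as laid out in a ClientHello:
 * type(2) length(2) list_length(2) group(2)... Writes the group IDs to out
 * (at most max) and returns their count, or -1 if the encoding is malformed
 * (wrong type, inconsistent lengths, odd list length, or too many groups). */
int parse_supported_groups(const uint8_t *ext, size_t ext_len,
                           uint16_t *out, size_t max)
{
    if (ext_len < 6 || rd16(ext) != 10) return -1;
    size_t len = rd16(ext + 2);
    if (len + 4 != ext_len) return -1;             /* extension length must match */
    size_t list_len = rd16(ext + 4);
    if (list_len + 2 != len || list_len % 2 != 0) return -1;
    size_t n = list_len / 2;
    if (n > max) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = rd16(ext + 6 + 2 * i);
    return (int)n;
}

/* Return 1 if group appears in the parsed list, 0 otherwise. */
int offers_group(const uint16_t *groups, int n, uint16_t group)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == group) return 1;
    return 0;
}

/* Constructed bytes matching the Wireshark dump in the report: len=8,
 * list length 6, then x25519, secp256r1, secp384r1 (no secp521r1). */
static const uint8_t before_fix[] = {0x00,0x0a, 0x00,0x08, 0x00,0x06,
                                     0x00,0x1d, 0x00,0x17, 0x00,0x18};

int main(void)
{
    uint16_t g[16];
    int n = parse_supported_groups(before_fix, sizeof before_fix, g, 16);
    printf("%d groups offered, P-521 present: %s\n", n,
           offers_group(g, n, GROUP_SECP521R1) ? "yes" : "no");
    return 0;
}
```

Running the same check on a capture taken after the patch should report P-521 as present when --curves names it.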
The CURLOPT_SSL_EC_CURVES option (used by the '--curves' flag)
in libcurl was ignored when compiling with BoringSSL because
HAVE_SSL_CTX_SET_EC_CURVES was explicitly disabled if BoringSSL was
detected. However, this feature is supported in BoringSSL since
5fd1807d. This commit enables it, and also reduces the required minimal
OpenSSL version to 1.0.2 as per OpenSSL's official documentation.
Fixes curl#8553.
curl/libcurl version
operating system
Linux ThinkPad 5.10.0-1055-oem #58-Ubuntu SMP Thu Jan 6 20:44:40 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux