
#1487 HTTP/2 should use stricter TLS ciphers as mandated (with OpenSSL)

closed-fixed
5
2015-03-12
2015-02-25
No

Using curl 7.41.0 and nghttp2/0.7.5-DEV.

Command: "curl --http2 -v https://http2.golang.org"

This ends with this output (when built with debug):

* STATE: DO => DO_DONE handle 0x1182218; line 1314 (connection #0) 
* STATE: DO_DONE => WAITPERFORM handle 0x1182218; line 1441 (connection #0) 
* STATE: WAITPERFORM => PERFORM handle 0x1182218; line 1454 (connection #0) 
* http2_recv: 16384 bytes buffer
* (0), Unknown (23):
* nread=48
* nghttp2_session_mem_recv() returns 48
* before_frame_send() was called
* (0), Unknown (23):
* on_frame_send() was called
* http2_recv: 16384 bytes buffer
* (0), Unknown (21):
* TLSv1.2, TLS alert, Client hello (1):
* nread=0
* EOF
* STATE: PERFORM => DONE handle 0x1182218; line 1626 (connection #0) 
* Connection #0 to host http2.golang.org left intact
* Expire cleared

The 'nread=0' and EOF lines are clues that it was shut down at the HTTP/2 level.

It probably happens because curl negotiated a cipher that is not AEAD: "SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA" (and the server is probably abiding very strictly by the protocol spec and refuses to let curl continue).

1) This should generate a nicer message

2) This should return an error code and not CURLE_OK with no output

3) We should make sure to use AEAD ciphers when using HTTP/2 (and probably otherwise too).

Related

Bugs: #1472

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2015-02-25

    commit bc3a44aebc makes it return CURLE_RECV_ERROR for this case, with an "Unexpected EOF" message.

  • Daniel Stenberg

    Daniel Stenberg - 2015-02-25

    Adding "--ciphers TLSv1.2" makes it work.

    We should make HTTP2 connections use that...

  • Daniel Stenberg

    Daniel Stenberg - 2015-02-25
    • summary: HTTP/2 with golang.org stops silently --> HTTP/2 should use stricter TLS ciphers as mandated
  • Daniel Stenberg

    Daniel Stenberg - 2015-03-12
    • labels: http2, SSL/TLS --> http2, SSL/TLS, openssl
    • summary: HTTP/2 should use stricter TLS ciphers as mandated --> HTTP/2 should use stricter TLS ciphers as mandated (with OpenSSL)
    • status: open-confirmed --> closed-fixed
  • Daniel Stenberg

    Daniel Stenberg - 2015-03-12

    commit 0d1060f21 makes the ciphers list in the openssl backend get used sorted by strength, and this makes curl pick better ciphers and it works fine on golang.org. Case closed.