
curl-users

Re: How to enforce a given TLS version with curl?

From: M K Saravanan <mksarav_at_gmail.com>
Date: Wed, 19 Dec 2018 00:47:19 +0800

Hi,

I even tried using the --tls-max 1.2 option, but it is still taking
TLSv1.3 when connecting to a server which supports both TLSv1.2 and
TLSv1.3.

Example:

$ curl -v --tlsv1.2 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES256-SHA384' https://www.cloudflare.com -o /dev/null
* Rebuilt URL to: https://www.cloudflare.com/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 198.41.214.162...
* TCP_NODELAY set
* Connected to www.cloudflare.com (198.41.214.162) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-ECDSA-AES256-SHA384
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* (304) (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [15 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [2577 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* (304) (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* (304) (OUT), TLS Unknown, Certificate Status (22):
} [1 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using unknown / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=4710875; C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare.com
* start date: Oct 30 00:00:00 2018 GMT
* expire date: Nov 3 12:00:00 2020 GMT
* subjectAltName: host "www.cloudflare.com" matched cert's "www.cloudflare.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert ECC Extended Validation Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* (304) (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
* (304) (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
* (304) (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
* Using Stream ID: 1 (easy handle 0x560e5ed0c4b0)
} [5 bytes data]
* (304) (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> GET / HTTP/2
> Host: www.cloudflare.com
> User-Agent: curl/7.58.0
> Accept: */*
>
{ [5 bytes data]
* (304) (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* (304) (IN), TLS handshake, Newsession Ticket (4):
{ [238 bytes data]
* (304) (IN), TLS handshake, Newsession Ticket (4):
{ [238 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
} [5 bytes data]
* (304) (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
< HTTP/2 200
< date: Tue, 18 Dec 2018 16:39:42 GMT
< content-type: text/html; charset=utf-8
< set-cookie: __cfduid=d2636373391ee39513542bc8ed664e5ba1545151182; expires=Wed, 18-Dec-19 16:39:42 GMT; path=/; domain=.cloudflare.com; HttpOnly
< content-security-policy-report-only: default-src 'self';
script-src 'self' 'nonce-bc4bf5b7-c2c0-4699-9868-875d4a0d2ee7'
'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; style-src
'self' 'unsafe-inline'; img-src 'self' data: https://*; media-src
'self' blob: https://videodelivery.net https://cloudflarestream.com;
object-src 'self' https://embed.cloudflarestream.com; connect-src
'self' https://videodelivery.net https://cloudflarestream.com
https://*.mktoresp.com https://www.google-analytics.com
https://stats.g.doubleclick.net https://licensing.bitmovin.com
https://*.is-cf.cloudflareresolve.com
https://*.is-doh.cloudflareresolve.com
https://*.is-dot.cloudflareresolve.com https://*.brokendnssec.net
https://stats.videodelivery.net https://s.adroll.com; frame-src 'self'
https://*.fls.doubleclick.net https://player.vimeo.com
https://www.youtube.com https://*.cloudfront.net
https://*.cloudflare.com https://*.marketo.com/; font-src 'self' data:
https://bid.g.doubleclick.net; report-uri
https://sentry.io/api/229513/security/?sentry_key=78606bb97fa04c0db6db5b68e5bfbf58&sentry_environment=production
< cache-control: public, max-age=14400
< x-xss-protection: 1; mode=block
< strict-transport-security: max-age=15780000; includeSubDomains
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< served-in-seconds: 0.206
< cf-cache-status: HIT
< expires: Tue, 18 Dec 2018 20:39:42 GMT
< set-cookie: __cflb=1594113181; path=/; expires=Wed, 19-Dec-18 15:39:42 GMT; HttpOnly
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 48b3112c683dc379-SIN
<
{ [53 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
* (304) (IN), TLS Unknown, Unknown (23):
{ [1 bytes data]
100 120k 0 120k 0 0 1569k 0 --:--:-- --:--:-- --:--:-- 1569k
* Connection #0 to host www.cloudflare.com left intact
$

Does anyone know how to enforce a given TLS version with curl?

with regards,
Saravanan
Received on 2018-12-18
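A check a practitioner would want alongside the trace above, added here as an example; it is not code from the original post or from the curl project. The trace shows why a successful exit status is not enough: the request finished with HTTP 200, yet the negotiated suite TLS_AES_256_GCM_SHA384 is a TLS 1.3 suite (all TLS 1.3 suites are named TLS_AES_* or TLS_CHACHA20_*, whereas TLS 1.2 and older suites use names such as ECDHE-ECDSA-AES256-SHA384), and the "(304)" on every handshake line is wire version 0x0304, which is TLS 1.3; this curl 7.58.0 build prints "unknown" and the raw hex only because it has no name for that version. The script below reads a curl --verbose trace from stdin, recovers the negotiated version from the "SSL connection using" line, and reports whether the --tls-max cap the caller asked for was honored. The first sample trace is copied from the post; the second (a TLS 1.2 handshake) is constructed for the example. Two caveats from the command in the post: with an OpenSSL 1.1.1 based build, --ciphers only selects suites for TLS 1.2 and below, while TLS 1.3 suites are controlled by --tls13-ciphers (added in curl 7.61.0); and a version cap should be verified against the trace rather than assumed from the flags, which is exactly what this check does.

```shell
#!/bin/sh
# Added example (not from the original post or the curl project): verify
# that the TLS version curl actually negotiated respects the --tls-max cap.
#
# Version recovery: newer curl prints
#   * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
# while the curl 7.58.0 trace in the post prints "unknown" for the version.
# The suite name is still decisive: TLS 1.3 suites are TLS_AES_* or
# TLS_CHACHA20_*, older suites look like ECDHE-ECDSA-AES256-SHA384.

# tls_version_from_trace: curl -v trace on stdin; prints 1.3, 1.2, 1.1,
# 1.0, or "unknown" when no recognisable "SSL connection using" line exists.
tls_version_from_trace() {
    line=$(grep 'SSL connection using' | head -n 1)
    case "$line" in
        *TLSv1.3*|*TLS_AES_*|*TLS_CHACHA20_*) echo 1.3 ;;
        *TLSv1.2*)                            echo 1.2 ;;
        *TLSv1.1*)                            echo 1.1 ;;
        *TLSv1.0*|*"TLSv1 "*)                 echo 1.0 ;;
        *)                                    echo unknown ;;
    esac
}

# tls_max_honored MAX: trace on stdin; prints "honored" when the negotiated
# version is at most MAX (e.g. 1.2), "exceeded" when it is higher, and
# "unknown" when the trace carries no version the parser understands.
tls_max_honored() {
    max=$(printf '%s' "$1" | tr -d .)        # "1.2" -> 12 for integer compare
    got=$(tls_version_from_trace)
    if [ "$got" = unknown ]; then
        echo unknown
    elif [ "$(printf '%s' "$got" | tr -d .)" -le "$max" ]; then
        echo honored
    else
        echo exceeded
    fi
}

# Sample 1: three lines copied from the trace in the post (curl 7.58.0,
# --tls-max 1.2 requested, www.cloudflare.com answered with TLS 1.3).
TRACE_TLS13='* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* SSL connection using unknown / TLS_AES_256_GCM_SHA384'

# Sample 2: constructed for this example, the shape curl prints when the
# cap is honored and a TLS 1.2 suite is negotiated.
TRACE_TLS12='* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-SHA384'

# Demonstration on the embedded samples (no network needed).
printf 'trace from the post, --tls-max 1.2 requested: %s\n' \
    "$(printf '%s\n' "$TRACE_TLS13" | tls_max_honored 1.2)"
printf 'constructed TLS 1.2 trace, --tls-max 1.2 requested: %s\n' \
    "$(printf '%s\n' "$TRACE_TLS12" | tls_max_honored 1.2)"

# Live use (needs network): feed curl's stderr trace into the checker and
# fail the job unless the cap was honored.
#   curl -sS -v --tls-max 1.2 -o /dev/null https://www.cloudflare.com 2>&1 \
#       | tls_max_honored 1.2
```

On the trace from the post the check prints "exceeded", which is the signal the question is about; a build that honors the cap yields "honored". Wiring the live command into a CI step or a pre-deploy smoke test turns the cap from a flag you hope works into one that is checked on every run.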