Re: How to not send TLS 1.3 Ciphers?

From: Petr Pisar via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 16 Apr 2020 07:41:50 +0200

On Thu, Apr 16, 2020 at 12:36:24AM +0200, Mark Windshield via curl-library wrote:
> I'm trying to not send TLS 1.3 Ciphers when making a request through
> libcurl (but have the option to set them), I tried compiling openssl with
> 'define TLS_DEFAULT_CIPHERSUITES " " ' instead of it containing the three
> "default" ciphers, but when replacing openssl and using libcurl with that
> compiled version of openssl it'd always throw an SSL Connect error unless I
> set at least one TLS1.3 Cipher via CURLOPT_TLS13_CIPHERS.
> What worked was compiling openssl with "-no-tls1_3", but then I was
> obviously not able to set TLS1.3 Ciphers at all anymore.
>
> I didn't find anything on the matter so I was wondering if and then how it
> is possible to not send any TLS13_Ciphers, while still being able to set
> them via CURLOPT_TLS13_CIPHERS when needed?

OpenSSL uses different ciphersuite identifiers for TLS 1.3 and TLS < 1.3,
although they are the same from an algorithm point of view. That means TLS 1.3
can only be used with TLS 1.3 cipher identifiers and those identifiers cannot
be used with older TLS protocols.

See <https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/>:

    There are new ciphersuites that only work in TLSv1.3. The old ciphersuites
    cannot be used for TLSv1.3 connections.

    The new ciphersuites are defined differently and do not specify the
    certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism
    (e.g. DHE or ECDHE). This has implications for ciphersuite configuration.

-- Petr

Received on 2020-04-16
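
The split described in the reply can be observed directly in the ClientHello. The following is an added example, not code from this thread or from the curl project: it uses Python's `ssl` module (a wrapper around OpenSSL) to build a ClientHello in memory and list the cipher suite IDs it offers. It assumes an OpenSSL build with TLS 1.3 enabled; `make_ctx`, `client_hello_suites`, `offered_tls13` and the host name `example.invalid` are names made up for the example. In libcurl the corresponding version cap is `CURLOPT_SSLVERSION` with `CURL_SSLVERSION_MAX_TLSv1_2`.

```python
import ssl
import struct

# TLS 1.3 cipher suite code points defined in RFC 8446, appendix B.4
TLS13_IDS = {0x1301, 0x1302, 0x1303, 0x1304, 0x1305}


def make_ctx(allow_tls13):
    """Client context with a restricted TLS <= 1.2 list and a version cap."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # This cipher string only selects TLS <= 1.2 suites; OpenSSL keeps the
    # TLS 1.3 suites in a separate list that set_ciphers() does not touch.
    ctx.set_ciphers("ECDHE+AESGCM")
    # Capping the protocol version is what keeps TLS 1.3 suites off the wire.
    ctx.maximum_version = (
        ssl.TLSVersion.TLSv1_3 if allow_tls13 else ssl.TLSVersion.TLSv1_2
    )
    return ctx


def client_hello_suites(ctx):
    """Return the cipher suite IDs the context puts in its ClientHello."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written and no peer answers
    data = outgoing.read()
    # record header (5) + handshake header (4) + legacy version (2) + random (32)
    pos = 5 + 4 + 2 + 32
    pos += 1 + data[pos]  # skip the session_id (length byte + value)
    (length,) = struct.unpack_from("!H", data, pos)
    pos += 2
    return [struct.unpack_from("!H", data, pos + i)[0] for i in range(0, length, 2)]


def offered_tls13(ctx):
    """TLS 1.3 suite IDs present in the context's ClientHello."""
    return [s for s in client_hello_suites(ctx) if s in TLS13_IDS]


if __name__ == "__main__":
    for allow in (True, False):
        ids = client_hello_suites(make_ctx(allow))
        print("TLS 1.3 allowed:", allow, [hex(s) for s in ids])
```

No network access is needed: the handshake stops after the first flight because nothing is fed into the incoming BIO.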