tls-max requires tls arguments #3367

Closed
andreineculau opened this issue Dec 12, 2018 · 2 comments
@andreineculau

I did this

$ curl --tls-max 1.0 https://sprint.tobiipro.com

and then curl printed

*   Trying 52.84.213.2...
* TCP_NODELAY set
* Connected to sprint.tobiipro.com (52.84.213.2) port 443 (#0)
* ALPN, offering http/1.1
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
...

I expected the following

I expected the connection to fail on the SSL handshake actually, because that server does not support TLS v1.0 as shown below

$ nmap -p 443 --script ssl-enum-ciphers sprint.tobiipro.com
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-12 10:57 CET
Nmap scan report for sprint.tobiipro.com (52.84.213.2)
Host is up (0.0031s latency).
Other addresses for sprint.tobiipro.com (not scanned): 52.84.213.70 52.84.213.201 52.84.213.162

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 17.70 seconds

But it seems like curl --tls-max 1.0 --tlsv1.0 https://sprint.tobiipro.com works, but it is not clear from the docs that --tls-max requires a --tlsv* argument as well.

Is this intentional? Because I see #2572 fixing the situation, so maybe this is a regression actually.

curl/libcurl version

curl 7.62.0 (x86_64-apple-darwin18.0.0) libcurl/7.62.0 SecureTransport zlib/1.2.11
Release-Date: 2018-10-31
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets

operating system

OSX Mojave


cc @tobiiasl
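The behaviour the reporter expected, as an added example that is not part of this issue or of curl's own code: a client whose TLS ceiling sits below the server's floor must fail the handshake instead of quietly negotiating a higher version. The script below stands up a throwaway TLS server on 127.0.0.1 with Python's ssl module (OpenSSL-backed, not SecureTransport), pins its minimum to TLS 1.3, and connects with a client capped at TLS 1.2 and then at TLS 1.3. It uses 1.3/1.2 rather than the 1.1/1.0 pair from the report because current OpenSSL builds refuse TLS 1.0 outright, and it assumes the openssl command-line tool is available to mint a self-signed certificate; the names negotiate, demo and the temporary certificate paths are the example's own.

```python
"""Show that a TLS client ceiling below the server floor must fail the handshake.

Added example, not curl code. Assumes the `openssl` CLI is on PATH and that the
Python ssl module is built against OpenSSL 1.1.1+ (TLS 1.3 and `-addext`).
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

_CERT_DIR = None


def _self_signed_cert():
    """Mint a throwaway self-signed cert for localhost with the openssl CLI.

    The ssl module cannot generate certificates itself, so this shells out;
    the SAN is needed because hostname checking stays enabled on the client.
    """
    global _CERT_DIR
    if _CERT_DIR is None:
        _CERT_DIR = tempfile.mkdtemp(prefix="tlsprobe-")
        subprocess.run(
            ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", os.path.join(_CERT_DIR, "key.pem"),
             "-out", os.path.join(_CERT_DIR, "cert.pem"),
             "-days", "1", "-subj", "/CN=localhost",
             "-addext", "subjectAltName=DNS:localhost"],
            check=True, capture_output=True)
    return (os.path.join(_CERT_DIR, "cert.pem"),
            os.path.join(_CERT_DIR, "key.pem"))


def _serve_once(listener, server_ctx):
    """Accept one connection, run the handshake, then wait for the peer to hang up.

    A client whose ceiling is below our floor fails here with a
    protocol_version alert; that is the expected outcome, so it is swallowed.
    """
    try:
        raw, _ = listener.accept()
        with server_ctx.wrap_socket(raw, server_side=True) as tls:
            tls.recv(1)  # returns b"" (or raises) once the client closes
    except OSError:  # ssl.SSLError is a subclass of OSError
        pass
    finally:
        listener.close()


def negotiate(client_max, server_min=ssl.TLSVersion.TLSv1_3):
    """Return the negotiated TLS version string, or None if the handshake fails.

    server_min plays the role of the server's floor (the report's nmap output),
    client_max plays the role of curl's --tls-max ceiling.
    """
    cert, key = _self_signed_cert()

    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.minimum_version = server_min
    server_ctx.load_cert_chain(cert, key)

    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert + hostname
    client_ctx.load_verify_locations(cert)
    client_ctx.maximum_version = client_max

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_serve_once, args=(listener, server_ctx),
                              daemon=True)
    server.start()

    raw = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            return tls.version()
    except (ssl.SSLError, ConnectionError):
        return None  # ceiling below floor: no common version, handshake refused
    finally:
        server.join(timeout=5)


def demo():
    """(result with ceiling TLS 1.2, result with ceiling TLS 1.3) against a 1.3-only server."""
    return (negotiate(ssl.TLSVersion.TLSv1_2),
            negotiate(ssl.TLSVersion.TLSv1_3))


if __name__ == "__main__":
    capped, allowed = demo()
    print("ceiling TLS 1.2 vs floor TLS 1.3:", capped)    # None: handshake refused
    print("ceiling TLS 1.3 vs floor TLS 1.3:", allowed)   # TLSv1.3
```

The first call is the situation in the report: the client advertises nothing above the cap, the server has no overlapping version and answers with a protocol_version alert, so the connection never comes up. If a client instead reported a TLS 1.2 session here, the cap was not actually applied to the handshake, which is exactly what the curl output above shows for --tls-max 1.0 on the SecureTransport backend.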

@tobiiasl

Also note that the help text for --tls-max is confusing. It does not describe a "max" behaviour and explicitly mentions TLSv1.0:
--tls-max <VERSION> Use TLSv1.0 or greater

@bagder bagder added the TLS label Dec 12, 2018
@bagder (Member) commented Dec 12, 2018

#2572 was about OpenSSL while this bug is using the SecureTransport backend. I can confirm it happens to me too using the latest code.

bagder added a commit that referenced this issue Dec 12, 2018
Reported-by: Tobias Lindgren
Pointed out in #3367
bagder added a commit that referenced this issue Dec 13, 2018
Reported-by: Tobias Lindgren
Pointed out in #3367

Closes #3368
bagder added a commit that referenced this issue Dec 13, 2018
bagder added a commit that referenced this issue Dec 13, 2018
Reported-by: Andrei Neculau
Fixes #3367
Closes #3373
@bagder bagder closed this as completed in 4531b29 Dec 14, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Mar 14, 2019