Menu
▾
▴
#1487 HTTP/2 should use stricter TLS ciphers as mandated (with OpenSSL)
closed-fixed
5
2015-03-12
2015-02-25
No
Using curl 7.41.0 and nghttp2/0.7.5-DEV.
Command: "curl --http2 -v https://http2.golang.org"
This ends with this output (when built with debug):
* STATE: DO => DO_DONE handle 0x1182218; line 1314 (connection #0) * STATE: DO_DONE => WAITPERFORM handle 0x1182218; line 1441 (connection #0) * STATE: WAITPERFORM => PERFORM handle 0x1182218; line 1454 (connection #0) * http2_recv: 16384 bytes buffer * (0), Unknown (23): * nread=48 * nghttp2_session_mem_recv() returns 48 * before_frame_send() was called * (0), Unknown (23): * on_frame_send() was called * http2_recv: 16384 bytes buffer * (0), Unknown (21): * TLSv1.2, TLS alert, Client hello (1): * nread=0 * EOF * STATE: PERFORM => DONE handle 0x1182218; line 1626 (connection #0) * Connection #0 to host http2.golang.org left intact * Expire cleared
The 'nread=0' and EOF lines are clues that it was shutdown at HTTP/2 level.
It probably happens because curl negotiated a cipher that is not AEAD: "SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA" (and the server is probably very strictly abiding to the protocol spec and refuses curl to continue)
1) This should generate a nicer message
2) This should return an error code and not CURLE_OK with no output
3) We should make sure to use AEAD ciphers when using HTTP/2 (and probably otherwise too).
commit bc3a44aebc makes it return CURLE_RECV_ERROR for this case, with an "Unexpected EOF" message.
Adding "--ciphers TLSv1.2" makes it work.
We should make HTTP2 connections use that...
commit 0d1060f21 makes the ciphers list in the openssl backend get used sorted by strength, and this makes curl pick better ciphers and it works fine on golang.org. Case closed