[curl:bugs] #1487 HTTP/2 should use stricter TLS ciphers as mandated
From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Wed, 25 Feb 2015 23:04:45 +0000
- **summary**: HTTP/2 with golang.org stops silently --> HTTP/2 should use stricter TLS ciphers as mandated
---

**[bugs:#1487] HTTP/2 should use stricter TLS ciphers as mandated**

**Status:** open-confirmed
**Labels:** http2 SSL/TLS
**Created:** Wed Feb 25, 2015 12:33 PM UTC by Daniel Stenberg
**Last Updated:** Wed Feb 25, 2015 01:17 PM UTC
**Owner:** Daniel Stenberg

Using curl 7.41.0 and nghttp2/0.7.5-DEV.

Command: "curl --http2 -v https://http2.golang.org"

This ends with this output (when built with debug):

~~~~
* STATE: DO => DO_DONE handle 0x1182218; line 1314 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x1182218; line 1441 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x1182218; line 1454 (connection #0)
* http2_recv: 16384 bytes buffer
* (0), Unknown (23):
* nread=48
* nghttp2_session_mem_recv() returns 48
* before_frame_send() was called
* (0), Unknown (23):
* on_frame_send() was called
* http2_recv: 16384 bytes buffer
* (0), Unknown (21):
* TLSv1.2, TLS alert, Client hello (1):
* nread=0
* EOF
* STATE: PERFORM => DONE handle 0x1182218; line 1626 (connection #0)
* Connection #0 to host http2.golang.org left intact
* Expire cleared
~~~~

The 'nread=0' and EOF lines are clues that it was shut down at the HTTP/2 level. It probably happens because curl negotiated a cipher that is not AEAD: "SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA" (and the server is probably very strictly abiding by the protocol spec and refuses to let curl continue).

1) This should generate a nicer message
2) This should return an error code and not CURLE_OK with no output
3) We should make sure to use AEAD ciphers when using HTTP/2 (and probably otherwise too).

Received on 2015-02-26
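An added example, not part of the original report and not curl's own code: a check on the negotiated cipher name that returns an error code and a readable message when the cipher is not AEAD, covering the three points listed in the report. The function names, the result codes and the token heuristic over OpenSSL-style cipher names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not libcurl's CURLcode). */
enum h2_cipher_result { H2_CIPHER_OK = 0, H2_CIPHER_NOT_AEAD = 1 };

/* Return 1 if an OpenSSL-style cipher name has an AEAD mode token. Assumed:
   CBC suites such as "ECDHE-RSA-AES256-SHA" carry no mode token at all. */
static int cipher_is_aead(const char *name)
{
  static const char *const aead[] = { "GCM", "CCM", "CCM8", "CHACHA20" };
  char copy[128], *tok;
  size_t i;
  if(!name || strlen(name) >= sizeof(copy))
    return 0; /* missing or oversized name: fail closed */
  strcpy(copy, name);
  /* Compare whole tokens so a substring cannot match by accident. */
  for(tok = strtok(copy, "-_"); tok; tok = strtok(NULL, "-_"))
    for(i = 0; i < sizeof(aead) / sizeof(aead[0]); i++)
      if(!strcmp(tok, aead[i]))
        return 1;
  return 0;
}

/* Check the negotiated cipher before HTTP/2 is used. On failure, fill errbuf
   with a readable reason and return a non-zero code. */
static enum h2_cipher_result h2_check_cipher(const char *name,
                                             char *errbuf, size_t len)
{
  if(cipher_is_aead(name)) {
    if(len)
      errbuf[0] = '\0';
    return H2_CIPHER_OK;
  }
  snprintf(errbuf, len, "HTTP/2 requires an AEAD cipher, negotiated %s",
           name ? name : "(none)");
  return H2_CIPHER_NOT_AEAD;
}

int main(void)
{
  char err[128];
  /* Cipher quoted in the report above: rejected with a message. */
  if(h2_check_cipher("ECDHE-RSA-AES256-SHA", err, sizeof(err)))
    fprintf(stderr, "%s\n", err);
  /* Constructed sample: an AEAD suite passes and main returns 0. */
  return h2_check_cipher("ECDHE-RSA-AES128-GCM-SHA256", err, sizeof(err));
}
```

The check only inspects the cipher name; a client that wants to avoid the failure in the first place would also restrict the cipher list it offers when HTTP/2 is requested.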