curl-tracker Archives
[curl:bugs] #1487 HTTP/2 should use stricter TLS ciphers as mandated (with OpenSSL)
From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Thu, 12 Mar 2015 22:20:40 +0000
- **labels**: http2, SSL/TLS --> http2, SSL/TLS, openssl
Commit 0d1060f21 makes the cipher list in the OpenSSL backend get used sorted by strength, and this makes curl pick better ciphers and it works fine on golang.org. Case closed.
---

**[bugs:#1487] HTTP/2 should use stricter TLS ciphers as mandated (with OpenSSL)**

**Status:** closed-fixed
**Labels:** http2 SSL/TLS openssl
**Created:** Wed Feb 25, 2015 12:33 PM UTC by Daniel Stenberg
**Last Updated:** Wed Feb 25, 2015 11:04 PM UTC
**Owner:** Daniel Stenberg

Using curl 7.41.0 and nghttp2/0.7.5-DEV. Command: "curl --http2 -v https://http2.golang.org"

This ends with this output (when built with debug):

~~~~
* STATE: DO => DO_DONE handle 0x1182218; line 1314 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x1182218; line 1441 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x1182218; line 1454 (connection #0)
* http2_recv: 16384 bytes buffer
* (0), Unknown (23):
* nread=48
* nghttp2_session_mem_recv() returns 48
* before_frame_send() was called
* (0), Unknown (23):
* on_frame_send() was called
* http2_recv: 16384 bytes buffer
* (0), Unknown (21):
* TLSv1.2, TLS alert, Client hello (1):
* nread=0
* EOF
* STATE: PERFORM => DONE handle 0x1182218; line 1626 (connection #0)
* Connection #0 to host http2.golang.org left intact
* Expire cleared
~~~~

The 'nread=0' and EOF lines are clues that it was shut down at HTTP/2 level. It probably happens because curl negotiated a cipher that is not AEAD: "SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA" (and the server is probably very strictly abiding by the protocol spec and refuses curl to continue).

1) This should generate a nicer message
2) This should return an error code and not CURLE_OK with no output
3) We should make sure to use AEAD ciphers when using HTTP/2 (and probably otherwise too).

---

Received on 2015-03-12
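As an added example (not curl's code and not part of this bug report), the Python script below checks OpenSSL cipher names against the HTTP/2 TLS 1.2 requirements of RFC 7540 section 9.2.2 (AEAD bulk cipher, ephemeral key exchange) that the negotiated ECDHE-RSA-AES256-SHA fails, and uses the local OpenSSL through the `ssl` module to show how appending `@STRENGTH` to a cipher string reorders the offered suites. The name patterns and the cipher string are this example's own constructions; the exact suites available depend on the installed OpenSSL.

```python
import ssl

# Name patterns for OpenSSL cipher suites. RFC 7540 section 9.2.2 requires
# HTTP/2 over TLS 1.2 to use an AEAD cipher with ephemeral key exchange;
# CBC-mode suites such as ECDHE-RSA-AES256-SHA are on its Appendix A black
# list. These patterns are this example's own approximation of that rule.
AEAD_MARKERS = ("-GCM-", "CHACHA20-POLY1305", "-CCM")
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")


def http2_acceptable(name):
    """Return True if an OpenSSL cipher name is an AEAD suite with
    ECDHE/DHE key exchange, i.e. usable for HTTP/2 over TLS 1.2."""
    is_aead = any(marker in name for marker in AEAD_MARKERS)
    return is_aead and name.startswith(EPHEMERAL_PREFIXES)


def offered_tls12_ciphers(cipher_spec):
    """Expand an OpenSSL cipher specification with the local OpenSSL and
    return the TLS 1.2 suites in the order a client would offer them.
    TLS 1.3 suites are dropped: they are always AEAD and are not
    controlled by the cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_spec)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def first_http2_suite(cipher_spec):
    """Return the first offered suite that a strict HTTP/2 server would
    accept, or None if every offered suite is black-listed."""
    for cipher in offered_tls12_ciphers(cipher_spec):
        if http2_acceptable(cipher["name"]):
            return cipher["name"]
    return None


# Constructed cipher string: the non-AEAD suite from the bug report listed
# first, followed by two AEAD suites with different key sizes.
SPEC = ("ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES256-GCM-SHA384")

if __name__ == "__main__":
    for spec in (SPEC, SPEC + "@STRENGTH"):
        print(spec)
        for c in offered_tls12_ciphers(spec):
            verdict = "ok" if http2_acceptable(c["name"]) else "REJECT"
            print(f"  {c['strength_bits']:>3} bits  {c['name']:<32} {verdict}")
        print("  first HTTP/2-acceptable:", first_http2_suite(spec))
```

Because `@STRENGTH` sorts by key bits only and keeps the relative order of equally strong suites, the 256-bit CBC suite still precedes the 256-bit GCM suite after sorting; requiring AEAD is a separate check, which is what point 3 of the report asks for.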