#1487 HTTP/2 should use stricter TLS ciphers as mandated (with OpenSSL)

Status: closed-fixed
Priority: 5
Updated: 2015-03-12
Created: 2015-02-25
Private: No

Using curl 7.41.0 and nghttp2/0.7.5-DEV.

Command: "curl --http2 -v https://http2.golang.org"

This ends with this output (when built with debug):

* STATE: DO => DO_DONE handle 0x1182218; line 1314 (connection #0) 
* STATE: DO_DONE => WAITPERFORM handle 0x1182218; line 1441 (connection #0) 
* STATE: WAITPERFORM => PERFORM handle 0x1182218; line 1454 (connection #0) 
* http2_recv: 16384 bytes buffer
* (0), Unknown (23):
* nread=48
* nghttp2_session_mem_recv() returns 48
* before_frame_send() was called
* (0), Unknown (23):
* on_frame_send() was called
* http2_recv: 16384 bytes buffer
* (0), Unknown (21):
* TLSv1.2, TLS alert, Client hello (1):
* nread=0
* EOF
* STATE: PERFORM => DONE handle 0x1182218; line 1626 (connection #0) 
* Connection #0 to host http2.golang.org left intact
* Expire cleared

The 'nread=0' and EOF lines are clues that it was shut down at the HTTP/2 level.

It probably happens because curl negotiated a cipher that is not AEAD: "SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA" (and the server is probably abiding very strictly by the protocol spec and refuses to let curl continue).

1) This should generate a nicer message

2) This should return an error code and not CURLE_OK with no output

3) We should make sure to use AEAD ciphers when using HTTP/2 (and probably otherwise too).

Related

Bugs: #1472

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2015-02-25

    commit bc3a44aebc makes it return CURLE_RECV_ERROR for this case, with an "Unexpected EOF" message.

  • Daniel Stenberg

    Daniel Stenberg - 2015-02-25

    Adding "--ciphers TLSv1.2" makes it work.

    We should make HTTP2 connections use that...

  • Daniel Stenberg

    Daniel Stenberg - 2015-02-25
    • summary: HTTP/2 with golang.org stops silently --> HTTP/2 should use stricter TLS ciphers as mandated
  • Daniel Stenberg

    Daniel Stenberg - 2015-03-12
    • labels: http2, SSL/TLS --> http2, SSL/TLS, openssl
    • summary: HTTP/2 should use stricter TLS ciphers as mandated --> HTTP/2 should use stricter TLS ciphers as mandated (with OpenSSL)
    • status: open-confirmed --> closed-fixed
  • Daniel Stenberg

    Daniel Stenberg - 2015-03-12

    commit 0d1060f21 makes the ciphers list in the openssl backend get used sorted by strength, and this makes curl pick better ciphers and it works fine on golang.org. Case closed

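The ticket's point 3 (use AEAD suites for HTTP/2) and the closing comment (order the OpenSSL cipher list by strength) both come down to one question: which suite sits first in the client's offered list, and is it one an HTTP/2 server is entitled to reject? The following is an added example written for this page, not curl's code and not the change in commit 0d1060f21. It assumes Python's ssl module is linked against OpenSSL (or a compatible library) so that SSLContext.set_ciphers() and get_ciphers() expose OpenSSL's ordering, and the HTTP2_CIPHER_STRING policy is this example's own suggestion, not curl's default. The classifier approximates the RFC 7540 section 9.2.2 criteria (ephemeral key exchange plus an AEAD bulk cipher); the normative list is that RFC's Appendix A.

```python
import ssl

# RFC 7540 section 9.2.2: over TLS 1.2, HTTP/2 must not use suites lacking
# ephemeral key exchange or an AEAD cipher. OpenSSL's "@STRENGTH" sorts by
# symmetric key size only, so a 256-bit CBC suite such as
# ECDHE-RSA-AES256-SHA (the one in the ticket) can outrank a 128-bit AEAD one.
AEAD_MARKERS = {"GCM", "CCM", "CCM8", "CHACHA20"}
EPHEMERAL_KEX = {"ECDHE", "DHE"}

# Example policy (an assumption of this example, not curl's default): only
# ephemeral + AEAD suites, so whatever the server picks satisfies HTTP/2.
HTTP2_CIPHER_STRING = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL"
)


def is_http2_acceptable(cipher_name):
    """Classify an OpenSSL-style TLS 1.2 suite name, e.g. ECDHE-RSA-AES128-GCM-SHA256.

    True only for ephemeral key exchange (ECDHE/DHE prefix) combined with an
    AEAD bulk cipher (GCM, CCM or ChaCha20-Poly1305). CBC+HMAC suites and
    static RSA/DH/ECDH key exchange are rejected, matching the section 9.2.2
    criteria.
    """
    parts = cipher_name.upper().split("-")
    return parts[0] in EPHEMERAL_KEX and any(p in AEAD_MARKERS for p in parts)


def cipher_order(cipher_string):
    """Suite names OpenSSL would offer for a cipher string, in preference order.

    TLS 1.3 suites (TLS_ prefix) are dropped: they are all AEAD with ephemeral
    key exchange and are not governed by the TLS 1.2 cipher string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def leading_non_aead(cipher_string):
    """Suites offered ahead of the first HTTP/2-acceptable one.

    A server that honours client preference picks the first suite it also
    supports, so any name returned here would be negotiated before an AEAD
    suite and reproduce the 'nread=0 / EOF' failure from the ticket. An empty
    list means the top of the offered list is already acceptable.
    """
    risky = []
    for name in cipher_order(cipher_string):
        if is_http2_acceptable(name):
            break
        risky.append(name)
    return risky


if __name__ == "__main__":
    cases = [
        ("CBC suite ahead of AEAD (reproduces the ticket)",
         "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256"),
        ("same two suites sorted by strength",
         "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:@STRENGTH"),
        ("AEAD-only policy", HTTP2_CIPHER_STRING),
    ]
    for label, spec in cases:
        risky = leading_non_aead(spec)
        print(f"{label}: offered first = {cipher_order(spec)[:1]}")
        print("  non-AEAD suites ahead of the first acceptable one:", risky or "none")
```

The second case shows why strength sorting alone is not a guarantee: 256-bit CBC still sorts above 128-bit GCM, and the ticket's fix worked because the full OpenSSL list contains 256-bit AEAD suites that rise to the top. The third case is the policy a client can enforce independently of ordering; the same string can be passed to curl's --ciphers option.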
