
A server I need to communicate with only allows TLS1.3 traffic.

I have thus updated the version of OpenSSL bundled with Amazon Linux 2 to OpenSSL 1.1.1c, following this guide.

I am now able to use TLS 1.3 with OpenSSL, e.g. openssl s_client -connect google.com:443 -tls1_3.

I need other command line tools such as cURL and Git to use this updated version of OpenSSL so they can communicate with the server using TLS 1.3 too. When I try to use cURL following the update I get the following:

$ curl --tlsv1.3 "https://google.com"
curl: (4) OpenSSL was built without TLS 1.3 support

What is the best method of getting other tools such as cURL and Git to use the updated OpenSSL?

Anon957

Comments:

  • Please see this https://stackoverflow.com/a/65986968 and this https://github.com/git/git/commit/d81b651f56060038a1547f4beb949122533a8165 – Alex Aug 22 '21 at 14:01
  • Don't use Amazon Linux (2 or any other number). Use a stable, known quantity Linux distribution which already supports TLS 1.3 such as CentOS 8 or RHEL 8. – Michael Hampton Aug 22 '21 at 16:53

1 Answer

I realize this is 4 months old, but to provide an answer to others who may be seeking the same solution:

You'll need to build a new version of curl that will support the new OpenSSL version. I had to do the same for curl and wget. Bear in mind that this is not the same version of curl that is used by PHP on Amazon Linux 2, so you can't expect PHP apps like WordPress using WP-Cron to be able to support TLSv1.3. Be aware that the example below was based on my needs; your versions and configuration options may vary, in addition to dependencies you may need to install:

# Fetch and unpack the curl source release
wget https://curl.haxx.se/download/curl-7.80.0.tar.gz
gunzip -c curl-7.80.0.tar.gz | tar xvf -
cd curl-7.80.0
# Configure against OpenSSL (use --with-ssl=PREFIX if the 1.1.1 build is not
# in the default search path), plus HTTP/2, HTTP/3 and SSH backends;
# the brace expansion yields --with-libssh --with-libssh2
./configure --with-ssl --with-nghttp2 --with-ngtcp2 --with-{libssh,libssh2}
make
# Installs under /usr/local by default, alongside the distro curl in /usr/bin
sudo make install

I believe a reboot is required to replace the existing curl/wget

TJ Downes
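A check for the outcome of the build above, added here as an example that is not part of the question or answer: it parses the first line of `curl --version` to find which OpenSSL the curl on PATH is linked against and whether that release (1.1.1 or later) can speak TLS 1.3, without any network round trip. The banner strings are constructed samples, and `check_installed_curl` is a hypothetical helper name.

```shell
#!/bin/sh
# Print the OpenSSL version token (e.g. "1.1.1c") from a curl banner line,
# or nothing if curl was built against another backend (NSS, GnuTLS, ...).
openssl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL\/\([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Return 0 if an OpenSSL version string is >= 1.1.1, the first TLS 1.3 release.
openssl_supports_tls13() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 1 ]; then return 0; fi
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]
}

# Return 0 if the banner's curl is linked against a TLS 1.3 capable OpenSSL.
curl_banner_tls13_ok() {
    v=$(openssl_version_from_banner "$1")
    [ -n "$v" ] && openssl_supports_tls13 "$v"
}

# Hypothetical helper: inspect the curl actually found on PATH. After
# `make install` into /usr/local the shell may still have the old
# /usr/bin/curl cached; `hash -r` drops that cache without a reboot.
check_installed_curl() {
    hash -r 2>/dev/null
    banner=$(curl --version 2>/dev/null | head -n 1) || return 1
    printf 'using: %s\nbanner: %s\n' "$(command -v curl)" "$banner"
    if curl_banner_tls13_ok "$banner"; then
        echo "TLS 1.3 capable (OpenSSL $(openssl_version_from_banner "$banner"))"
    else
        echo "not TLS 1.3 capable: rebuild curl against OpenSSL >= 1.1.1"
        return 1
    fi
}

# Constructed sample banners: a curl built on a pre-1.1.1 OpenSSL and the
# rebuilt 7.80.0 from the answer above.
OLD_BANNER='curl 7.61.1 (x86_64-koji-linux-gnu) libcurl/7.61.1 OpenSSL/1.0.2k zlib/1.2.7'
NEW_BANNER='curl 7.80.0 (x86_64-pc-linux-gnu) libcurl/7.80.0 OpenSSL/1.1.1c zlib/1.2.7 nghttp2/1.41.0'

# Only touch the real curl when asked to: `sh check.sh --check`
case "${1:-}" in --check) check_installed_curl || exit $? ;; esac
```

Running with `--check` reports the curl binary and OpenSSL version in use; a result of "not TLS 1.3 capable" right after `make install` usually means the old `/usr/bin/curl` is still first on PATH or cached by the shell.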