Why is mutual auth working on openssl 1.1.0g but not openssl 1.1.1?


I'm making a HTTPS request using mutual authentication. Testing it with curl 7.58.0 using openssl 1.1.0g, it works fine. Upon upgrading to openssl 1.1.1 with the same curl version, the call stops working with an "inappropriate fallback" error.

Using Wireshark, I gather the issue is likely related to OpenSSL offering TLSv1.3 in version 1.1.1 but not in 1.1.0g. The server will only allow TLSv1.2. However, I am giving curl the "--tlsv1.2" option and OpenSSL still seems to offer TLSv1.3 and TLSv1.2, for which the server is refusing TLSv1.3 without a fallback.

My question is whether this is a known change in behaviour between versions 1.1.0g and 1.1.1, and what can I do to force OpenSSL to only use TLSv1.2 with curl?

Many thanks, Ian

PS: I consulted the many changelogs between 1.1.0g and 1.1.1 but I can't see the answer.

Ian

Posted 2019-07-10T08:33:55.383

Reputation: 9

Hi Ian, I think TLS 1.3 is supported from version 1.1.1 as far as I know. Check if there is a version of curl that supports OpenSSL 1.1.1. – None – 2019-07-10T08:36:41.543

Hi camp0, I think that's the problem - I'm trying to get it to not use tls 1.3. – Ian – 2019-07-10T09:02:52.733

Looks like a programming question about libcurl or a bug report to libcurl, not information security. – Z.T. – 2019-07-10T10:15:12.120

Answers


Looks like it's a bug in curl, fixed after 7.58.

I think the correct option to avoid TLS 1.3 in this case was actually "--tls-max 1.2", but the bug seems to stand in any case. You can use both "--tlsv1.2" and "--tls-max 1.2" together.

Link to Daniel Stenberg stating those switches might not work as expected in that version:

Can confirm, after compiling the latest curl, that it now works and I can explicitly use TLS 1.2 when my curl/OpenSSL configuration supports 1.3.

Ian

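As an added example, not part of the original question or answer, the POSIX shell script below flags the build combination this thread is about (curl 7.58 or older linked against OpenSSL 1.1.1 or newer) from the first line of `curl --version`, and issues the mutual-TLS request with both `--tlsv1.2` (floor) and `--tls-max 1.2` (ceiling) so that OpenSSL 1.1.1 never advertises TLS 1.3. Assumptions: the fix is taken to land in curl 7.59 (the answer only says "after 7.58"); the certificate paths `client.pem`, `client.key` and `ca.pem` are placeholders overridable through `CLIENT_CERT`, `CLIENT_KEY` and `CA_CERT`; only builds whose version line reports `OpenSSL/` are considered affected (GnuTLS, NSS and LibreSSL builds are reported as unaffected); and `CURL` names the curl binary so the request can be dry-run.

```shell
#!/bin/sh
# Added example, not from the original post. Detects the curl/OpenSSL
# combination the thread describes and runs a mutual-TLS request pinned to
# exactly TLS 1.2.

# vergte A B: succeed when dotted version A >= B. Non-numeric suffixes such
# as the "g" in 1.1.0g are dropped, so 1.1.1g compares equal to 1.1.1.
vergte() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    gsub(/[^0-9.]/, "", a); gsub(/[^0-9.]/, "", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# affected_build LINE: succeed when LINE (first line of `curl --version`)
# shows curl older than 7.59 linked against OpenSSL 1.1.1 or newer, i.e. a
# libcurl that offers TLS 1.3 but may ignore --tlsv1.2 / --tls-max.
# Assumption: the fix landed in 7.59 (the answer only says "after 7.58").
# Builds against GnuTLS, NSS, LibreSSL etc. are reported as unaffected.
affected_build() {
  curl_ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
  ssl_ver=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's#^OpenSSL/##p' | head -n 1)
  [ -n "$ssl_ver" ] || return 1          # not an OpenSSL build
  vergte "$ssl_ver" 1.1.1 || return 1    # OpenSSL < 1.1.1 never offers TLS 1.3
  vergte "$curl_ver" 7.59 && return 1    # assumed fixed curl
  return 0
}

# tls12_mtls_request URL: warn if this curl is the affected build, then send
# a mutually authenticated request restricted to TLS 1.2. --tlsv1.2 sets the
# minimum and --tls-max 1.2 the maximum; with both, OpenSSL 1.1.1 does not
# advertise TLS 1.3 and the server cannot see a version it refuses.
# Certificate paths are placeholders; CURL lets a caller substitute the binary.
# Usage: tls12_mtls_request https://api.example.com/resource
tls12_mtls_request() {
  url=$1
  first=$(${CURL:-curl} --version 2>/dev/null | head -n 1)
  if affected_build "$first"; then
    echo "warning: '$first': --tlsv1.2/--tls-max may be ignored; upgrade curl" >&2
  fi
  set -- --tlsv1.2 --tls-max 1.2 \
    --cert "${CLIENT_CERT:-client.pem}" \
    --key "${CLIENT_KEY:-client.key}" \
    --cacert "${CA_CERT:-ca.pem}" \
    "$url"
  ${CURL:-curl} -v "$@"
}
```

With `-v`, curl prints the negotiated protocol in the handshake trace, which is the quickest way to confirm the pin took effect after upgrading; `--tls-max` itself only exists in curl 7.54.0 and later, so on older builds the only option is to upgrade.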