force PHP-Curl to use TLS 1.3

Question

Hello i want use the FineTS HBCI Api of the Sparkasse Bautzen, they send me a list of Ciphers who are not supported anymore.

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 

I try now to setup my php7.3 curl to using tls1.3 but fail on this, im using openssl 1.1.1d Im using https://github.com/nemiah/phpFinTS

  $this->curlHandle = curl_init();
        curl_setopt($this->curlHandle, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');
        curl_setopt($this->curlHandle, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($this->curlHandle, CURLOPT_SSL_VERIFYHOST, 2);
        curl_setopt($this->curlHandle, CURLOPT_USERAGENT, "FHP-lib");
        curl_setopt($this->curlHandle, CURLOPT_HEADER,  1);    
        curl_setopt($this->curlHandle, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($this->curlHandle, CURLOPT_URL, $this->host);
        curl_setopt($this->curlHandle, CURLOPT_CONNECTTIMEOUT, $this->timeoutConnect);
        curl_setopt($this->curlHandle, CURLOPT_CUSTOMREQUEST, 'POST');
        curl_setopt($this->curlHandle, CURLOPT_ENCODING, '');
        curl_setopt($this->curlHandle, CURLOPT_VERBOSE, '1');
        curl_setopt($this->curlHandle, CURLOPT_TLS13_CIPHERS, 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256');
        curl_setopt($this->curlHandle, CURLOPT_TIMEOUT, $this->timeResponse);
        curl_setopt($this->curlHandle, CURLOPT_HTTPHEADER, array("cache-control: no-cache", 'Content-Type: text/plain'));

my verbose output:

* Connected to banking-sn5.s-fints-pt-sn.de (62.181.154.164) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: TLSv1
* TLS 1.3 cipher selection: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=DE; ST=Hessen; L=Frankfurt; O=Finanz Informatik GmbH & Co. KG; OU=Finanz Informatik GmbH & Co. KG; CN=banking-sn5.s-fints-pt-sn.de
*  start date: Jan 29 00:00:00 2018 GMT
*  expire date: Apr 29 12:00:00 2020 GMT
*  subjectAltName: host "banking-sn5.s-fints-pt-sn.de" matched cert's "banking-sn5.s-fints-pt-sn.de"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> POST / HTTP/1.1
Host: banking-sn5.s-fints-pt-sn.de
User-Agent: FHP-lib
Accept: */*
Accept-Encoding: deflate, gzip
cache-control: no-cache
Content-Type: text/plain
Content-Length: 540

* upload completely sent off: 540 out of 540 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 403 Forbidden
< Server: BigIP
< Connection: close
< Content-Length: 28
<
* Closing connection 0
HTTP/1.0 403 Forbidden
Server: BigIP
Connection: close
Content-Length: 28

Answer 1

First of all: They sent you a list of ciphers they don't support anymore, not a list of protocols. So you can still use TLSv1.2 as protocol. Basically they threw away the RSA ciphers.

To fix your probem:

Use:

curl_setopt($this->curlHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
// CURL_SSLVERSION_TLSv1_2 means minimum TLS v1.2 but also 1.3 is allowed
// CURL_SSLVERSION_TLSv1_3 would mean minimum TLS v1.3

I also suggest to remove:

curl_setopt($this->curlHandle, CURLOPT_TLS13_CIPHERS, 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256');
// !!! here you force the Ciphers they forbid, so nothing is left to connect !!!
curl_setopt($this->curlHandle, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');
// let openssl decide

Don't set a list of allowed ciphers at all, I would say.

Why: because if you have a trustworthy OpenSSL Vendor for your OpenSSL 1.1.1d the defaults should be useful. Its dangerous to force specific ciphers here, let the guys from OpenSSL decide here. So if you update Your PHP/OpenSSL you get things fixed without the need to change code, especially if you don't understand the details of TLS.