bacon_is_good

Reputation: 53

How to supply custom ciphers to curl to emulate browsers

How do I supply custom ciphers to curl for an SSL negotiation? I have a site that is granting/denying me access based on the ciphers supplied in the “Client Hello” during the SSL Handshake. Apparently, Chrome supplies a GREASE cipher (0x1A1A) in addition to 15 other ciphers. See https://cc.dcsec.uni-hannover.de/. It shows all the ciphers sent in the client hello along with their hexadecimal codes.

Currently, I’m supplying the 15 other ciphers using CURLOPT_SSL_CIPHER_LIST, but how do I supply the additional GREASE cipher? It doesn’t have a named cipher string, so I can’t supply it the usual way.

In the client hello, these cipher names are all ultimately converted to hexadecimal codes. How would I supply a custom cipher using this hex code? Can I just add 0x1a1a to CURLOPT_SSL_CIPHER_LIST?

Also, I’ve verified that I’m not being denied based on another part of the request (URL, headers, IP, cookies, SSL/TLS version, HTTP version, HTTP method, etc...) so it’s definitely the cipher list. Curl is so popular and has never failed me when emulating browsers, and surely there must be a way. Oh and my curl is using OpenSSL, not GnuTLS if that matters.

Upvotes: 3

Views: 1029

Answers (1)

ospider

Reputation: 10391

You cannot simply add the GREASE cipher suite. As mentioned by previous comments, it's not supported by OpenSSL, which is the default SSL engine for curl on most systems.

To support the GREASE cipher suite, you have to compile with BoringSSL or other SSL libraries.

But I don't think it's the CIPHER_LIST alone that was considered to block your request. TLS fingerprinting has become more and more popular nowadays. One of the most used ones is called JA3, which considers ciphers, extensions and many other factors in the TLS Hello package.

Another technique is HTTP/2 fingerprints, which is similar to TLS fingerprints, but it considers the settings frame and other parameters in an HTTP/2 connection.

To counter these issues, you have to build curl from the ground up with custom patches. Or use the prebuilt binaries from the curl-impersonate project.

Upvotes: 0
