Reputation: 5042
Small question regarding a curl command on a TLSV1.3 endpoint, and the error "OpenSSL was built without TLS 1.3 support".
The endpoint is a third-party endpoint I have no control over, but according to the spec, it is TLSv1.3 enabled.
Hence, if I curl like this, it will yield the error, which is somewhat expected.
./curl -vik https://third-party.com:18090/health
* Trying x:18090...
* Connected to third-party.com (x) port 18090 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, protocol version (582):
* error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
* Closing connection 0
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
But I also tried this (note the --tlsv1.3), and it is returning this error:
curl --tlsv1.3 -vik https://third-party.com:18090/health
* Trying x:18090...
* Connected to third-party.com (x) port 18090 (#0)
* OpenSSL was built without TLS 1.3 support
* Closing connection 0
curl: (4) OpenSSL was built without TLS 1.3 support
The thing is, I haven't built openssl, I just did yum -y install -y openssl openssl-devel
May I ask how I can make my curl work with tlsv1.3, or how to fix this issue, please?
Thank you
Upvotes: 7
Views: 45843
Reputation: 39010
The wording "OpenSSL was built without TLS 1.3 support" may be misleading. It actually means this particular curl executable was built to use OpenSSL for the SSL/TLS protocol (not one of several other options) AND the version/build of OpenSSL being used does not support TLS1.3; see the function set_ssl_version_min_max_legacy in https://github.com/curl/curl/blob/master/lib/vtls/openssl.c .
Looking at your error message, it is clearly from an OpenSSL version below 1.1.0 (released in 2016), and it is definitely true that such versions do not support TLS1.3. Only OpenSSL 1.1.1 (2018) now supports TLS1.3 (3.0.0, currently in alpha, also will) (2023 update: did).
You can't make that curl do TLS1.3. Since you are apparently using a RedHat-family system of some kind, depending on which system it is there may be other curl builds available either in a standard repository or an optional one. If not, you'll need to get OpenSSL 1.1.1 (or higher) which again may be available in a repository or else you'll have to build from source, and then build (sufficiently recent) curl from source to use that OpenSSL.
An alternative approach, instead of getting this to work directly on your system, is to use another system: either a real system, possibly in the cloud; or a virtual machine on your system; or a docker or similar container which basically virtualizes only the OS but not the underlying hardware.
Upvotes: 9
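The answer above boils down to two version thresholds: curl itself must be new enough to know the --tlsv1.3 option (added in curl 7.52.0), and an OpenSSL-backed curl must be linked against OpenSSL 1.1.1 or later. The following script, an added example that is not part of the answer or of the curl project, applies those two rules to the first line of `curl --version` and reports whether a given build can negotiate TLS 1.3. The sample banners are constructed for illustration, not copied from the asker's machine; builds on other TLS backends (NSS, GnuTLS, LibreSSL) have their own thresholds, so the script reports "unknown" for them rather than guessing.

```shell
#!/bin/sh
# Added example (not from the original answer): decide from a `curl --version`
# banner whether this curl build can negotiate TLS 1.3.
# Rules applied:
#   - curl needs >= 7.52.0 to accept --tlsv1.3 at all;
#   - an OpenSSL-backed curl needs OpenSSL >= 1.1.1 (3.x also qualifies);
#   - other backends are not judged here (verdict "unknown").

# Turn "a.b.c" (a trailing letter such as 1.1.1k is tolerated) into one
# sortable integer so plain -ge/-lt comparisons work.
vernum() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//' \
        | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Argument: the first line of `curl --version`.
# Exit status: 0 = TLS 1.3 capable, 1 = not capable, 2 = cannot tell.
tls13_capable() {
    banner=$1
    curl_ver=$(printf '%s\n' "$banner" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p')
    [ -n "$curl_ver" ] || return 2
    # Older curl rejects --tlsv1.3 outright, whatever the TLS library can do.
    [ "$(vernum "$curl_ver")" -ge "$(vernum 7.52.0)" ] || return 1
    ssl_ver=$(printf '%s\n' "$banner" | sed -n 's|.*OpenSSL/\([0-9][0-9a-z.]*\).*|\1|p')
    if [ -n "$ssl_ver" ]; then
        # This is the asker's situation: OpenSSL 1.0.x -> no TLS 1.3.
        [ "$(vernum "$ssl_ver")" -ge "$(vernum 1.1.1)" ] && return 0
        return 1
    fi
    return 2
}

# Same decision as a word on stdout; always exits 0 so it is safe under set -e.
tls13_verdict() {
    if tls13_capable "$1"; then
        echo yes
    else
        case $? in
            1) echo no ;;
            *) echo unknown ;;
        esac
    fi
}

# Constructed sample banners (illustrative, not real output from any machine).
OLD_RHEL='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7'
OLD_OSSL='curl 7.61.1 (x86_64-pc-linux-gnu) libcurl/7.61.1 OpenSSL/1.0.2k zlib/1.2.11'
NEW_OSSL='curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/1.1.1k zlib/1.2.11'
BREW='curl 8.4.0 (x86_64-apple-darwin23.0) libcurl/8.4.0 OpenSSL/3.1.4 zlib/1.2.12'
GNUTLS='curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 GnuTLS/3.7.9 zlib/1.2.13'

for banner in "$OLD_RHEL" "$OLD_OSSL" "$NEW_OSSL" "$BREW" "$GNUTLS"; do
    printf '%-8s %s\n' "$(tls13_verdict "$banner")" "$banner"
done

# Judge the curl actually on PATH, if there is one (skipped when absent).
if command -v curl >/dev/null 2>&1; then
    printf '%-8s %s\n' "$(tls13_verdict "$(curl --version 2>/dev/null | head -n 1)")" "local curl"
fi
```

Once a capable build is in place (from a repository, a source build, or Homebrew on macOS), the endpoint itself can be checked independently of curl with `openssl s_client -tls1_3 -connect third-party.com:18090`; the -tls1_3 option only exists in OpenSSL 1.1.1 and later, so its absence is itself a sign of the old library.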
Reputation: 48526
In order to use curl directly after brew install curl under macOS, you need to have curl in your PATH through
echo 'export PATH="/usr/local/opt/curl/bin:$PATH"' >> /Users/YOURNAME/.bash_profile
So we could use curl directly like
curl --tlsv1.3 xxxxx
One more thing, another piece of advice: put in your .bash_profile (or .bashrc):
export HOMEBREW_FORCE_BREWED_CURL=1
However, it failed to use the latest curl installed by brew.
Upvotes: 2
Reputation: 49974
On macOS, I succeeded by installing a new curl version by brew install curl.
Then you can run something, for example
/usr/local/opt/curl/bin/curl --version
or
/usr/local/opt/curl/bin/curl --tlsv1.3 --request GET \
--url https://localhost:9200 \
--cacert ca.crt \
--key tls.key \
--cert tls.crt \
--header 'Content-Type: application/json' \
--verbose
Upvotes: 7