Reputation: 583
I have an HTTPS service endpoint which exposes Prometheus-like metrics and only works on TLS 1.2:
curl -v --tlsv1.2 --tls-max 1.2 --key keys/client.key --cert certs/client.crt https://172.99.197.118:5000/metrics -k
Now I am trying to use the curl command without specifying any TLS version, but curl by default is using TLS 1.3. Is there any way I can configure curl or the openssl package to use TLS 1.2 by default?
$ curl -v --key keys/client.key --cert certs/client.crt https://172.99.197.118:5000/metrics -k
* Trying 172.99.197.118:5000...
* TCP_NODELAY set
* Connected to 172.99.197.118 (172.99.197.118) port 5000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=New York; L=Armonk; OU=Cloud; CN=pod.cluster.local
* start date: Jan 21 16:35:29 2021 GMT
* expire date: Jan 21 16:35:59 2022 GMT
* issuer: CN=Operator Vault Intermediary CA
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56483c873e10)
> GET /metrics HTTP/2
> Host: 172.99.197.118:5000
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (OUT), TLS alert, illegal parameter (559):
* OpenSSL SSL_read: error:14160098:SSL routines:read_state_machine:excessive message size, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_SYSCALL, errno 0
* Failed sending HTTP2 data
* Connection #0 to host 172.99.197.118 left intact
curl: (56) OpenSSL SSL_read: error:14160098:SSL routines:read_state_machine:excessive message size, errno 0
Upvotes: 2
Views: 14903
Reputation: 321
If it was supporting only TLS1_2 both sides wouldn't agree on TLS1_3 as seen in the client and server hello messages.
The error you are getting might happen due to the server trying to validate the client certificate. If that is indeed the case you should check why it is failing. Could it be a self-signed certificate not trusted by the server?
Upvotes: 0
Reputation: 488
TLS versions can be changed by adding the following lines to your ~/.curlrc:
https://everything.curl.dev/usingcurl/tls#ssl-and-tls-versions
The option you're looking for in this case is --tlsv1.2
Upvotes: 2
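The last answer points at the ~/.curlrc route but does not show the file itself. The script below is an added example, not code from the question or either answer: it writes a ~/.curlrc that pins every curl invocation to TLS 1.2 (the curlrc equivalent of the --tlsv1.2 --tls-max 1.2 command line from the question), writes the equivalent system-wide OpenSSL default as an openssl.cnf fragment, and includes a small check that the curlrc really pins both the floor and the ceiling. It assumes curl reads $HOME/.curlrc (or $CURL_HOME/.curlrc), that the curl build supports --tls-max, and that the OpenSSL library is 1.1.1 or newer (the MinProtocol/MaxProtocol keys in the system_default section appeared there); the function names and the file paths are my own.

```shell
#!/bin/sh
# Added example (not from the original question or answers). Assumes curl with
# --tls-max support and OpenSSL >= 1.1.1 for the openssl.cnf keys below.
set -eu

# Write a .curlrc into directory $1 that pins curl to TLS 1.2 only.
# curlrc syntax: long option names without the leading dashes, one per line;
# options that take a value use "name = value".
write_tls12_curlrc() {
    cat > "$1/.curlrc" <<'EOF'
# Same effect as: curl --tlsv1.2 --tls-max 1.2
tlsv1.2
tls-max = 1.2
EOF
    echo "$1/.curlrc"
}

# Write an OpenSSL config fragment into $1 that makes TLS 1.2 the only
# protocol version for every application that loads this config. Applies to
# any OpenSSL-linked client, not only curl, when pointed at via OPENSSL_CONF.
write_tls12_openssl_cnf() {
    cat > "$1/openssl-tls12.cnf" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.2
EOF
    echo "$1/openssl-tls12.cnf"
}

# Sanity check: succeed only if the curlrc at $1 sets both the minimum and
# the maximum version. A file with only "tlsv1.2" still allows TLS 1.3
# (tlsv1.2 is a floor, not a pin), so it fails this check.
curlrc_pins_tls12() {
    grep -qx 'tlsv1.2' "$1" && grep -qx 'tls-max = 1.2' "$1"
}

# Demo: write both files into a scratch directory and verify the curlrc.
tmp=$(mktemp -d)
rc=$(write_tls12_curlrc "$tmp")
cnf=$(write_tls12_openssl_cnf "$tmp")
if curlrc_pins_tls12 "$rc"; then
    echo "curlrc pins TLS 1.2: $rc"
fi
echo "openssl config written: $cnf"
# To use them (placeholder URL, not from this page):
#   HOME="$tmp" curl -v https://example.invalid/metrics        # reads $HOME/.curlrc
#   OPENSSL_CONF="$cnf" curl -v https://example.invalid/metrics # OpenSSL-wide default
# Confirm the effect in the -v trace: the line should read
# "SSL connection using TLSv1.2 / ..." instead of TLSv1.3.
```

Two design notes. First, tlsv1.2 alone is a minimum, which is why the question's command also passes --tls-max 1.2; the check function exists to catch a curlrc that forgot the ceiling. Second, capping the maximum version is a client-side downgrade workaround: a server that advertises TLS 1.3 in its ServerHello and then aborts with "excessive message size" during the client-certificate exchange is misbehaving (the first answer's point), so the pin is best treated as a diagnostic or temporary measure while the server side is fixed, and the -k in the original command still disables certificate verification regardless of which version is negotiated.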