Schannel regression: CURLOPT_SSL_CIPHER_LIST has no effect on Windows 10 >= 10.0.17763 #10741

@zhihaoy

Description

I did this

Set CURLOPT_SSL_CIPHER_LIST on a connection that uses Schannel and TLS 1.2, and make a connection to an HTTPS server.

I expected the following

Investigating its Hello message, the cipher suites should match my settings.

curl/libcurl version

libcurl 7.85.0 to the latest

operating system

Fails (CURLOPT_SSL_CIPHER_LIST has no effect) on Windows 10 build 17763 and above, such as Windows 10 Enterprise 1809 and 20H1.
Works (CURLOPT_SSL_CIPHER_LIST is in effect) on Windows 10 build 14393, such as Windows Server 2016.

Cause analysis

The problem was introduced by 8beff43. The change moved this chunk of code:

curl/lib/vtls/schannel.c, lines 503 to 510 in 801bd51:

```c
  if(SSL_CONN_CONFIG(cipher_list)) {
    result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list),
                             backend->algIds);
    if(CURLE_OK != result) {
      failf(data, "Unable to set ciphers to passed via SSL_CONN_CONFIG");
      return result;
    }
  }
```

to

curl/lib/vtls/schannel.c, lines 1006 to 1021 in cd95ee9:

```c
  else {
    /* Pre-Windows 10 1809 */
    ALG_ID algIds[NUM_CIPHERS];
    char *ciphers = SSL_CONN_CONFIG(cipher_list);
    SCHANNEL_CRED schannel_cred = { 0 };
    schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
    schannel_cred.dwFlags = flags;
    schannel_cred.grbitEnabledProtocols = enabled_protocols;
    if(ciphers) {
      result = set_ssl_ciphers(&schannel_cred, ciphers, algIds);
      if(CURLE_OK != result) {
        failf(data, "Unable to set ciphers to passed via SSL_CONN_CONFIG");
        return result;
      }
    }
```

However, the new block is inside an else block that starts much further up:

curl/lib/vtls/schannel.c, lines 790 to 792 in cd95ee9:

```c
  /* Windows 10, 1809 (a.k.a. Windows 10 build 17763) */
  if(curlx_verify_windows_version(10, 0, 17763, PLATFORM_WINNT,
                                  VERSION_GREATER_THAN_EQUAL)) {
```

Then the logic becomes: since only Windows 10 build 17763 supports TLS 1.3, we configure only TLS 1.3 ciphers on those systems; on a lower version of Windows, we go ahead and configure TLS 1.2 (or lower) ciphers. So the combination of "on a newer version of Windows 10" and "using TLS 1.2" falls into neither branch, and support for CURLOPT_SSL_CIPHER_LIST under that combined condition was lost.
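To make the missed case concrete, here is a small C model of the branch structure described above (an added example, not curl's code and not curl's actual fix). The build number and TLS version stand in for the Windows version check and the protocol in use; the "fixed" shape is an assumption showing one way to gate TLS 1.3 handling on both conditions so the legacy cipher list is still applied for TLS 1.2 on newer Windows.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the branch structure discussed in the issue
   (not curl's code). Build number and TLS version stand in for the
   Windows version check and the protocol actually in use. */

#define WIN10_1809_BUILD 17763u   /* build number cited in the issue */
enum tls_ver { TLS_1_2 = 12, TLS_1_3 = 13 };

/* Buggy shape: the legacy cipher list is only consulted in the
   pre-1809 branch, so newer Windows + TLS 1.2 reaches neither path. */
static bool cipher_list_applied_buggy(unsigned build, enum tls_ver ver,
                                      const char *cipher_list)
{
  if(build >= WIN10_1809_BUILD) {
    /* TLS 1.3 cipher configuration only; cipher_list is never read */
    (void)ver;
    return false;
  }
  else {
    /* Pre-Windows 10 1809 */
    return cipher_list != NULL;
  }
}

/* Fixed shape (an assumption, not curl's actual fix): only treat the
   connection as TLS 1.3 when both the OS supports it and TLS 1.3 is in
   use; otherwise apply the legacy list regardless of Windows build. */
static bool cipher_list_applied_fixed(unsigned build, enum tls_ver ver,
                                      const char *cipher_list)
{
  bool tls13 = (build >= WIN10_1809_BUILD) && (ver >= TLS_1_3);
  if(tls13)
    return false;  /* TLS 1.3 suites are configured separately */
  return cipher_list != NULL;
}

int main(void)
{
  const char *list = "AES256-SHA256";  /* constructed sample list */
  printf("build 17763, TLS 1.2: buggy=%d fixed=%d\n",
         cipher_list_applied_buggy(17763, TLS_1_2, list),
         cipher_list_applied_fixed(17763, TLS_1_2, list));
  printf("build 14393, TLS 1.2: buggy=%d fixed=%d\n",
         cipher_list_applied_buggy(14393, TLS_1_2, list),
         cipher_list_applied_fixed(14393, TLS_1_2, list));
  return 0;
}
```

The first printed line reproduces the report (buggy=0 on build 17763 with TLS 1.2); a regression check against the real library would instead inspect the ClientHello cipher suites as the reporter did.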
