cURL not respecting ciphers

jlhonora · Mar 13, 2015 · Viewed 8.3k times

I'd like to test the usage of certain ciphers with cURL, but it doesn't seem to respect the --ciphers option:

curl -vvv --tlsv1.0 --ciphers 'RC4-SHA' https://my.url.com/alive
* Hostname was NOT found in DNS cache
*   Trying ip...
* Connected to my.url.com (ip) port 443 (#0)
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.url.com
* Server certificate: DigiCert SHA2 Secure Server CA
* Server certificate: DigiCert Global Root CA
> GET /alive HTTP/1.1
> User-Agent: curl/7.37.1
> Host: my.url.com
> Accept: */*
> 
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Fri, 13 Mar 2015 20:33:46 GMT
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Status: 200 OK
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-UA-Compatible: chrome=1
< ETag: "561750c34ae7a13fe0c237e9fa9e3fbd"
< Cache-Control: max-age=0, private, must-revalidate
< X-Request-Id: da72f82b-32f9-4e43-8118-9e5122b9ab96
< X-Runtime: 0.025375
< Strict-Transport-Security: max-age=63072000
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< 
* Connection #0 to host my.url.com left intact
{"alive":true,"timestamp":"2015-03-13T20:33:46+00:00","requested_by":"myip"}

I know RC4-SHA is weak and should not be used, but that's why I want to test rejection with my server.

The allowed ciphers set up in Nginx are the following:

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
AES
CAMELLIA
DES-CBC3-SHA
!aNULL
!eNULL
!EXPORT
!DES
!RC4
!MD5
!PSK
!aECDH
!EDH-DSS-DES-CBC3-SHA
!EDH-RSA-DES-CBC3-SHA
!KRB5-DES-CBC3-SHA

Why does it change the algorithm to TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA? Shouldn't it just deny the connection?

This is the cURL version I'm using:

curl -V
curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz

Edit: it seems that the --ciphers option is ignored when using Apple's Secure Transport Layer in OS X.

Answer

Steffen Ullrich · Mar 13, 2015

From a (not very detailed) look at the source code of curl, I would suggest that the --ciphers option has no implementation for the SecureTransport back end (Mac OS X), i.e., no matter what you specify, it gets ignored.
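Two checks a practitioner would run before trusting a curl-based cipher test, written up as an added example (this is not code from the question, the answer, or the curl project). The first reads the TLS backend name out of `curl -V`, since --ciphers is only meaningful on a backend that implements it. The second applies the logic that settles the question asked above: a client that really offers a single suite can only end up with that suite or with a failed handshake, so a successful handshake with any other suite proves the option was ignored. Secure Transport prints IANA suite names and OpenSSL prints OpenSSL names, so a small heuristic rename bridges the two spellings. The sample `curl -V` and `-v` texts are constructed from the transcript on this page; `probe_server_cipher` is an assumed helper around `openssl s_client` for the server-side rejection test the asker wanted, and needs network access.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Sample inputs are constructed from the transcript on this page.

SAMPLE_CURL_V='curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz'

SAMPLE_VERBOSE='* Connected to my.url.com (ip) port 443 (#0)
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.url.com
> GET /alive HTTP/1.1'

# Print the TLS backend named right after "libcurl/<version>" on the first line of
# `curl -V`, stripping its version and any parentheses (multi-backend builds put the
# default backend there, e.g. "(SecureTransport) LibreSSL/2.8.3").
tls_backend() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        for (i = 1; i < NF; i++)
            if ($i ~ /^libcurl\//) { b = $(i + 1); gsub(/[()]/, "", b); sub(/\/.*/, "", b); print b; exit }
    }'
}

# What this page establishes about --ciphers per backend: "no" for Secure Transport
# (the answer above), "yes" for the OpenSSL family, "unknown" otherwise rather than a guess.
ciphers_option_honoured_by() {
    case "$1" in
        SecureTransport)            echo no ;;
        OpenSSL|LibreSSL|BoringSSL) echo yes ;;
        *)                          echo unknown ;;
    esac
}

# Print the negotiated suite from a `curl -v` transcript. Secure Transport prints
# "* TLS 1.0 connection using <IANA name>"; OpenSSL builds print
# "* SSL connection using <proto> / <OpenSSL name>" (newer curl appends more " / " fields).
negotiated_suite() {
    printf '%s\n' "$1" | awk '/^\* .*connection using / {
        sub(/.*connection using /, "")
        n = split($0, f, " / ")
        s = (f[1] ~ /^(TLS|SSL)v/ && n > 1) ? f[2] : f[1]
        print s; exit
    }'
}

# Rewrite an IANA suite name (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) into OpenSSL spelling
# (ECDHE-RSA-AES128-SHA) so a Secure Transport transcript can be compared with the
# OpenSSL-style --ciphers argument. Heuristic: right for the RC4 and AES suites in the
# nginx list above, not for 3DES; names already in OpenSSL form pass through unchanged.
to_openssl_name() {
    printf '%s\n' "$1" | sed -e 's/^TLS_//' -e 's/_WITH_/_/' -e 's/_CBC_/_/' \
        -e 's/RC4_128/RC4/' -e 's/AES_128/AES128/' -e 's/AES_256/AES256/' \
        -e 's/_/-/g' -e 's/^RSA-//'
}

# $1: the single suite passed to --ciphers; $2: the suite from the transcript, empty if
# no handshake line was found. Exit 0 if the outcome is consistent with the client having
# offered only $1, exit 1 if the client demonstrably offered something else.
request_was_honoured() {
    [ -z "$2" ] && return 0   # no handshake: what a strict single-suite offer looks like when refused
    if [ "$(to_openssl_name "$1")" = "$(to_openssl_name "$2")" ]; then
        return 0
    fi
    return 1
}

# Assumed helper for the server-side test the asker wanted, using openssl s_client instead
# of a curl that ignores --ciphers. Needs network access; not exercised by the samples here.
# Prints "rejected", "unavailable-locally" (the local openssl lacks the suite) or "accepted <suite>".
probe_server_cipher() {
    host=$1; port=${2:-443}; suite=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -cipher "$suite" </dev/null 2>&1 || true)
    case "$out" in
        *"no cipher match"*)                                  echo unavailable-locally ;;
        *"Cipher is (NONE)"*|*"handshake failure"*)           echo rejected ;;
        *) echo "accepted $(printf '%s\n' "$out" | sed -n 's/.*Cipher is \(.*\)/\1/p')" ;;
    esac
}

# Run the two offline checks against the page's own transcript.
backend=$(tls_backend "$SAMPLE_CURL_V")
suite=$(negotiated_suite "$SAMPLE_VERBOSE")
echo "backend: $backend (--ciphers honoured: $(ciphers_option_honoured_by "$backend"))"
if request_was_honoured RC4-SHA "$suite"; then
    echo "negotiated $suite: consistent with --ciphers RC4-SHA"
else
    echo "negotiated $suite: --ciphers RC4-SHA was ignored by the client"
fi
```

Against a real binary, feed it live output instead of the samples: `tls_backend "$(curl -V)"` and `negotiated_suite "$(curl -v --ciphers RC4-SHA https://my.url.com/alive 2>&1)"`. On the build shown in the question the verdict is "ignored by the client", which is why a successful handshake there says nothing about whether nginx would refuse RC4-SHA; `probe_server_cipher my.url.com 443 RC4-SHA` asks the server directly, as long as the local openssl still ships that suite.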