Specifying TLS Cipher with curl TransportOption
David Wen Riccardi-Zhu
davidwen.riccardizhu at gooduncle.com
Tue Jun 2 12:09:30 UTC 2020
Looking for some insights into using TransportOptions to specify a curl
cipher list for an IdP.
After adding an IdP MetadataProvider yesterday, I found this output in my
Shibboleth SP3 logs:
2020-06-01 18:15:47 ERROR XMLTooling.libcurl.InputStream : error while fetching https://idp-url-here: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
2020-06-01 18:15:47 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: internal error in NetAccessor
2020-06-01 18:15:47 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://idp-url-here): XML error(s) during parsing, check log for specifics
My understanding is that the "dh key too small" error is due to this
vulnerability: https://weakdh.org/, and I have informed the IdP accordingly.
In the meantime, I'm trying to see if I can use TransportOptions to get
around the error for this IdP.
After looking up the IdP with https://www.ssllabs.com/ssltest/, I found
that only a couple of their ciphers are still considered secure:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
I then looked at this curl option:
https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
Which I understand to be option number 83:
https://github.com/curl/curl/blob/master/include/curl/curl.h#L1257
Therefore, I crafted this TransportOption, which I set as a child of the
IdP MetadataProvider:
<TransportOption provider="CURL" option="83">ecdhe_rsa_aes_128_gcm_sha_256</TransportOption>
(I'm on CentOS, which uses NSS, hence the lowercase cipher name).
However, when this configuration is loaded, I get the following in the logs:
2020-06-01 19:49:17 ERROR XMLTooling.libcurl.InputStream : failed to set CURL transport option (83)
Then, the same error as above.
I'm wondering if there's anything I'm doing wrong, or if anyone has any
insights into either resolving the error or determining why the option is
not being set.
Thank you,
David
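Added example (editor's, not part of David's post or of the Shibboleth project's documentation) showing the TransportOption form that XMLTooling's CURL transport expects. XMLTooling decides how to pass the value to curl_easy_setopt from the option number itself: numbers below 10000 are set as a long, 10000 to 19999 as a string. CURLOPT_SSL_CIPHER_LIST is defined in curl.h as string option 83, i.e. numeric value 10083, so option="83" is handed to libcurl as an unknown long option and fails, which is what "failed to set CURL transport option (83)" reports. The cipher names below use OpenSSL's spelling because the "error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small" string in the log is OpenSSL's error format; a libcurl built against NSS takes the lowercase NSS form instead (ecdhe_rsa_aes_128_gcm_sha_256). The backingFilePath, reloadInterval and signing-certificate path are assumed values for illustration.

```xml
<!-- Editor's example, not from the original post. Paths and reload interval
     are assumptions; replace them with the values for your deployment. -->
<MetadataProvider type="XML" validate="true"
                  url="https://idp-url-here"
                  backingFilePath="idp-metadata.xml"
                  reloadInterval="7200">

    <!-- CURLOPT_SSL_CIPHER_LIST: curl option 83 of the string type, whose
         type offset is 10000, so XMLTooling needs 10083 here (83 alone is
         passed as a long and rejected). Listing only ECDHE suites means the
         client never offers a DHE suite, so the IdP's undersized DH group is
         never negotiated. OpenSSL spelling; use the NSS form for NSS builds. -->
    <TransportOption provider="CURL" option="10083">ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384</TransportOption>

    <!-- Keep verifying the metadata signature: narrowing the TLS cipher list
         changes transport negotiation only, not trust in the document. -->
    <MetadataFilter type="Signature" certificate="idp-signing.pem" verifyBackup="false"/>
</MetadataProvider>
```

Before reloading shibd, confirm the IdP actually completes a handshake with only those suites offered, for example with openssl s_client -connect idp-host:443 -cipher 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384' </dev/null, or with curl --ciphers '...' against the metadata URL using the same libcurl shibd links against. After the reload, the "failed to set CURL transport option" line should no longer appear in shibd.log. This is a client-side workaround only: the IdP is still offering a weak DH group to every other client until it fixes its server configuration.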