Specifying TLS Cipher with curl TransportOption

David Wen Riccardi-Zhu davidwen.riccardizhu at gooduncle.com
Tue Jun 2 12:09:30 UTC 2020

Looking for some insights into using TransportOptions to specify a curl
cipher list for an IdP.

After adding an IdP MetadataProvider yesterday, I found this output in my
Shibboleth SP3 logs:

2020-06-01 18:15:47 ERROR XMLTooling.libcurl.InputStream : error while
fetching https://idp-url-here: (35) error:141A318A:SSL
routines:tls_process_ske_dhe:dh key too small
2020-06-01 18:15:47 ERROR XMLTooling.ParserPool : fatal error on line 0,
column 0, message: internal error in NetAccessor
2020-06-01 18:15:47 ERROR OpenSAML.MetadataProvider.XML : error while
loading resource (https://idp-url-here): XML error(s) during parsing, check
log for specifics

My understanding is that the "dh key too small" error is due to this
vulnerability: https://weakdh.org/, and I have informed the IdP accordingly.
In the meantime, I'm trying to see if I can use TransportOptions to get
around the error for this IdP.

After looking up the IdP with https://www.ssllabs.com/ssltest/, I found
that only a couple of their ciphers are still considered secure:


I then looked at this curl option:

Which I understand to be option number 83:

Therefore, I crafted this TransportOption, which I set as a child of the
IdP MetadataProvider:
<TransportOption provider="CURL"

(I'm on CentOS, which uses NSS, hence the lowercase cipher name).

However, when this configuration is loaded, I get the following in the logs:

2020-06-01 19:49:17 ERROR XMLTooling.libcurl.InputStream : failed to set
CURL transport option (83)

Then, the same error as above.

I'm wondering if there's anything I'm doing wrong, or if anyone has any
insights into either resolving the error or determining why the option is
not being set.

Thank you,


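The numeric value that goes in the TransportOption option= attribute is the full CURLOPT_* constant, and libcurl's curl.h builds every such constant as a type prefix plus an ordinal: CURLOPTTYPE_LONG is 0, CURLOPTTYPE_OBJECTPOINT (which string options share) is 10000, so CURLOPT_SSL_CIPHER_LIST is 10000 + 83 = 10083, not 83 on its own, and 83 by itself falls in the range curl numbers for long-valued options. The helper below, added here as an example and not code from the original post or from the Shibboleth project, encodes a few TLS-related option names the way curl.h does and emits the matching TransportOption element. The type prefixes and ordinals are copied from curl.h; the cipher string is a constructed sample in OpenSSL syntax (the error text quoted in the post is in OpenSSL's format), and it deliberately lists only ECDHE suites so the ClientHello offers no DHE suite and the server never has to send a DHE ServerKeyExchange at all. The cipher-string syntax must match the TLS backend of the libcurl that shibd actually loads, which is the one thing this script cannot check for you.

```python
"""
Encode libcurl option names into the single integer that a Shibboleth SP
<TransportOption provider="CURL" option="..."> element carries.

Added example; not code from the Shibboleth project or the original post.
Type prefixes and ordinals below are copied from libcurl's curl/curl.h.
"""
from xml.sax.saxutils import escape

# Type prefixes from curl/curl.h: each CURLOPT_* value is prefix + ordinal.
CURLOPTTYPE_LONG = 0
CURLOPTTYPE_OBJECTPOINT = 10000
CURLOPTTYPE_FUNCTIONPOINT = 20000
CURLOPTTYPE_OFF_T = 30000
CURLOPTTYPE_BLOB = 40000
CURLOPTTYPE_STRINGPOINT = CURLOPTTYPE_OBJECTPOINT  # strings are pointers

# (type prefix, ordinal) for some TLS-related options, as declared in curl.h.
CURLOPTS = {
    "SSLVERSION": (CURLOPTTYPE_LONG, 32),
    "SSL_VERIFYPEER": (CURLOPTTYPE_LONG, 64),
    "SSL_VERIFYHOST": (CURLOPTTYPE_LONG, 81),
    "SSL_OPTIONS": (CURLOPTTYPE_LONG, 216),
    "CAINFO": (CURLOPTTYPE_STRINGPOINT, 65),
    "SSL_CIPHER_LIST": (CURLOPTTYPE_STRINGPOINT, 83),
    "CAPATH": (CURLOPTTYPE_STRINGPOINT, 97),
    "TLS13_CIPHERS": (CURLOPTTYPE_STRINGPOINT, 276),
}

# Constructed sample: OpenSSL-syntax cipher string with ECDHE suites only,
# so no DHE suite is offered and no DHE ServerKeyExchange can be received.
SAMPLE_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"


def curlopt_value(name):
    """Full numeric CURLOPT_<name> value: type prefix + ordinal."""
    prefix, ordinal = CURLOPTS[name]
    return prefix + ordinal


def option_type(value):
    """The argument type libcurl's numbering implies for a numeric option."""
    if value < CURLOPTTYPE_OBJECTPOINT:
        return "long"
    if value < CURLOPTTYPE_FUNCTIONPOINT:
        return "string"          # object/string pointer range
    if value < CURLOPTTYPE_OFF_T:
        return "function"
    if value < CURLOPTTYPE_BLOB:
        return "off_t"
    return "blob"


def transport_option_xml(name, value):
    """Render the TransportOption element for CURLOPT_<name> with `value`."""
    num = curlopt_value(name)
    return (
        f'<TransportOption provider="CURL" option="{num}">'
        f"{escape(str(value))}</TransportOption>"
    )


if __name__ == "__main__":
    # Bare ordinal versus full constant: 83 sits in the long-valued range.
    print("83    ->", option_type(83))
    print("10083 ->", option_type(curlopt_value("SSL_CIPHER_LIST")))
    print(transport_option_xml("SSL_CIPHER_LIST", SAMPLE_CIPHERS))
```

Run it and paste the printed element as a child of the MetadataProvider; the text content is XML-escaped, so a cipher string containing `!` or `<`-style characters is safe to drop in. To add further options, copy the type prefix and ordinal from the CURLOPT_ declaration in curl.h rather than the bare ordinal.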