Issue
Small question regarding a curl command on a TLSV1.3 endpoint, and the error "OpenSSL was built without TLS 1.3 support".
The endpoint is a third party endpoint I have no control over, but from the spec, is TLSv1.3 enabled.
Hence, if I curl like this, it will yield the error, which is somewhat expected:
./curl -vik https://third-party.com:18090/health
* Trying x:18090...
* Connected to third-party.com (x) port 18090 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, protocol version (582):
* error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
* Closing connection 0
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
But I also tried this (note the --tlsv1.3), and it is returning this error:
curl --tlsv1.3 -vik https://third-party.com:18090/health
* Trying x:18090...
* Connected to third-party.com (x) port 18090 (#0)
* OpenSSL was built without TLS 1.3 support
* Closing connection 0
curl: (4) OpenSSL was built without TLS 1.3 support
The thing is, I haven't built openssl, I just did yum -y install -y openssl openssl-devel
May I ask how can I make my curl work with tlsv1.3, or how to fix this issue please?
Thank you
Solution
The wording "OpenSSL was built without TLS 1.3 support" may be misleading. It actually means this particular curl was built to use OpenSSL for SSL/TLS protocol (not one of several other options) AND the version of OpenSSL being used does not support TLS1.3. Looking at your error message it is clearly from an OpenSSL version below 1.1.0 (released in 2016), and it is certainly correct that such versions do not support TLS1.3. Only OpenSSL 1.1.1 (2018) now supports TLS1.3 (3.0.0, currently in alpha, also will).
You can't make that curl do TLS1.3. Since you are apparently using a RedHat-family system of some kind, depending on which system it is there may be other curl builds available either in a standard repository or an optional one. If not, you'll need to get OpenSSL 1.1.1 which again may be available in a repository or else you'll have to build from source, and then build (sufficiently recent) curl from source to use that OpenSSL.
An alternative approach, instead of getting this to work directly on your system, is to use another system: either a real system, possibly in the cloud; or a virtual machine on your system; or a docker or similar container which basically virtualizes only the OS but not the underlying hardware.
Answered By - dave_thompson_085 Answer Checked By - David Marino (WPSolving Volunteer)
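As an added example (not part of the question or the answer above, and not curl's or OpenSSL's own tooling), the shell snippet below does the check the answer describes: it reads the OpenSSL version out of the first line of `curl --version` and decides whether that build can speak TLS 1.3, using the answer's rule that OpenSSL 1.1.1 is the first release with TLS 1.3 support (3.x also has it). The banner lines used for the self-test are constructed samples, not output captured from a real system.

```shell
#!/bin/sh
# Added example: decide, from version strings only, whether a curl build's OpenSSL
# can negotiate TLS 1.3. Rule (from the answer above): OpenSSL >= 1.1.1, including
# 3.x, supports TLS 1.3; 1.1.0 and older, including the 1.0.2 line, do not.

# Pull the OpenSSL version out of a `curl --version` banner line.
# Prints e.g. "1.0.2k-fips" or "1.1.1k"; prints nothing when curl is linked against
# another TLS library (NSS, GnuTLS, ...), where this rule does not apply.
curl_openssl_version() {
    printf '%s\n' "$1" | sed -n 's#.*OpenSSL/\([0-9][0-9A-Za-z.-]*\).*#\1#p'
}

# Return 0 (true) if an OpenSSL version such as "1.0.2k-fips" or "3.0.7" is >= 1.1.1.
openssl_supports_tls13() {
    ver=$1
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Third component may carry a patch letter or suffix ("2k-fips"); keep digits only.
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -z "$minor" ] && minor=0
    [ -z "$patch" ] && patch=0
    [ "$major" -ge 3 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Combine both: 0 = this curl can do TLS 1.3, 1 = its OpenSSL is too old,
# 2 = not an OpenSSL build at all (check the other library's own support instead).
curl_can_tls13() {
    v=$(curl_openssl_version "$1")
    [ -z "$v" ] && return 2
    openssl_supports_tls13 "$v"
}

# Constructed sample banners (not captured from any real machine), for self-testing.
OLD_BANNER='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 OpenSSL/1.0.2k-fips zlib/1.2.7'
NEW_BANNER='curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1k zlib/1.2.11'
NSS_BANNER='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7'

# Report on the curl actually installed on this machine, if there is one.
banner=$(curl --version 2>/dev/null | head -n 1)
if [ -n "$banner" ]; then
    rc=0
    curl_can_tls13 "$banner" || rc=$?
    case $rc in
        0) echo "TLS 1.3 available: $banner" ;;
        1) echo "OpenSSL too old for TLS 1.3 (need 1.1.1+): $banner" ;;
        2) echo "Not an OpenSSL build, rule does not apply: $banner" ;;
    esac
fi
```

Running the script on the asker's box would print the "OpenSSL too old" line, which is the real meaning of curl's "OpenSSL was built without TLS 1.3 support" message; the same version test can be pointed at `openssl version` output before building curl against a newer OpenSSL.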