# SSL/TLS cipher negotiation with cURL
SSL/TLS cipher negotiation with cURL involves inspecting, verifying, and controlling the specific cryptographic algorithms (cipher suites) used during a secure connection.^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md] This process relies on the underlying OpenSSL library to define security parameters for protocols like [[SSL]] and [[TLS]].
## Cipher suite inspection
To see which cipher suite a server negotiates (and, by offering it restricted lists, which suites it supports), the openssl s_client command is commonly used to connect to a specific port (e.g., 443 for HTTPS)^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md]. The negotiated protocol and suite are printed after the handshake:

```bash
openssl s_client -connect www.google.com:443
```
You can also list the cipher suites available to the OpenSSL client itself (`-s` restricts the output to suites the library actually supports; `-psk` and `-srp` include the pre-shared-key and SRP suites)^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md]:

```bash
openssl ciphers -s -psk -srp
```
## Controlling ciphers in cURL
When making requests with cURL, you can manually enforce specific cipher suites to ensure only certain encryption algorithms are used^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md]. This is done using the --ciphers flag.
For example, to force the connection to use ECDHE-ECDSA-AES128-GCM-SHA256 with a maximum TLS version of 1.2:

```bash
curl -s -S -v -o /dev/null --no-progress-meter --tls-max 1.2 --ciphers ECDHE-ECDSA-AES128-GCM-SHA256 https://www.google.com
```

The `--tls-max 1.2` is not incidental: `--ciphers` only governs TLS 1.2 and earlier. TLS 1.3 suites (names of the form TLS_AES_256_GCM_SHA384) are selected with the separate `--tls13-ciphers` flag, so without capping the version the server may negotiate TLS 1.3 and ignore the `--ciphers` list entirely. The `-v` output line `SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256` is the check that the pin took effect.
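As an added example (not part of the original note, and not curl's or OpenSSL's own code), the following Python wraps the workflow above: it parses the `SSL connection using ...` line from curl's verbose output, builds the right curl arguments for pinning a suite (`--ciphers` for TLS 1.2 and below, `--tls13-ciphers` for TLS 1.3 names), and screens a suite name against a minimal policy (forward secrecy, AEAD, no legacy algorithms). The sample stderr text is constructed; the `probe` function needs network access and is not exercised here.

```python
import re
import subprocess

# Constructed sample of what `curl -v` writes to stderr (OpenSSL backend); not from a real run.
SAMPLE_CURL_STDERR = """\
* Connected to www.google.com (192.0.2.10) port 443 (#0)
* ALPN, offering h2
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
*  subject: CN=www.google.com
"""

# curl prints the negotiated protocol and suite on one line for TLS 1.2 and 1.3 alike.
CIPHER_LINE = re.compile(r"SSL connection using (TLSv1\.[0-3]) / (\S+)")

LEGACY = ("RC4", "DES", "MD5", "NULL", "EXP-", "ADH", "AECDH")  # substrings no policy should accept
AEAD = ("GCM", "CHACHA20", "CCM")


def negotiated(curl_stderr):
    """Return (protocol, suite) from curl's verbose output, or None if no TLS line is present."""
    m = CIPHER_LINE.search(curl_stderr)
    return (m.group(1), m.group(2)) if m else None


def assess(suite):
    """List policy findings for one OpenSSL-style suite name; an empty list means it passes."""
    findings = []
    if suite.startswith("TLS_"):  # TLS 1.3 suites are always (EC)DHE and always AEAD
        return findings
    if not suite.startswith(("ECDHE-", "DHE-")):
        findings.append("no forward secrecy")
    if not any(tag in suite for tag in AEAD):
        findings.append("not AEAD")
    findings += ["legacy algorithm: " + tag for tag in LEGACY if tag in suite.upper()]
    return findings


def curl_pin_args(url, suite):
    """argv that forces one suite: TLS 1.3 names need --tls13-ciphers, --ciphers covers <= 1.2."""
    if suite.startswith("TLS_"):
        return ["curl", "-sSv", "-o", "/dev/null", "--tlsv1.3", "--tls13-ciphers", suite, url]
    return ["curl", "-sSv", "-o", "/dev/null", "--tls-max", "1.2", "--ciphers", suite, url]


def probe(url, suite):
    """Run curl for one suite and report (server accepted it, policy findings). Needs network."""
    proc = subprocess.run(curl_pin_args(url, suite), capture_output=True, text=True)
    got = negotiated(proc.stderr)
    return (got is not None and got[1] == suite, assess(suite))


if __name__ == "__main__":
    print(negotiated(SAMPLE_CURL_STDERR), assess("ECDHE-ECDSA-AES128-GCM-SHA256"))
    print(assess("ECDHE-RSA-RC4-SHA"), assess("AES128-SHA"))
```

Feeding the output of `openssl ciphers -s` to `probe` one suite at a time enumerates which of the client's suites a server will actually negotiate, with each accepted suite already annotated by `assess`.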
## Supported algorithms
The underlying cryptographic library supports a wide range of algorithms that define the potential ciphers available for negotiation^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md]. These include:
- Encryption: AES, Blowfish, ChaCha20, DES, IDEA, RC4, TDES.
- Hash Functions: MD5, SHA-1, SHA-2, SHA-3, RIPEMD-160, Whirlpool.
- Public Key: RSA, DSA, ECDSA, ECDHE, Ed25519.
## Related concepts
- [[SSL]]
- [[TLS]]
- [OpenSSL](<./openssl.md>)
## Sources
^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md]