tls13 cipher list

[jgilbert2017]

using profile chrome136.

I've got a site that uses http3 and sits behind CF.

libcurl-impersonate fails the fingerprint unless i force tls13 only via CURLOPT_SSL_VERSION = TLSv1_3.

the default is tls12 | MAX which does tls13 with tls12 fallback.

i think what is happening is that the initial http3 handshake used a different (tls13 specific) cipher suite and forcing TLSv13 actually just uses the default curl tls13 cipher suite which happens to pass the fingerprint check.

curl has CURLOPT_TLS13_CIPHERS but it fails NOT_BUILT_IN if i try to use it to.

my thought is that probably the impersonate profile could use a .tls13_ciphers field that gets passed to CURLOPT_TLS13_CIPHERS so that http3 initiated sessions can be easily used.

[lexiforest]

Hi, could you please clarify a few things?

• Are you using the latest version, some recent versions are broken in terms of http/3
• You can force http/3 with something like http3_only option, and yes, http3 forces tls13

[jgilbert2017]

yes, using latest version 1.2.0 on linux.

my observations are:

• call impersonate() w/o setting HTTP_VERSION of SSL_VERSION
  RESULT http2 connection, fngerprint bad (403)

• call Impersonate() followed by CURLOPT_HTTP_VERSION = HTTP_VERSION_3ONLY (and not setting CURLOPT_SSL_VERSION = TLSv1_3)
  RESULT SSL connection fails "QUIC needs at least TLS version 1.3"

• call Impersonate() followed by CURLOPT_HTTP_VERSION = HTTP_VERSION_3ONLY (and setting CURLOPT_SSL_VERSION = TLSv1_2 | MAX)
  RESULT http3 connection fingerprint good

• CURLOPT_HTTP_VERSION = HTTP_VERSION_3ONLY (and not setting CURLOPT_SSL_VERSION = TLSv1_3) followed by Impersonate()
  RESULT SSL connection succeeds with HTTP2 (assuming the patch overrides the http version?) but fingerprint bad (403)

• call Impersonate() followed by CURLOPT_SSL_VERSION = TLSv1_3)
  RESULT: http2 connection fingerprint good

So what I take from this is that probably the initial CF fingerprint is keyed off of the TLS13 ciphers of chrome rather than the SSL ciphers.