curl's output indicates TLSv1.3 (OUT), TLS handshake, Client hello (1) when I use --tlsv1.3 to force TLSv1.3:
$ curl -6 --tlsv1.3 --tls13-ciphers TLS_AES_256_GCM_SHA384 -vL https://icanhazip.com
* Trying 2606:4700::6812:7261:443...
* TCP_NODELAY set
* Connected to icanhazip.com (2606:4700::6812:7261) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLS 1.3 cipher selection: TLS_AES_256_GCM_SHA384
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Apr 7 00:00:00 2023 GMT
* expire date: Apr 6 23:59:59 2024 GMT
* subjectAltName: host "icanhazip.com" matched cert's "icanhazip.com"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55eab1370300)
> GET / HTTP/2
> Host: icanhazip.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< date: Tue, 19 Sep 2023 15:25:06 GMT
< content-type: text/plain
< content-length: 39
< access-control-allow-origin: *
< access-control-allow-methods: GET
< set-cookie: ...; path=/; expires=Tue, 19-Sep-23 15:55:06 GMT; domain=.icanhazip.com; HttpOnly; Secure; SameSite=None
< server: cloudflare
< cf-ray: ...
< alt-svc: h3=":443"; ma=86400
<
2001:...
* Connection #0 to host icanhazip.com left intact
$
However, when I check the packets with tshark, the first "Client Hello" is shown as "TLSv1". The subsequent records show TLSv1.3.
$ tshark -i wlo1 -Y "tls"
Capturing on 'wlo1'
6 0.104130915 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1 341 Client Hello
8 0.155371691 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 2726 Server Hello, Change Cipher Spec, Application Data
10 0.155931670 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 166 Change Cipher Spec, Application Data
11 0.156028365 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 181 Application Data, Application Data
12 0.156320000 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 181 Application Data, Application Data
15 0.204002604 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 655 Application Data, Application Data
16 0.204002660 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 439 Application Data
17 0.204181004 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 117 Application Data
18 0.204188232 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 156 Application Data
19 0.204188303 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 117 Application Data
21 0.204599136 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 110 Application Data
^C11 packets captured
Why is there a difference between the two outputs?

My initial problem was with curl and --tlsv1.3: without --tlsv1.3 I receive an HTTP 403 response, even though curl's output shows TLSv1.3. But first I need to understand this difference.