What were you trying to do that didn't work?

curl doesn't follow system-wide crypto policy regarding allowed TLS version.

What is the impact of this issue to you?

The issue affects RHEL 10.0 Common Criteria certification.

Please provide the package NVR for which the bug is seen:

RHEL 10.0 RPMs:

libcurl-8.9.1-5.el10.x86_64
curl-8.9.1-5.el10.x86_64

The same issue also impacts RHEL 10.1:

libcurl-8.12.1-2.el10.x86_64
curl-8.12.1-2.el10.x86_64

RHEL 9.6:

libcurl-7.76.1-31.el9.x86_64
curl-7.76.1-31.el9.x86_64

and RHEL 9.7:

libcurl-7.76.1-34.el9.x86_64
curl-7.76.1-34.el9.x86_64

On RHEL 9.4 this is not an issue and it has the following curl versions:

libcurl-7.76.1-29.el9_4.x86_64
curl-7.76.1-29.el9_4.x86_64

How reproducible is this bug?:

deterministic

Steps to reproduce

1.  Modify system-wide crypto policy to FIPS:OSPP (which only allows TLS 1.2 connections):

   # update-crypto-policies --set FIPS:OSPP
   # grep -E "^TLS\.(Min|Max)Protocol" /etc/crypto-policies/back-ends/opensslcnf.config
   TLS.MinProtocol = TLSv1.2
   TLS.MaxProtocol = TLSv1.2
   

1. Generate certificates and run openssl s_server to test TLS connections:

   # openssl req -x509 -newkey rsa:3072 -nodes -keyout key.pem -out cert.pem -days 1 -subj "/CN=localhost"
   # openssl s_server -accept 8443 -cert cert.pem -key key.pem -cipher 'DHE-RSA-AES256-GCM-SHA384' -www
   

1. In other terminal window on the same system try to connect to the s_server and observe that curl performs TLS 1.3 connection and then errors out since there are no TLS 1.3 ciphersuites enabled:

   # curl -vk https://localhost:8443
   * Host localhost:8443 was resolved.
   * IPv6: ::1
   * IPv4: 127.0.0.1
   *   Trying [::1]:8443...
   * Connected to localhost (::1) port 8443
   * ALPN: curl offers h2,http/1.1
   * TLSv1.3 (OUT), TLS alert, internal error (592):
   * OpenSSL/3.2.2: error:0A0000B5:SSL routines::no ciphers available
   * closing connection #0
   curl: (35) OpenSSL/3.2.2: error:0A0000B5:SSL routines::no ciphers available
   # echo $?
   35
   

   Note: Forcing curl to use TLS 1.2 or using DEFAULT crypto policy works, e.g.:

   # curl -vk --tlsv1.2 --tls-max 1.2 https://localhost:8443
    * Host localhost:8443 was resolved.
    * IPv6: ::1
    * IPv4: 127.0.0.1
    * Trying [::1]:8443...
    * Connected to localhost (::1) port 8443
    * ALPN: curl offers h2,http/1.1
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384 / [blank] / RSASSA-PSS
    * ALPN: server did not agree on a protocol. Uses default.
    * Server certificate:
    * subject: CN=localhost
    * start date: Oct 8 07:47:08 2025 GMT
    * expire date: Oct 9 07:47:08 2025 GMT
    * issuer: CN=localhost
    * SSL certificate verify result: self-signed certificate (18), continuing anyway.
    * Certificate level 0: Public key type RSA (3072/128 Bits/secBits), signed using sha256WithRSAEncryption
    * using HTTP/1.x
   > GET / HTTP/1.1
   > Host: localhost:8443
   > User-Agent: curl/8.9.1
   > Accept: */*
   >
    * Request completely sent off
    * HTTP 1.0, assume close after body
   < HTTP/1.0 200 ok
   < Content-type: text/html
   < 
   <HTML><BODY BGCOLOR="#ffffff">
   <pre>
   
   s_server -accept 8443 -cert cert.pem -key key.pem -cipher DHE-RSA-AES256-GCM-SHA384 -www 
   Secure Renegotiation IS supported
   Ciphers supported in s_server binary
   TLSv1.2 :DHE-RSA-AES256-GCM-SHA384 
   —
   Ciphers common between both SSL end points:
   DHE-RSA-AES256-GCM-SHA384
   Signature Algorithms: ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
   Shared Signature Algorithms: ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
   Supported groups: secp521r1:secp384r1
   Shared groups: secp521r1:secp384r1
   —
   New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
   SSL-Session:
   Protocol : TLSv1.2
   Cipher : DHE-RSA-AES256-GCM-SHA384
   Session-ID: 90E5C366E895D31A9AEE0EF514980097FEFA6CB05355E4487E596B4D0C021D11
   Session-ID-ctx: 01000000
   Master-Key: 2366F7A7B4DC96F19CB6F9B03E990BE936E8301BA2807AA441483319677FBA9A554324A76140DE3E3A061C13AB8950E1
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1759916424
   Timeout : 7200 (sec)
   Verify return code: 0 (ok)
   Extended master secret: yes
   —
   1 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   2 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
   —
   no client certificate available
   </pre></BODY></HTML>
    * TLSv1.2 (IN), TLS alert, close notify (256):
    * shutting down connection #0
    * TLSv1.2 (OUT), TLS alert, close notify (256):
    # echo $?
   0
   

   Also using s_client works without any issues:

    # openssl s_client -connect localhost:8443
   

Expected results

curl connects to the server and uses TLS 1.2 protocol as required by the system-wide crypto policy.

Actual results

curl fails to connect to the server and uses TLS 1.3 protocol even though the system-wide crypto policy requires TLS 1.2 to be used.