setopt: add TLS 1.3 ciphersuites

Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS.

curl: added --tls13-ciphers and --proxy-tls13-ciphers

Fixes #2435
Reported-by: zzq1015 on github
Closes #2607

19 files changed, 260 insertions, 11 deletions

diff --git a/docs/CIPHERS.md b/docs/CIPHERS.md
index e09533b0d..99d9f7dc7 100644
--- a/docs/CIPHERS.md
+++ b/docs/CIPHERS.md
@@ -142,6 +142,16 @@ libcurl was built to use. This is an attempt to list known cipher names.
 `ECDHE-RSA-CAMELLIA128-SHA256`
 `ECDHE-RSA-CAMELLIA256-SHA384`
 
+### TLS 1.3 cipher suites
+
+(Note: the TLS 1.3 cipher suites are set with a separate option.)
+
+`TLS13-AES-256-GCM-SHA384`
+`TLS13-CHACHA20-POLY1305-SHA256`
+`TLS13-AES-128-GCM-SHA256`
+`TLS13-AES-128-CCM-8-SHA256`
+`TLS13-AES-128-CCM-SHA256`
+
 ## NSS
 
 ### Totally insecure
diff --git a/docs/cmdline-opts/Makefile.inc b/docs/cmdline-opts/Makefile.inc
index fb56d2552..67fe1a04b 100644
--- a/docs/cmdline-opts/Makefile.inc
+++ b/docs/cmdline-opts/Makefile.inc
@@ -47,6 +47,6 @@ DPAGES = abstract-unix-socket.d anyauth.d append.d basic.d cacert.d capath.d cer
   tlsv1.3.d tlsv1.d trace-ascii.d trace.d trace-time.d tr-encoding.d    \
   unix-socket.d upload-file.d url.d use-ascii.d user-agent.d user.d     \
   verbose.d version.d write-out.d xattr.d request-target.d              \
-  styled-output.d
+  styled-output.d tls13-ciphers.d proxy-tls13-ciphers.d
 
 OTHERPAGES = page-footer page-header
diff --git a/docs/cmdline-opts/proxy-tls13-ciphers.d b/docs/cmdline-opts/proxy-tls13-ciphers.d
new file mode 100644
index 000000000..3e35b0764
--- /dev/null
+++ b/docs/cmdline-opts/proxy-tls13-ciphers.d
@@ -0,0 +1,12 @@
+Long: proxy-tls13-ciphers
+Arg: <ciphersuite list>
+help: TLS 1.3 proxy cipher suites
+Protocols: TLS
+---
+Specifies which cipher suites to use in the connection to your HTTPS proxy
+when it negotiates TLS 1.3. The list of ciphers suites must specify valid
+ciphers. Read up on TLS 1.3 cipher suite details on this URL:
+
+ https://curl.haxx.se/docs/ssl-ciphers.html
+
+If this option is used several times, the last one will be used.
diff --git a/docs/cmdline-opts/tls13-ciphers.d b/docs/cmdline-opts/tls13-ciphers.d
new file mode 100644
index 000000000..add161595
--- /dev/null
+++ b/docs/cmdline-opts/tls13-ciphers.d
@@ -0,0 +1,12 @@
+Long: tls13-ciphers
+Arg: <list of TLS 1.3 ciphersuites>
+help: TLS 1.3 cipher suites to use
+Protocols: TLS
+---
+Specifies which cipher suites to use in the connection if it negotiates TLS
+1.3. The list of ciphers suites must specify valid ciphers. Read up on TLS 1.3
+cipher suite details on this URL:
+
+ https://curl.haxx.se/docs/ssl-ciphers.html
+
+If this option is used several times, the last one will be used.
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index bdaf59f6c..317c7a646 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -548,6 +548,10 @@ Identify EGD socket for entropy. See \fICURLOPT_EGDSOCKET(3)\fP
 Ciphers to use. See \fICURLOPT_SSL_CIPHER_LIST(3)\fP
 .IP CURLOPT_PROXY_SSL_CIPHER_LIST
 Proxy ciphers to use. See \fICURLOPT_PROXY_SSL_CIPHER_LIST(3)\fP
+.IP CURLOPT_TLS13_CIPHERS
+TLS 1.3 cipher suites to use. See \fICURLOPT_TLS13_CIPHERS(3)\fP
+.IP CURLOPT_PROXY_TLS13_CIPHERS
+Proxy TLS 1.3 cipher suites to use. See \fICURLOPT_PROXY_TLS13_CIPHERS(3)\fP
 .IP CURLOPT_SSL_SESSIONID_CACHE
 Disable SSL session-id cache. See \fICURLOPT_SSL_SESSIONID_CACHE(3)\fP
 .IP CURLOPT_SSL_OPTIONS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3 b/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3
new file mode 100644
index 000000000..372bdeb38
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_PROXY_TLS13_CIPHERS.3
@@ -0,0 +1,63 @@
+.\" **************************************************************************
+.\" *                                  _   _ ____  _
+.\" *  Project                     ___| | | |  _ \| |
+.\" *                             / __| | | | |_) | |
+.\" *                            | (__| |_| |  _ <| |___
+.\" *                             \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_PROXY_TLS13_CIPHERS 3 "25 May 2018" "libcurl 7.61.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_PROXY_TLS13_CIPHERS \- ciphers suites for proxy TLS 1.3
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_TLS13_CIPHERS, char *list);
+.SH DESCRIPTION
+Pass a char *, pointing to a zero terminated string holding the list of cipher
+suites to use for the TLS 1.3 connection to a proxy. The list must be
+syntactically correct, it consists of one or more cipher suite strings
+separated by colons.
+
+You'll find more details about cipher lists on this URL:
+
+ https://curl.haxx.se/docs/ssl-ciphers.html
+
+The application does not have to keep the string around after setting this
+option.
+.SH DEFAULT
+NULL, use internal default
+.SH PROTOCOLS
+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+  curl_easy_setopt(curl, CURLOPT_PROXY_TLS13_CIPHERS,
+                   "TLS13-CHACHA20-POLY1305-SHA256");
+  ret = curl_easy_perform(curl);
+  curl_easy_cleanup(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in 7.61.0.
+Available when built with OpenSSL >= 1.1.1.
+.SH RETURN VALUE
+Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise.
+.SH "SEE ALSO"
+.BR CURLOPT_SSLVERSION "(3), " CURLOPT_TLS13_CIPHERS "(3), "
diff --git a/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3 b/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3
new file mode 100644
index 000000000..85400780c
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3
@@ -0,0 +1,62 @@
+.\" **************************************************************************
+.\" *                                  _   _ ____  _
+.\" *  Project                     ___| | | |  _ \| |
+.\" *                             / __| | | | |_) | |
+.\" *                            | (__| |_| |  _ <| |___
+.\" *                             \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_TLS13_CIPHERS 3 "25 May 2018" "libcurl 7.61.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_TLS13_CIPHERS \- specify ciphers suites to use for TLS 1.3
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_TLS13_CIPHERS, char *list);
+.SH DESCRIPTION
+Pass a char *, pointing to a zero terminated string holding the list of cipher
+suites to use for the TLS 1.3 connection. The list must be syntactically
+correct, it consists of one or more cipher suite strings separated by colons.
+
+You'll find more details about cipher lists on this URL:
+
+ https://curl.haxx.se/docs/ssl-ciphers.html
+
+The application does not have to keep the string around after setting this
+option.
+.SH DEFAULT
+NULL, use internal default
+.SH PROTOCOLS
+All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+  curl_easy_setopt(curl, CURLOPT_TLS13_CIPHERS,
+                   "TLS13-CHACHA20-POLY1305-SHA256");
+  ret = curl_easy_perform(curl);
+  curl_easy_cleanup(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in 7.61.0.
+Available when built with OpenSSL >= 1.1.1.
+.SH RETURN VALUE
+Returns CURLE_OK if supported, CURLE_NOT_BUILT_IN otherwise.
+.SH "SEE ALSO"
+.BR CURLOPT_SSLVERSION "(3), " CURLOPT_PROXY_TLS13_CIPHERS "(3), "
diff --git a/docs/libcurl/opts/Makefile.inc b/docs/libcurl/opts/Makefile.inc
index 74a76a7dd..5db8b8f3e 100644
--- a/docs/libcurl/opts/Makefile.inc
+++ b/docs/libcurl/opts/Makefile.inc
@@ -237,6 +237,7 @@ man_MANS =                                      \
   CURLOPT_PROXY_SSL_OPTIONS.3                   \
   CURLOPT_PROXY_SSL_VERIFYHOST.3                \
   CURLOPT_PROXY_SSL_VERIFYPEER.3                \
+  CURLOPT_PROXY_TLS13_CIPHERS.3                 \
   CURLOPT_PROXY_TLSAUTH_PASSWORD.3              \
   CURLOPT_PROXY_TLSAUTH_TYPE.3                  \
   CURLOPT_PROXY_TLSAUTH_USERNAME.3              \
@@ -315,6 +316,7 @@ man_MANS =                                      \
   CURLOPT_TIMEOUT_MS.3                          \
   CURLOPT_TIMEVALUE.3                           \
   CURLOPT_TIMEVALUE_LARGE.3                     \
+  CURLOPT_TLS13_CIPHERS.3                       \
   CURLOPT_TLSAUTH_PASSWORD.3                    \
   CURLOPT_TLSAUTH_TYPE.3                        \
   CURLOPT_TLSAUTH_USERNAME.3                    \
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index f3ad33510..4b6e74346 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -101,8 +101,8 @@ CURLE_PEER_FAILED_VERIFICATION  7.17.1
 CURLE_QUOTE_ERROR               7.17.0
 CURLE_RANGE_ERROR               7.17.0
 CURLE_READ_ERROR                7.1
-CURLE_RECV_ERROR                7.10
 CURLE_RECURSIVE_API_CALL        7.59.0
+CURLE_RECV_ERROR                7.10
 CURLE_REMOTE_ACCESS_DENIED      7.17.0
 CURLE_REMOTE_DISK_FULL          7.17.0
 CURLE_REMOTE_FILE_EXISTS        7.17.0
@@ -514,6 +514,7 @@ CURLOPT_PROXY_SSL_CIPHER_LIST   7.52.0
 CURLOPT_PROXY_SSL_OPTIONS       7.52.0
 CURLOPT_PROXY_SSL_VERIFYHOST    7.52.0
 CURLOPT_PROXY_SSL_VERIFYPEER    7.52.0
+CURLOPT_PROXY_TLS13_CIPHERS     7.61.0
 CURLOPT_PROXY_TLSAUTH_PASSWORD  7.52.0
 CURLOPT_PROXY_TLSAUTH_TYPE      7.52.0
 CURLOPT_PROXY_TLSAUTH_USERNAME  7.52.0
@@ -528,6 +529,8 @@ CURLOPT_REDIR_PROTOCOLS         7.19.4
 CURLOPT_REFERER                 7.1
 CURLOPT_REQUEST_TARGET          7.55.0
 CURLOPT_RESOLVE                 7.21.3
+CURLOPT_RESOLVER_START_DATA     7.59.0
+CURLOPT_RESOLVER_START_FUNCTION 7.59.0
 CURLOPT_RESUME_FROM             7.1
 CURLOPT_RESUME_FROM_LARGE       7.11.0
 CURLOPT_RTSPHEADER              7.20.0
@@ -602,13 +605,12 @@ CURLOPT_TIMEOUT                 7.1
 CURLOPT_TIMEOUT_MS              7.16.2
 CURLOPT_TIMEVALUE               7.1
 CURLOPT_TIMEVALUE_LARGE         7.59.0
+CURLOPT_TLS13_CIPHERS           7.61.0
 CURLOPT_TLSAUTH_PASSWORD        7.21.4
 CURLOPT_TLSAUTH_TYPE            7.21.4
 CURLOPT_TLSAUTH_USERNAME        7.21.4
 CURLOPT_TRANSFERTEXT            7.1.1
 CURLOPT_TRANSFER_ENCODING       7.21.6
-CURLOPT_RESOLVER_START_FUNCTION 7.59.0
-CURLOPT_RESOLVER_START_DATA     7.59.0
 CURLOPT_UNIX_SOCKET_PATH        7.40.0
 CURLOPT_UNRESTRICTED_AUTH       7.10.4
 CURLOPT_UPLOAD                  7.1
diff --git a/include/curl/curl.h b/include/curl/curl.h
index b7f75da75..034c6da7e 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1849,6 +1849,10 @@ typedef enum {
   /* shuffle addresses before use when DNS returns multiple */
   CINIT(DNS_SHUFFLE_ADDRESSES, LONG, 275),
 
+  /* Specify which TLS 1.3 ciphers suites to use */
+  CINIT(TLS13_CIPHERS, STRINGPOINT, 276),
+  CINIT(PROXY_TLS13_CIPHERS, STRINGPOINT, 277),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 
diff --git a/lib/setopt.c b/lib/setopt.c
index c1f6bd97e..93a4dd2b5 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -142,6 +142,25 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
                             va_arg(param, char *));
     break;
 
+  case CURLOPT_TLS13_CIPHERS:
+    if(Curl_ssl_tls13_ciphersuites()) {
+      /* set preferred list of TLS 1.3 cipher suites */
+      result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG],
+                              va_arg(param, char *));
+    }
+    else
+      return CURLE_NOT_BUILT_IN;
+    break;
+  case CURLOPT_PROXY_TLS13_CIPHERS:
+    if(Curl_ssl_tls13_ciphersuites()) {
+      /* set preferred list of TLS 1.3 cipher suites for proxy */
+      result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_PROXY],
+                              va_arg(param, char *));
+    }
+    else
+      return CURLE_NOT_BUILT_IN;
+    break;
+
   case CURLOPT_RANDOM_FILE:
     /*
      * This is the path name to a file that contains random data to seed
diff --git a/lib/urldata.h b/lib/urldata.h
index 9a821aa5a..f1b67c3d1 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -227,6 +227,7 @@ struct ssl_primary_config {
   char *random_file;     /* path to file containing "random" data */
   char *egdsocket;       /* path to file containing the EGD daemon socket */
   char *cipher_list;     /* list of ciphers to use */
+  char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
 };
 
 struct ssl_config_data {
@@ -1401,6 +1402,8 @@ enum dupstring {
   STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
   STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
   STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
+  STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */
+  STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */
   STRING_SSL_EGDSOCKET,   /* path to file containing the EGD daemon socket */
   STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */
   STRING_USERAGENT,       /* User-Agent string */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index a7bbdb2fd..4a5f37060 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -166,6 +166,17 @@ static unsigned long OpenSSL_version_num(void)
 #define HAVE_KEYLOG_CALLBACK
 #endif
 
+/* Whether SSL_CTX_set_ciphersuites is available.
+ * OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
+ * BoringSSL: no
+ * LibreSSL: no
+ */
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
+     !defined(LIBRESSL_VERSION_NUMBER) &&       \
+     !defined(OPENSSL_IS_BORINGSSL))
+#define HAVE_SSL_CTX_SET_CIPHERSUITES
+#endif
+
 #if defined(LIBRESSL_VERSION_NUMBER)
 #define OSSL_PACKAGE "LibreSSL"
 #elif defined(OPENSSL_IS_BORINGSSL)
@@ -2413,6 +2424,19 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
     infof(data, "Cipher selection: %s\n", ciphers);
   }
 
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+  {
+    char *ciphers13 = SSL_CONN_CONFIG(cipher_list13);
+    if(ciphers13) {
+      if(!SSL_CTX_set_ciphersuites(BACKEND->ctx, ciphers13)) {
+        failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers);
+        return CURLE_SSL_CIPHER;
+      }
+      infof(data, "TLS 1.3 cipher selection: %s\n", ciphers13);
+    }
+  }
+#endif
+
 #ifdef USE_TLS_SRP
   if(ssl_authtype == CURL_TLSAUTH_SRP) {
     char * const ssl_username = SSL_SET_OPTION(username);
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index ee5bc7a0a..bf96518bc 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -980,6 +980,14 @@ bool Curl_ssl_false_start(void)
 }
 
 /*
+ * Check whether the SSL backend supports setting TLS 1.3 cipher suites
+ */
+bool Curl_ssl_tls13_ciphersuites(void)
+{
+  return Curl_ssl->supports & SSLSUPP_TLS13_CIPHERSUITES;
+}
+
+/*
  * Default implementations for unsupported functions.
  */
 
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index e7b87c4d3..40f9d7479 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -31,6 +31,7 @@ struct ssl_connect_data;
 #define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */
 #define SSLSUPP_SSL_CTX      (1<<3) /* supports CURLOPT_SSL_CTX */
 #define SSLSUPP_HTTPS_PROXY  (1<<4) /* supports access via HTTPS proxies */
+#define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */
 
 struct Curl_ssl {
   /*
@@ -93,6 +94,7 @@ CURLcode Curl_none_set_engine(struct Curl_easy *data, const char *engine);
 CURLcode Curl_none_set_engine_default(struct Curl_easy *data);
 struct curl_slist *Curl_none_engines_list(struct Curl_easy *data);
 bool Curl_none_false_start(void);
+bool Curl_ssl_tls13_ciphersuites(void);
 CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
                           unsigned char *md5sum, size_t md5len);
 
@@ -246,7 +248,7 @@ bool Curl_ssl_false_start(void);
 
 #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
 
-#else
+#else /* if not USE_SSL */
 
 /* When SSL support is not present, just define away these function calls */
 #define Curl_ssl_init() 1
@@ -270,6 +272,7 @@ bool Curl_ssl_false_start(void);
 #define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
 #define Curl_ssl_cert_status_request() FALSE
 #define Curl_ssl_false_start() FALSE
+#define Curl_ssl_tls13_ciphersuites() FALSE
 #endif
 
 #endif /* HEADER_CURL_VTLS_H */
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index 9d995f85e..237c2bd7f 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -117,6 +117,8 @@ struct OperationConfig {
   struct getout *url_ul;    /* point to the node to fill in upload */
   char *cipher_list;
   char *proxy_cipher_list;
+  char *cipher13_list;
+  char *proxy_cipher13_list;
   char *cert;
   char *proxy_cert;
   char *cert_type;
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index e83373c37..a9f448112 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -201,6 +201,8 @@ static const struct LongShort aliases[]= {
   {"11",  "tlsv1.1",                 ARG_NONE},
   {"12",  "tlsv1.2",                 ARG_NONE},
   {"13",  "tlsv1.3",                 ARG_NONE},
+  {"1A", "tls13-ciphers",            ARG_STRING},
+  {"1B", "proxy-tls13-ciphers",      ARG_STRING},
   {"2",  "sslv2",                    ARG_NONE},
   {"3",  "sslv3",                    ARG_NONE},
   {"4",  "ipv4",                     ARG_NONE},
@@ -1177,6 +1179,12 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
         /* TLS version 1.3 */
         config->ssl_version = CURL_SSLVERSION_TLSv1_3;
         break;
+      case 'A': /* --tls13-ciphers */
+        GetStr(&config->cipher13_list, nextarg);
+        break;
+      case 'B': /* --proxy-tls13-ciphers */
+        GetStr(&config->proxy_cipher13_list, nextarg);
+        break;
       }
       break;
     case '2':
diff --git a/src/tool_help.c b/src/tool_help.c
index 7c4dda3b0..3218cf67d 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -160,12 +160,12 @@ static const struct helptxt helptext[] = {
    "Put the post data in the URL and use GET"},
   {"-g, --globoff",
    "Disable URL sequences and ranges using {} and []"},
-  {"    --happy-eyeballs-timeout-ms",
+  {"    --happy-eyeballs-timeout-ms <milliseconds>",
    "How long to wait in milliseconds for IPv6 before trying IPv4"},
-  {"-I, --head",
-   "Show document info only"},
   {"    --haproxy-protocol",
    "Send HAProxy PROXY protocol v1 header"},
+  {"-I, --head",
+   "Show document info only"},
   {"-H, --header <header/@file>",
    "Pass custom header(s) to server"},
   {"-h, --help",
@@ -297,7 +297,7 @@ static const struct helptxt helptext[] = {
   {"    --proxy-cert <cert[:passwd]>",
    "Set client certificate for proxy"},
   {"    --proxy-cert-type <type>",
-   "Client certificate type for HTTS proxy"},
+   "Client certificate type for HTTPS proxy"},
   {"    --proxy-ciphers <list>",
    "SSL ciphers to use for proxy"},
   {"    --proxy-crlfile <file>",
@@ -324,6 +324,8 @@ static const struct helptxt helptext[] = {
    "SPNEGO proxy service name"},
   {"    --proxy-ssl-allow-beast",
    "Allow security flaw for interop for HTTPS proxy"},
+  {"    --proxy-tls13-ciphers <ciphersuite list>",
+   "TLS 1.3 proxy cipher suites"},
   {"    --proxy-tlsauthtype <type>",
    "TLS authentication type for HTTPS proxy"},
   {"    --proxy-tlspassword <string>",
@@ -337,7 +339,7 @@ static const struct helptxt helptext[] = {
   {"    --proxy1.0 <host[:port]>",
    "Use HTTP/1.0 proxy on given port"},
   {"-p, --proxytunnel",
-   "Operate through a HTTP proxy tunnel (using CONNECT)"},
+   "Operate through an HTTP proxy tunnel (using CONNECT)"},
   {"    --pubkey <key>",
    "SSH Public key file name"},
   {"-Q, --quote",
@@ -362,7 +364,7 @@ static const struct helptxt helptext[] = {
    "Specify request command to use"},
   {"    --request-target",
    "Specify the target for this request"},
-  {"    --resolve <host:port:address>",
+  {"    --resolve <host:port:address[,address]...>",
    "Resolve the host+port to this address"},
   {"    --retry <num>",
    "Retry request if transient problems occur"},
@@ -432,6 +434,8 @@ static const struct helptxt helptext[] = {
    "Transfer based on a time condition"},
   {"    --tls-max <VERSION>",
    "Use TLSv1.0 or greater"},
+  {"    --tls13-ciphers <list of TLS 1.3 ciphersuites>",
+   "TLS 1.3 cipher suites to use"},
   {"    --tlsauthtype <type>",
    "TLS authentication type"},
   {"    --tlspassword",
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 5be862228..0a1b1a48d 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1216,6 +1216,13 @@ static CURLcode operate_do(struct GlobalConfig *global,
           my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
                         config->proxy_cipher_list);
 
+        if(config->cipher13_list)
+          my_setopt_str(curl, CURLOPT_TLS13_CIPHERS, config->cipher13_list);
+
+        if(config->proxy_cipher13_list)
+          my_setopt_str(curl, CURLOPT_PROXY_SSL_CIPHER_LIST,
+                        config->proxy_cipher13_list);
+
         /* new in libcurl 7.9.2: */
         if(config->disable_epsv)
           /* disable it */