Re: SSL connect error
From: Thierry Huchard via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 13 Dec 2021 15:28:41 +0100
On 2021-12-13 15:06, Cristian Rodríguez wrote:
> On Sun, Dec 12, 2021 at 4:24 PM Thierry Huchard via curl-library
> <curl-library_at_lists.haxx.se> wrote:
>
>> But with "--tls-max 1.0" or "--tls-max 1.1", curl can connect to XK90.
>> With "--tls-max 1.2" and "--tls-max 1.3", curl returns the same error
>> described above
>
> ok.. then curl_easy_setopt() CURL_SSLVERSION_TLSv1_1... either the
> target system chokes with openssl's tls negotiation (i.e. system is
> hosed) or the most likely scenario is that openssl refuses to offer
> obsolete ciphersuites or imposes extra constraints when using tls 1.2.
>
> Use the suggested workaround or contact the device manufacturer for a
> firmware update.
I am the maintainer of the canon_pixma backend for Canon scanners, it is
based on Canon binary.
I opened a ticket with them, several months ago, here is the answer
received this morning:
//////////////////////// Canon Europe ///////////////////////////////
RE: Canon Developer Programme New Support Call 00763131
From Canon Developer Support
Date Today 11:38
Message body
Hi Thierry,
Unfortunately I have not been able to make any progress with your
questions.
Therefore I have to close the support call.
We are sorry we were unable to assist you on this occasion.
Best wishes,
Nick
//////////////////////// End Canon Europe ///////////////////////////////
Ask them to update a firmware, it will be complicated ...
I'll go with this workaround:
| #include <string.h>
| #include <curl/curl.h>
|
| /* Maximum-TLS-version caps to try, least restrictive first. */
| static int proto_tls[] = {
|         CURL_SSLVERSION_MAX_DEFAULT,
|         CURL_SSLVERSION_MAX_TLSv1_3,
|         CURL_SSLVERSION_MAX_TLSv1_2,
|         CURL_SSLVERSION_MAX_TLSv1_1,
|         CURL_SSLVERSION_MAX_TLSv1_0,
|         -1
| };
|
| /* Try one transfer with the given cap; returns the CURLcode. */
| static CURLcode
| escl_tls_protocol_supported(char *url, int proto)
| {
|         CURLcode res = CURLE_UNSUPPORTED_PROTOCOL;
|         CURL *curl = curl_easy_init();
|         if(curl) {
|                 curl_easy_setopt(curl, CURLOPT_URL, url);
|
|                 /* cap the highest TLS version libcurl may negotiate;
|                    the option takes a long, hence the cast */
|                 curl_easy_setopt(curl, CURLOPT_SSLVERSION, (long)proto);
|                 /* certificate and host name checks are switched off */
|                 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
|                 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
|                 curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
|                 curl_easy_setopt(curl, CURLOPT_MAXREDIRS, 3L);
|                 /* Perform the request */
|                 res = curl_easy_perform(curl);
|                 curl_easy_cleanup(curl);
|         }
|         return res;
| }
|
| /* Returns the index into proto_tls of the first cap that works, or 0
|    when the service is not TLS or no cap works.
|    "type" was used but not declared in the snippet as posted; it is
|    taken as a parameter here. DBG() is the SANE debug macro. */
| static int
| escl_is_tls(char *url, char *type)
| {
|         int tls_version = 0;
|         if(!strcmp(type, "_uscans._tcp") ||
|            !strcmp(type, "https"))
|         {
|                 while(proto_tls[tls_version] != -1)
|                 {
|                         if (escl_tls_protocol_supported(url, proto_tls[tls_version]) == CURLE_OK)
|                         {
|                                 DBG(10, "curl tls compatible (%d)\n", proto_tls[tls_version]);
|                                 break;
|                         }
|                         tls_version++;
|                 }
|                 if (proto_tls[tls_version] == -1)
|                         return 0;
|         }
|         return tls_version;
| }
|
Thank you all for your answers!
Thierry
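
An added example, not code from the post or from the SANE project: the posted escl_is_tls() returns 0 for three different cases (service is not TLS, the default worked, no cap worked), so this sketch walks the same ladder but reports each case separately, flags a cap below TLS 1.2, and takes a floor below which it will not go. All names are hypothetical; the probe callback stands in for the curl_easy_perform() attempt, and legacy_device/modern_device are constructed stand-ins for endpoints.

```c
#include <stdio.h>

/* Hypothetical names. Each cap stands for the CURL_SSLVERSION_MAX_* value
 * of the same name, ordered least restrictive first as in the post. */
enum tls_cap { CAP_DEFAULT, CAP_TLS13, CAP_TLS12, CAP_TLS11, CAP_TLS10 };
enum probe_status { PROBE_NO_TLS, PROBE_OK, PROBE_LEGACY, PROBE_FAILED };

struct probe_result {
    enum probe_status status;
    enum tls_cap cap;   /* meaningful for PROBE_OK and PROBE_LEGACY only */
    int attempts;       /* handshakes tried */
};

/* Nonzero when a transfer with this cap succeeds; a real backend would
 * set CURLOPT_SSLVERSION and call curl_easy_perform() here. */
typedef int (*probe_fn)(const char *url, enum tls_cap cap);

/* Walk the ladder down to `floor` and report which case applied. */
struct probe_result select_tls_cap(const char *url, int is_tls,
                                   enum tls_cap floor, probe_fn probe)
{
    struct probe_result r = { PROBE_NO_TLS, CAP_DEFAULT, 0 };
    if (!is_tls)
        return r;
    r.status = PROBE_FAILED;
    for (int c = CAP_DEFAULT; c <= (int)floor; c++) {
        r.attempts++;
        if (probe(url, (enum tls_cap)c)) {
            r.cap = (enum tls_cap)c;
            /* A cap below TLS 1.2 is a downgrade the caller should log. */
            r.status = (c >= CAP_TLS11) ? PROBE_LEGACY : PROBE_OK;
            return r;
        }
    }
    return r;
}

/* Constructed stand-ins for endpoints, not real devices. */
int legacy_device(const char *url, enum tls_cap cap)
{ (void)url; return cap == CAP_TLS11 || cap == CAP_TLS10; }
int modern_device(const char *url, enum tls_cap cap)
{ (void)url; (void)cap; return 1; }

int main(void)
{
    struct probe_result r =
        select_tls_cap("https://scanner.example/", 1, CAP_TLS10, legacy_device);
    printf("status=%d cap=%d attempts=%d\n", r.status, r.cap, r.attempts);
    return 0;
}
```

With the floor set to CAP_TLS12 the legacy stand-in yields PROBE_FAILED instead of a silent downgrade, which lets the caller decide per device whether the older cap is acceptable.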
Received on 2021-12-13