
SOLUTION : FTPS session failure - SSLv3, TLS :- Unknown SSL protocol error in connection to 159.1.1.1:21

From: J4 <junk4_at_klunky.co.uk>
Date: Wed, 13 Oct 2010 15:15:25 +0200

>
>> Dear All,
>>
>> This morning our curl FTPS session failed with the error message:
>>
>> * SSLv3, TLS handshake, Client hello (1):
>> * Unknown SSL protocol error in connection to 123.1.1.1:21
>> * Closing connection #0
>> curl: (35) Unknown SSL protocol error in connection to 123.1.1.1:21
>>
>> The full command is: (Real IP and username/password strings replaced).
>> # curl -v -s -S -k --ftp-pasv --ftp-skip-pasv-ip --ftp-ssl
>> --ftp-ssl-ccc -u NNN:NNN ftp://123.1.1.1:21
>>
>> I searched a little and found that this could be caused by one of
>> these (but perhaps something else):-
>>
>> * The Destination Site Does Not Like the Protocol
>> * The Destination Site Does Not Like the Cipher
>> * The SSL Private Key Has Expired
>>
>>
>> I looked in /etc/ssl/certs and could not see any particular keys for
>> this site we are sending to. From the curl command I cannot see any
>> reference to call a specific SSL key, so wonder if we are even using one.
>>
>> I did an strace to try and see what it was opening, but saw nothing:-
>> # strace -fF curl -v -s -S -k --ftp-pasv --ftp-skip-pasv-ip --ftp-ssl
>> --ftp-ssl-ccc -u NNN:NNN ftp://123.1.1.1:21 2>&1 | grep open
>>
>>
>> The third party server we send files to is a government office, and we
>> shall be penalised for delivery failures. Obviously, I am under a
>> little stress. I have contacted said government dept., asking them
>> whether anything has changed, but don't expect to hear a lot since
>> their Helpdesk takes 24 hours to respond. Long live the government
>> and taxation . . .
>>
>> I am at a loss. Can someone suggest how I could identify this problem.
>>
>> Best regards, J.
>>
>>
>> Appendix:
>> The full command and results are here:
>> # curl -v -s -S -k --ftp-pasv --ftp-skip-pasv-ip --ftp-ssl
>> --ftp-ssl-ccc -u NNN:NNN ftp://123.1.1.1:21 -T xn112_13102010.csv.gz.gpg
>> * About to connect() to 123.1.1.1 port 21 (#0)
>> * Trying 123.1.1.1... connected
>> * Connected to 123.1.1.1 (123.1.1.1) port 21 (#0)
>> < 220-Security Notice
>> < 220-You are about to access a secured resource. NNN Aanbieders Portaal
>> < 220-reserves the right to monitor and/or limit access to this resource at
>> < 220 any time.
>>
>> > AUTH SSL
>>
>> < 234 SSL enabled start the negotiation
>> * successfully set certificate verify locations:
>> * CAfile: none
>> CApath: /etc/ssl/certs/
>> * SSLv3, TLS handshake, Client hello (1):
>> } [data not shown]
>> * Unknown SSL protocol error in connection to 123.1.1.1:21
>> * Closing connection #0
>> curl: (35) Unknown SSL protocol error in connection to 123.1.1.1:21
>>
>>
>>
>> -------------------------------------------------------------------
>> List admin: http://cool.haxx.se/list/listinfo/curl-users
>> FAQ: http://curl.haxx.se/docs/faq.html
>> Etiquette: http://curl.haxx.se/mail/etiquette.html
>>
>>
> I forgot to mention the version numbers of curl & openssl, uname, etc in
> case this helps, but I doubt this'll help because nothing has changed in
> the past year.
>
> # curl --version
> curl 7.19.0 (i686-suse-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h
> zlib/1.2.3 libidn/1.10
> Protocols: tftp ftp telnet dict ldap http file https ftps
> Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
>
> # rpm -qv libcurl4
> libcurl4-7.19.0-11.20
>
> # openssl
> OpenSSL> version
> OpenSSL 0.9.8h 28 May 2008
>
> # uname -a
> Linux a446 2.6.27.19-5-pae #1 SMP 2009-02-28 04:40:21 +0100 i686 i686
> i386 GNU/Linux
> SLES 11.0 i586
>
Reason: The site SSL key had expired.
Solution: Asked the owner of the server to renew the SSL cert.
Problem solved.
Received on 2010-10-13
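
Added example, not part of the original mail: a shell check of the certificate an explicit-FTPS server presents, using `openssl s_client -starttls ftp` and `openssl x509 -checkend`. The host and port arguments and the function names are assumptions for illustration; it only yields a result when the handshake gets far enough for the server to send its certificate.

```shell
#!/bin/sh
# Added example: inspect the expiry of an explicit-FTPS server certificate.
# Host and port are supplied by the caller; function names are illustrative.

# Fetch the server's leaf certificate (PEM) over FTP + AUTH TLS.
# openssl s_client performs the FTP STARTTLS dialogue itself.
fetch_ftps_cert() {
    host=$1; port=${2:-21}
    openssl s_client -connect "$host:$port" -starttls ftp </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Report the expiry of a PEM certificate file.
# $1 = PEM file, $2 = warning window in seconds (default 14 days).
# Returns 0 if valid beyond the window, 1 if expired or expiring inside it,
# 2 if the file cannot be parsed as a certificate.
check_cert_expiry() {
    pem=$1; window=${2:-1209600}
    enddate=$(openssl x509 -noout -enddate -in "$pem" 2>/dev/null) || return 2
    echo "$pem: $enddate"
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null; then
        echo "EXPIRED"; return 1
    fi
    if ! openssl x509 -noout -checkend "$window" -in "$pem" >/dev/null; then
        echo "expires within ${window}s"; return 1
    fi
    echo "ok"; return 0
}

# Stand-alone use: ./check_ftps_cert.sh HOST [PORT]
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    fetch_ftps_cert "$1" "${2:-21}" >"$tmp" ||
        { echo "no certificate received" >&2; exit 2; }
    check_cert_expiry "$tmp"
fi
```

Run from cron against the remote endpoint, a non-zero exit gives warning before the certificate lapses rather than after a transfer fails.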