
curl-users

Re: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Sat, 22 Nov 2014 13:05:47 -0600

> On Nov 22, 2014, at 9:51 AM, Igor Zhbanov <izh1979_at_gmail.com> wrote:
>
> I have upgraded my server to OpenSuSE-13.2 and got the following error:
>
> $ curl -v https://www.whatwg.org/
>
> * Hostname was NOT found in DNS cache
> * Trying 208.113.236.128...
> * Connected to www.whatwg.org (208.113.236.128) port 443 (#0)
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs/
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS alert, Server hello (2):
> * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure
> * Closing connection 0
> curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure
>
> Is this a problem with the web-site's settings or with curl cipher options?

Probably the former. I wasn't able to connect to your site with OpenSSL, either, but I was able to connect on my Mac with SecureTransport (Apple's engine):

% curl --version
curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz
% curl -v https://www.whatwg.org/
* Hostname was NOT found in DNS cache
* Trying 208.113.236.128...
* Connected to www.whatwg.org (208.113.236.128) port 443 (#0)
* TLS 1.0 connection using TLS_RSA_WITH_RC4_128_SHA
[...]

That cipher-suite is bad news; see <https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what> for more information. If you can't make it support TLS 1.1 or 1.2, then you ought to at least make it able to support AES-CBC if you haven't already, and deprecate or remove RC4. And turn off SSLv3 support if you have it turned on.

Nick Zitzmann
<http://www.chronosnet.com/>

Received on 2014-11-22
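
The check the reply makes by eye on the `curl -v` output can be scripted. The following is an added example, not part of the original message or of curl: it reads `curl -v` diagnostics and flags the points the reply raises (SSLv3, RC4, nothing newer than TLS 1.0). The function names and finding labels are hypothetical, and the second sample line is constructed in the `SSL connection using <protocol> / <cipher>` shape printed by OpenSSL-backed builds.

```shell
#!/bin/sh
# Added example (not from the thread): flag the TLS parameters that `curl -v`
# reports, following the reply's advice: no SSLv3, no RC4, prefer TLS 1.1/1.2.

# classify_tls PROTOCOL CIPHER: prints "PROTOCOL | CIPHER | findings", status 1 on any finding.
classify_tls() {
    issues=""
    case $1 in
        SSLv[23]|"SSL "[23]*)      issues="$issues sslv3-or-older" ;;
        TLSv1|TLSv1.0|"TLS 1.0")   issues="$issues tls1.0-only" ;;
        TLSv1.[123]|"TLS 1."[123]) ;;
        *)                         issues="$issues unknown-protocol" ;;
    esac
    case $2 in
        *RC4*) issues="$issues rc4" ;;   # matches RC4-SHA and TLS_RSA_WITH_RC4_128_SHA alike
    esac
    issues=${issues# }
    printf '%s | %s | %s\n' "$1" "$2" "${issues:-ok}"
    [ -z "$issues" ]
}

# audit_curl_tls: reads `curl -v` diagnostics on stdin, classifies every
# "connection using" line, and returns 1 if any connection had a finding.
audit_curl_tls() {
    rc=0
    while IFS= read -r line; do
        case $line in
            "* SSL connection using "*" / "*)   # OpenSSL-style: "<protocol> / <cipher>"
                rest=${line#"* SSL connection using "}
                proto=${rest%%" / "*}; cipher=${rest#*" / "} ;;
            "* "*" connection using "*)         # SecureTransport-style, as in the reply
                rest=${line#"* "}
                proto=${rest%%" connection using "*}; cipher=${rest#*" connection using "} ;;
            *) continue ;;
        esac
        classify_tls "$proto" "$cipher" || rc=1
    done
    return $rc
}

# Demo: the first two lines are from the reply above; the third is constructed.
audit_curl_tls <<'EOF' || echo "weak TLS parameters reported"
* Connected to www.whatwg.org (208.113.236.128) port 443 (#0)
* TLS 1.0 connection using TLS_RSA_WITH_RC4_128_SHA
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
EOF
```

Since curl writes its verbose diagnostics to stderr, a live check would feed the function with `curl -sv -o /dev/null URL 2>&1 | audit_curl_tls`.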