

Re: curl fails to negotiate TLS handshake with server unless compatible cipher suite is explicitly defined on commandline

From: Jason Strongman <>
Date: Mon, 23 Mar 2015 10:17:47 -0500

sounds like you are using curl shipped as part of a RHEL based
distribution. curl as shipped by RHEL is compiled against libnss.
i believe the latest version of libnss that ships with RHEL 7 (or it
may be fedora) supports the latest and greatest cipher suites

i resolved this by statically compiling the latest stable version of
curl against libssl. i placed the new curl binary in another
non-conflicting location on the file system

On Fri, Mar 20, 2015 at 3:15 AM, Jeff Cook <> wrote:
> Unfortunately I can't reveal the actual server used and I don't know
> of any other cases where this happens. I understand that may make it
> hard to test.
> With ./curl_stage --ciphers RC4-SHA:RC4-MD5 -vvv -1, I get
>> curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> With ./curl_stage --ciphers AES256 -vvv -1, I get
>>* SSLv3, TLS handshake, Client hello (1):
>>* SSLv3, TLS handshake, Server hello (2):
>>* SSLv3, TLS handshake, CERT (11):
>>* SSLv3, TLS handshake, Server finished (14):
>>* SSLv3, TLS handshake, Client key exchange (16):
>>* SSLv3, TLS change cipher, Client hello (1):
>>* SSLv3, TLS handshake, Finished (20):
>>* SSLv3, TLS change cipher, Client hello (1):
>>* SSLv3, TLS handshake, Finished (20):
>>* SSL connection using AES256-SHA
> This behavior is specific to one of the libraries linked against
> cURL, but I'm not sure which one.
> All machines we have tested except for this one can connect to the
> site and behave fine with the simple curl commands above. If I execute
> curl_stage on a machine where normal curl behaves well, I get the same
> problem, so it's not a network or configuration thing.
> Can you help me identify the source of this issue? Shouldn't curl
> exhaust its list of potential cipher suites before the server gives up
> and sends an RST? The executable in question, statically linked with
> all necessary libs by Ermine, is attached. I know that a library is
> causing this because it happened both with the custom-built curl here
> and the curl from Ubuntu.
> Thanks.
> -------------------------------------------------------------------
> List admin:
> FAQ:
> Etiquette:
Received on 2015-03-23
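
Both mails above turn on which TLS library a given curl binary is linked against. This added shell example, which is not part of the thread and is not curl project code, reads that from the first line of `curl --version` and compares two builds. The sample version lines and the list of library names are constructed assumptions.

```shell
#!/bin/sh
# Added example: find out which TLS library a curl binary is linked against.
# The first line of `curl --version` lists linked libraries as Name/version.

# Known TLS library tokens (an assumption: not an exhaustive list).
TLS_LIBS='OpenSSL|NSS|GnuTLS|LibreSSL|BoringSSL|PolarSSL|CyaSSL|wolfSSL|mbedTLS'

# tls_backend LINE: print the TLS "Name/version" token, or "none" (status 1).
tls_backend() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -E -m1 "^($TLS_LIBS)/" ||
        { echo none; return 1; }
}

# same_backend LINE_A LINE_B: succeed only if both lines name the same TLS
# library (versions may differ); a mismatch explains differing cipher support.
same_backend() {
    a=$(tls_backend "$1") || return 2
    b=$(tls_backend "$2") || return 2
    [ "${a%%/*}" = "${b%%/*}" ]
}

# binary_backend PATH: run a curl binary and report its TLS backend.
binary_backend() {
    tls_backend "$("$1" --version 2>/dev/null | head -n 1)"
}

# Constructed sample lines in the format curl prints (not from the thread).
RHEL_LINE='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3'
OSSL_LINE='curl 7.41.0 (x86_64-unknown-linux-gnu) libcurl/7.41.0 OpenSSL/1.0.1k zlib/1.2.8'

if [ "$#" -gt 0 ]; then
    # Paths given on the command line: inspect those binaries.
    for bin in "$@"; do printf '%s: %s\n' "$bin" "$(binary_backend "$bin")"; done
else
    printf 'sample RHEL-style build:    %s\n' "$(tls_backend "$RHEL_LINE")"
    printf 'sample OpenSSL-style build: %s\n' "$(tls_backend "$OSSL_LINE")"
fi
```

Run it with the paths of the binaries to compare as arguments, for example the distribution curl and a custom build.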