curl-users

Re: curl fails to negotiate TLS handshake with server unless compatible cipher suite is explicitly defined on commandline

From: Jason Strongman <jasonstrongman2016_at_gmail.com>
Date: Mon, 23 Mar 2015 10:17:47 -0500

Sounds like you are using curl shipped as part of a RHEL-based
distribution. curl as shipped by RHEL is compiled against libnss.
I believe the latest version of libnss that ships with RHEL 7 (or it
may be Fedora) supports the latest and greatest cipher suites.

I resolved this by statically compiling the latest stable version of
curl against libssl. I placed the new curl binary in another
non-conflicting location on the file system.

On Fri, Mar 20, 2015 at 3:15 AM, Jeff Cook <cookiecaper_at_gmail.com> wrote:
> Unfortunately I can't reveal the actual server used and I don't know
> of any other cases where this happens. I understand that may make it
> hard to test.
>
> With ./curl_stage --ciphers RC4-SHA:RC4-MD5 -vvv https://example.com -1, I get
>
>> curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>
> With ./curl_stage --ciphers AES256 -vvv https://example.com -1, I get
>
>>* SSLv3, TLS handshake, Client hello (1):
>>* SSLv3, TLS handshake, Server hello (2):
>>* SSLv3, TLS handshake, CERT (11):
>>* SSLv3, TLS handshake, Server finished (14):
>>* SSLv3, TLS handshake, Client key exchange (16):
>>* SSLv3, TLS change cipher, Client hello (1):
>>* SSLv3, TLS handshake, Finished (20):
>>* SSLv3, TLS change cipher, Client hello (1):
>>* SSLv3, TLS handshake, Finished (20):
>>* SSL connection using AES256-SHA
>
> This behavior is specific to one of the libraries linked against
> cURL, but I'm not sure which one.
>
> All machines we have tested except for this one can connect to the
> site and behave fine with the simple curl commands above. If I execute
> curl_stage on a machine where normal curl behaves well, I get the same
> problem, so it's not a network or configuration thing.
>
> Can you help me identify the source of this issue? Shouldn't curl
> exhaust its list of potential cipher suites before the server gives up
> and sends an RST? The executable in question, statically linked with
> all necessary libs by Ermine, is attached. I know that a library is
> causing this because it happened both with the custom-built curl here
> and the curl from Ubuntu.
>
> Thanks.
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-03-23
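The thread above diagnoses the failure by hand: run curl once per candidate cipher suite, watch for the "sslv3 alert handshake failure" error or the "SSL connection using ..." line, and check which TLS backend the curl binary was built against. The script below is an added example that automates that procedure; it is not part of curl or of either mail. It assumes a curl whose --ciphers argument uses OpenSSL-style suite names (an NSS-built curl, as discussed above, expects different names), and the sample `curl -V` and `curl -v` lines in the comments and the hypothetical host names are constructed for illustration.

```shell
#!/bin/sh
# probe_ciphers.sh: find out which cipher suites a TLS server will accept
# from this curl binary, one handshake per suite. Added example for the
# thread above, not curl project code. Assumed: curl in PATH, OpenSSL-style
# cipher names for --ciphers.

# Print the TLS backend token from the first line of `curl -V` read on
# stdin, e.g. "NSS/3.15.4" or "OpenSSL/1.0.1f". The first line looks like:
#   curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7
# (constructed sample). Knowing the backend tells you which cipher-name
# syntax --ciphers expects and which suites the binary can offer at all.
tls_backend() {
  awk 'NR == 1 {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^(OpenSSL|LibreSSL|BoringSSL|NSS|GnuTLS|wolfSSL|mbedTLS|Schannel|SecureTransport)\//) {
             print $i
             exit
           }
       }'
}

# Read `curl -v` stderr on stdin and print one of:
#   <cipher suite>      the suite named on the "SSL connection using" line
#                       (handles both "using AES256-SHA" and the newer
#                       "using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256" form)
#   HANDSHAKE-FAILURE   the server sent a handshake_failure alert
#   NO-TLS              neither seen (DNS/TCP error, non-TLS URL, etc.)
parse_negotiated() {
  awk '
    /SSL connection using/ {
      line = $0
      sub(/.*SSL connection using /, "", line)
      sub(/[ \r]+$/, "", line)
      n = split(line, parts, " / ")
      cipher = (n >= 2) ? parts[2] : parts[1]
    }
    /alert handshake failure/ { failed = 1 }
    END {
      if (cipher != "")    print cipher
      else if (failed)     print "HANDSHAKE-FAILURE"
      else                 print "NO-TLS"
    }'
}

# Try each cipher suite against URL and print "<suite>  <result>" per line.
# -sS keeps the progress meter quiet but still reports errors; -v is what
# produces the handshake trace that parse_negotiated reads.
probe_ciphers() {
  url=$1
  shift
  for suite in "$@"; do
    result=$(curl --ciphers "$suite" -sS -o /dev/null -v "$url" 2>&1 | parse_negotiated)
    printf '%-40s %s\n' "$suite" "$result"
  done
}

# Usage (hypothetical host):
#   sh probe_ciphers.sh https://example.com RC4-SHA AES256-SHA ECDHE-RSA-AES128-GCM-SHA256
# Runs only when a URL and at least one suite are given, so the functions
# can be sourced without touching the network.
if [ "$#" -ge 2 ]; then
  printf 'TLS backend: %s\n' "$(curl -V | tls_backend)"
  probe_ciphers "$@"
fi
```

A suite that comes back as HANDSHAKE-FAILURE while another succeeds is exactly the situation in the thread: the server rejects the default offer and only agrees once curl is told to offer something it supports. Comparing the backend line from two different curl builds is the quickest way to confirm that the difference is in the linked TLS library rather than in the network.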