curl-users
Unable to connect to TLSv1.2 host
Date: Wed, 19 Aug 2015 17:05:17 +0000 (UTC)
This is a continuation of the thread I started here: https://github.com/bagder/curl/issues/390#issuecomment-132464361
TL;DR: I'm unable to establish a TLSv1.2 connection from a specific machine, and I'm trying to troubleshoot why.
Per the suggestions on that thread, I upgraded to the latest curl/libcurl/openssl; when that failed, I proceeded to do Wireshark captures.
I don't want to blame firewall issues right away, since I can manually connect from the same box using openssl s_client.
I have two captures here, 1) Failed with curl, 2) Success with openssl s_client.
This is going beyond my ability to troubleshoot, so any help would be greatly appreciated.
Capture 1: This is a failed capture from calling `curl -v https://ms136.slack-msgs.com`
Capture file:
https://www.dropbox.com/s/j21aoq9ehe0bt0i/failed_with_curl.cap?dl=0
curl output:
```
* Rebuilt URL to: https://ms136.slack-msgs.com/
*   Trying 54.175.159.82...
* Connected to ms136.slack-msgs.com (54.175.159.82) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to ms136.slack-msgs.com:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to ms136.slack-msgs.com:443
```
Capture 2: This is a successful capture from the same machine, using `openssl s_client -connect ms136.slack-msgs.com:443` and manually entering the following sequence to emulate what curl would do:
```
GET / HTTP/1.1
Host: ms136.slack-msgs.com
User-Agent: curl/7.44.0
Accept: */*
```
Capture file:
https://www.dropbox.com/s/6dftyx4iwitc7l7/success_with_openssl.cap?dl=0
OpenSSL output:
```
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Slack Technologies, Inc.", CN = *.slack-msgs.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Slack Technologies, Inc./CN=*.slack-msgs.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=Slack Technologies, Inc./CN=*.slack-msgs.com
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2928 bytes and written 500 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 55D4B1A494212D2B14C4AF0175919E0618655EA4D29BEFC5616F88AECCAB9A5E
    Session-ID-ctx:
    Master-Key: 9518153EFB53D7319BEECF85F6A86DD02012892DAEA8B003934675AC568CDA10B6EB1D98BB65DDA568D72F87B137989A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1440002468
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET / HTTP/1.1
Host: ms136.slack-msgs.com
User-Agent: curl/7.44.0
Accept: */*

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 128

<html><body>Someone at Slack probably asked you to load this page to test your connection, and... it worked! Phew.</body></html>
```
Received on 2015-08-20