
Re: Unable to connect to TLSv1.2 host

From: Isaac Boukris <iboukris_at_gmail.com>
Date: Thu, 20 Aug 2015 09:43:46 +0300

On Wed, Aug 19, 2015 at 8:05 PM, Lenny Markus via curl-users
<curl-users_at_cool.haxx.se> wrote:
> This is a continuation of the thread I started here:
> https://github.com/bagder/curl/issues/390#issuecomment-132464361
>
> TL;DR:
> I'm unable to establish a TLSv1.2 connection from a specific machine, and
> I'm trying to troubleshoot why.
>
> Per the suggestions on that thread, I upgraded to the latest
> curl/libcurl/openssl, when that failed, I proceeded to do wireshark
> captures.
>
> I don't want to blame firewall issues right away, since I can manually
> connect from the same box using openssl s_client
>
> I have two captures here, 1) Failed with curl, 2) Success with openssl
> s_client.

Try 'ldd' on both and see if there is a difference.

> This is going beyond my ability to troubleshoot, so any help would be
> greatly appreciated
>
> Capture 1: This is a failed capture from calling `curl -v
> https://ms136.slack-msgs.com`
>
> Capture file:
> https://www.dropbox.com/s/j21aoq9ehe0bt0i/failed_with_curl.cap?dl=0
>
> curl output:
> * Rebuilt URL to: https://ms136.slack-msgs.com/
> * Trying 54.175.159.82...
> * Connected to ms136.slack-msgs.com (54.175.159.82) port 443 (#0)
> * ALPN, offering http/1.1
> * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /etc/ssl/certs/ca-certificates.crt
> CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * Unknown SSL protocol error in connection to ms136.slack-msgs.com:443
> * Closing connection 0
> curl: (35) Unknown SSL protocol error in connection to

Looks like the error comes from openssl, perhaps worth adding:
failf(data, "ret of SSL_connect(): %d ", err);

At:
https://github.com/bagder/curl/blob/98835eed29cd1f3451f0fb16ce1d4551a0e07df4/lib/vtls/openssl.c#L2122

> ms136.slack-msgs.com:443
>
> Capture 2: This is a successful capture from the same machine, using
> `openssl s_client -connect ms136.slack-msgs.com:443` and manually entering
> the following sequence to emulate what curl would do:
> ```
> GET / HTTP/1.1
> Host: ms136.slack-msgs.com
> User-Agent: curl/7.44.0
> Accept: */*
> ```
> Capture file:
> https://www.dropbox.com/s/6dftyx4iwitc7l7/success_with_openssl.cap?dl=0
>
> OpenSSL output:
> CONNECTED(00000003)
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify return:1
> depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
> verify return:1
> depth=0 C = US, ST = California, L = San Francisco, O = "Slack Technologies,
> Inc.", CN = *.slack-msgs.com
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=San Francisco/O=Slack Technologies,
> Inc./CN=*.slack-msgs.com
> i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
> 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
> i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> ---
> Server certificate
> subject=/C=US/ST=California/L=San Francisco/O=Slack Technologies,
> Inc./CN=*.slack-msgs.com
> issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512

Seen issues with modern hash algs, watch it.

> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2928 bytes and written 500 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-SHA384
> Session-ID:
> 55D4B1A494212D2B14C4AF0175919E0618655EA4D29BEFC5616F88AECCAB9A5E
> Session-ID-ctx:
> Master-Key:
> 9518153EFB53D7319BEECF85F6A86DD02012892DAEA8B003934675AC568CDA10B6EB1D98BB65DDA568D72F87B137989A
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1440002468
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
> GET / HTTP/1.1
> Host: ms136.slack-msgs.com
> User-Agent: curl/7.44.0
> Accept: */*
>
> HTTP/1.1 200 OK
> Content-Type: text/html; charset=UTF-8
> Content-Length: 128
>
> <html><body>Someone at Slack probably asked you to load this page to test
> your connection, and... it worked! Phew.</body></html>
>
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-08-20
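The reply's first suggestion is to run ldd on both binaries and look for a difference. The shell script below is an added example, not part of the thread or of the curl project, that automates that comparison: it pulls the resolved libssl/libcrypto paths out of two ldd listings and reports whether curl and openssl s_client load the same OpenSSL build, which is the question to settle before suspecting a firewall. The two ldd listings embedded in it are constructed sample data, not from the poster's machine; the live_compare function runs the same check against whatever curl and openssl are on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): compare which libssl/libcrypto two
# binaries resolve to, as the "ldd on both" suggestion in the reply implies.
# If curl and openssl s_client load different OpenSSL builds, a protocol
# error in one and not the other points at a library difference, not the network.

# Constructed sample ldd output (not from the poster's machine): a curl that
# resolves to the distro OpenSSL while openssl(1) resolves to /usr/local/ssl.
CURL_LDD='    linux-vdso.so.1 (0x00007ffd12345000)
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x00007f1a00000000)
    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1a00100000)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1a00200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a00300000)'
OPENSSL_LDD='    linux-vdso.so.1 (0x00007ffd67890000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f2b00100000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f2b00200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b00300000)'

# tls_libs: read ldd output on stdin and print "soname resolved-path" for the
# libssl/libcrypto entries only (lines of the form "name => path (addr)").
tls_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }' | sort
}

# compare_tls_libs LDD_OUT_A LDD_OUT_B: print both lists when they differ.
# Returns 0 if both binaries resolve the same libssl/libcrypto, 1 otherwise.
compare_tls_libs() {
    a=$(printf '%s\n' "$1" | tls_libs)
    b=$(printf '%s\n' "$2" | tls_libs)
    if [ "$a" = "$b" ]; then
        echo "same libssl/libcrypto:"
        printf '%s\n' "$a"
        return 0
    fi
    echo "MISMATCH: first binary uses"
    printf '%s\n' "$a"
    echo "second binary uses"
    printf '%s\n' "$b"
    return 1
}

# live_compare: run the same check against the curl and openssl found on PATH.
live_compare() {
    compare_tls_libs "$(ldd "$(command -v curl)")" "$(ldd "$(command -v openssl)")"
}

# Demonstration on the constructed listings above: reports a mismatch.
compare_tls_libs "$CURL_LDD" "$OPENSSL_LDD" || echo "(library difference found)"
```

On a real box, call live_compare; a mismatch there means the two tools are not exercising the same TLS stack, so the s_client success says nothing about the libssl curl actually links. The same comparison is worth extending to libcurl itself, since a curl binary upgraded by hand can still pick up an older libcurl.so from the library path.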