SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
Date: Mon, 27 Apr 2020 16:27:09 -0300
Hi. I'm getting `SSL routines:ssl3_read_bytes:sslv3 alert handshake
failure` like in:
```console
$ curl --location 'https://www.upward.net/'
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
handshake failure
```
```console
$ curl --version
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f
zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0)
libssh2/1.8.0 nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos
Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
```
However, the request works in another machine with a previous curl version:
```console
$ curl -v --location 'https://www.upward.net/'
* Trying 67.227.172.39...
* TCP_NODELAY set
* Connected to www.upward.net (67.227.172.39) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: OU=Domain Control Validated; CN=*.upward.net
* start date: Oct 1 19:35:26 2019 GMT
* expire date: Oct 1 19:35:26 2021 GMT
* subjectAltName: host "www.upward.net" matched cert's "*.upward.net"
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.;
OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate
Authority - G2
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.upward.net
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
PHP/5.4.16
< Cache-Control: max-age=0, no-cache, no-store, must-revalidate
< Content-Type: text/html; charset=UTF-8
< Date: Mon, 27 Apr 2020 19:24:52 GMT
< Expires: Wed, 11 Jan 1984 05:00:00 GMT
< Pragma: no-cache
< Accept-Ranges: bytes
< Set-Cookie: X-Mapping-mekbfdgo=8329592ED46A049589C98F1F7BBDEC41; path=/
< Last-Modified: Mon, 06 Apr 2020 23:53:11 GMT
< X-Frame-Options: ALLOWALL
< Content-Length: 5540
<
<!doctype html><html lang="en">
[...]
```
```console
$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1
zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0
librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
```
So, I've tried a lot of combinations that resulted in the command `curl
-v --no-alpn --no-npn --tlsv1.2 --tls-max 1.2 --ciphers
AES128-GCM-SHA256 'https://www.upward.net/'`, but it didn't work.
-- Att, Tobias "If technology does not liberate all people for the pursuit of higher aspirations in human achievement, then all it's technical potential will be meaningless." - Jacque Fresco
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
- application/pgp-signature attachment: OpenPGP digital signature