Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Error connecting to a java process with TLSv1.3
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel Santos via curl-users <curl-users_at_lists.haxx.se>
Date: Wed, 18 Feb 2026 21:47:11 +0000
Hi,
I have a Jetty Java application server configured with SSL/TLS in which one of the versions it does is TLS v1.3.
It runs on Java 17 graalvm-ce-17.
This is the output of the version command on the curl I am using (MacOS X Tahoe, home-brew version)
dlsa_at_besta facialrecognition % /opt/homebrew/opt/curl/bin/curl -V
curl 8.18.0 (aarch64-apple-darwin25.2.0) libcurl/8.18.0 OpenSSL/3.6.1 zlib/1.2.12 brotli/1.2.0 zstd/1.5.7 AppleIDN libssh2/1.11.1 nghttp2/1.68.0 ngtcp2/1.20.0 nghttp3/1.15.0 mit-krb5/1.7-prerelease OpenLDAP/2.4.28/Apple
Release-Date: 2026-01-07
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AppleSecTrust AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
The command I run is :
dlsa_at_besta facialrecognition % /opt/homebrew/opt/curl/bin/curl --trace-ascii httpreq.log --tlsv1.3 --cacert jettyhttpscerts/jettyhttpscertbundle.pem 'https://localhost:9433/auth/authorize'
curl: (35) TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
The contents of the call’s log file is attached.
In the log file there is the last bit that is sent before the disconnect :
=> Send SSL data, 5 bytes (0x5)
0000: .....
* TLSv1.3 (OUT), TLS alert, decode error (562):
Which I suspected that, because the java server has a certificate signed through a CA certificate that I generated,
Curl needs the option --cacert jettyhttpscerts/jettyhttpscertbundle.pem to tell it to use the certificate in the trust chain
That is coming from the server.
If not it will throw the decode error. That was what was happening also before I put the —caret option.
But with the option I get the same error.
So I am not sure if its related to the server certificate being generated by me.
Could anyone shed some light into this ?
Thanks,
Regards
Received on 2026-02-19
Date: Wed, 18 Feb 2026 21:47:11 +0000
Hi,
I have a Jetty Java application server configured with SSL/TLS in which one of the versions it does is TLS v1.3.
It runs on Java 17 graalvm-ce-17.
This is the output of the version command on the curl I am using (MacOS X Tahoe, home-brew version)
dlsa_at_besta facialrecognition % /opt/homebrew/opt/curl/bin/curl -V
curl 8.18.0 (aarch64-apple-darwin25.2.0) libcurl/8.18.0 OpenSSL/3.6.1 zlib/1.2.12 brotli/1.2.0 zstd/1.5.7 AppleIDN libssh2/1.11.1 nghttp2/1.68.0 ngtcp2/1.20.0 nghttp3/1.15.0 mit-krb5/1.7-prerelease OpenLDAP/2.4.28/Apple
Release-Date: 2026-01-07
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AppleSecTrust AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
The command I run is :
dlsa_at_besta facialrecognition % /opt/homebrew/opt/curl/bin/curl --trace-ascii httpreq.log --tlsv1.3 --cacert jettyhttpscerts/jettyhttpscertbundle.pem 'https://localhost:9433/auth/authorize'
curl: (35) TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
The contents of the call’s log file is attached.
In the log file there is the last bit that is sent before the disconnect :
=> Send SSL data, 5 bytes (0x5)
0000: .....
* TLSv1.3 (OUT), TLS alert, decode error (562):
Which I suspected that, because the java server has a certificate signed through a CA certificate that I generated,
Curl needs the option --cacert jettyhttpscerts/jettyhttpscertbundle.pem to tell it to use the certificate in the trust chain
That is coming from the server.
If not it will throw the decode error. That was what was happening also before I put the —caret option.
But with the option I get the same error.
So I am not sure if its related to the server certificate being generated by me.
Could anyone shed some light into this ?
Thanks,
Regards
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.html
- application/octet-stream attachment: httpreq.log