Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Re: Error connecting to a java process with TLSv1.3
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel Santos via curl-users <curl-users_at_lists.haxx.se>
Date: Thu, 19 Feb 2026 07:29:50 +0000
Hi,
Thanks for your reply.
I have made the call through https : the url is https://localhost:9433/auth/authorize

I also made the call through http : http://localhost:9433/auth/authorize

I have a connector on the jetty server that does http and that one works.
dlsa_at_besta facialrecognition % curl --trace-ascii httpreq.log 'http://localhost:9000/auth/authorize?client_id=dlsa&redirect_uri=http://localhost:9000/auth/token?code=auth_code_123’

So I have a problem with configuring jetty, that’s what I think. But I followed the instructions on their
Website so I will ask them. Because I am coding the setup and launch of the jetty server from
My Java program, I am not using it from the command line.
Thanks for your help,
Regards
> On 19 Feb 2026, at 06:43, Jeffrey Walton <noloader_at_gmail.com> wrote:
>
>
>
> On Thu, Feb 19, 2026 at 1:08 AM Daniel Santos via curl-users <curl-users_at_lists.haxx.se <mailto:curl-users_at_lists.haxx.se>> wrote:
>> Hi,
>>
>> I have a Jetty Java application server configured with SSL/TLS in which one of the versions it does is TLS v1.3.
>> It runs on Java 17 graalvm-ce-17.
>>
>> This is the output of the version command on the curl I am using (MacOS X Tahoe, home-brew version)
>>
>> dlsa_at_besta facialrecognition % /opt/homebrew/opt/curl/bin/curl -V
>> curl 8.18.0 (aarch64-apple-darwin25.2.0) libcurl/8.18.0 OpenSSL/3.6.1 zlib/1.2.12 brotli/1.2.0 zstd/1.5.7 AppleIDN libssh2/1.11.1 nghttp2/1.68.0 ngtcp2/1.20.0 nghttp3/1.15.0 mit-krb5/1.7-prerelease OpenLDAP/2.4.28/Apple
>> Release-Date: 2026-01-07
>> Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
>> Features: alt-svc AppleSecTrust AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
>>
>> The command I run is :
>>
>> dlsa_at_besta facialrecognition % /opt/homebrew/opt/curl/bin/curl --trace-ascii httpreq.log --tlsv1.3 --cacert jettyhttpscerts/jettyhttpscertbundle.pem 'https://localhost:9433/auth/authorize'
>> curl: (35) TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
>>
>> The contents of the call’s log file is attached.
>>
>> In the log file there is the last bit that is sent before the disconnect :
>>
>> => Send SSL data, 5 bytes (0x5)
>> 0000: .....
>> * TLSv1.3 (OUT), TLS alert, decode error (562):
>>
>> Which I suspected that, because the java server has a certificate signed through a CA certificate that I generated,
>> Curl needs the option --cacert jettyhttpscerts/jettyhttpscertbundle.pem to tell it to use the certificate in the trust chain
>> That is coming from the server.
>>
>> If not it will throw the decode error. That was what was happening also before I put the —caret option.
>> But with the option I get the same error.
>> So I am not sure if its related to the server certificate being generated by me.
>>
>> Could anyone shed some light into this ?
>
> It sounds like (to me) the server at localhost:9433 is _not_ serving pages over TLS. The TLS handshake is not occuring, and ASCII data from http is being served. Can you connect to localhost:9433 using https with a browser?
>
> Jeff
Date: Thu, 19 Feb 2026 07:29:50 +0000
Hi,
Thanks for your reply.
I have made the call through https : the url is https://localhost:9433/auth/authorize

I also made the call through http : http://localhost:9433/auth/authorize

I have a connector on the jetty server that does http and that one works.
dlsa_at_besta facialrecognition % curl --trace-ascii httpreq.log 'http://localhost:9000/auth/authorize?client_id=dlsa&redirect_uri=http://localhost:9000/auth/token?code=auth_code_123’

So I have a problem with configuring jetty, that’s what I think. But I followed the instructions on their
Website so I will ask them. Because I am coding the setup and launch of the jetty server from
My Java program, I am not using it from the command line.
Thanks for your help,
Regards
> On 19 Feb 2026, at 06:43, Jeffrey Walton <noloader_at_gmail.com> wrote:
>
>
>
> On Thu, Feb 19, 2026 at 1:08 AM Daniel Santos via curl-users <curl-users_at_lists.haxx.se <mailto:curl-users_at_lists.haxx.se>> wrote:
>> Hi,
>>
>> I have a Jetty Java application server configured with SSL/TLS in which one of the versions it does is TLS v1.3.
>> It runs on Java 17 graalvm-ce-17.
>>
>> This is the output of the version command on the curl I am using (MacOS X Tahoe, home-brew version)
>>
>> dlsa_at_besta facialrecognition % /opt/homebrew/opt/curl/bin/curl -V
>> curl 8.18.0 (aarch64-apple-darwin25.2.0) libcurl/8.18.0 OpenSSL/3.6.1 zlib/1.2.12 brotli/1.2.0 zstd/1.5.7 AppleIDN libssh2/1.11.1 nghttp2/1.68.0 ngtcp2/1.20.0 nghttp3/1.15.0 mit-krb5/1.7-prerelease OpenLDAP/2.4.28/Apple
>> Release-Date: 2026-01-07
>> Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
>> Features: alt-svc AppleSecTrust AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
>>
>> The command I run is :
>>
>> dlsa_at_besta facialrecognition % /opt/homebrew/opt/curl/bin/curl --trace-ascii httpreq.log --tlsv1.3 --cacert jettyhttpscerts/jettyhttpscertbundle.pem 'https://localhost:9433/auth/authorize'
>> curl: (35) TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
>>
>> The contents of the call’s log file is attached.
>>
>> In the log file there is the last bit that is sent before the disconnect :
>>
>> => Send SSL data, 5 bytes (0x5)
>> 0000: .....
>> * TLSv1.3 (OUT), TLS alert, decode error (562):
>>
>> Which I suspected that, because the java server has a certificate signed through a CA certificate that I generated,
>> Curl needs the option --cacert jettyhttpscerts/jettyhttpscertbundle.pem to tell it to use the certificate in the trust chain
>> That is coming from the server.
>>
>> If not it will throw the decode error. That was what was happening also before I put the —caret option.
>> But with the option I get the same error.
>> So I am not sure if its related to the server certificate being generated by me.
>>
>> Could anyone shed some light into this ?
>
> It sounds like (to me) the server at localhost:9433 is _not_ serving pages over TLS. The TLS handshake is not occuring, and ASCII data from http is being served. Can you connect to localhost:9433 using https with a browser?
>
> Jeff
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2026-02-19