curl-library
Re: Unknown SSL protocol error in connection
Date: Mon, 24 Nov 2008 17:15:27 -0800
OK I sorted out the issue with SSL and now I get a proper failure.
command line:
--trace-ascii -k --cacert /app_home/mycert.pem --url
https://www.fortify.net/sslcheck.html
TTY:
------------------------------------------------------
== Info: Trying 64.202.169.234... == Info: connected
== Info: Connected to www.fortify.net (64.202.169.234) port 443 (#0)
== Info: libcurl is now using a weak random seed!
== Info: successfully set certificate verify locations:
== Info: CAfile: /app_home/mycert.pem
CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 83 bytes (0x53)
0000: ...O..D...59.(..F.....I.dPE..H.b.'d.....(.9.8.5.......3.2./.....
0040: ...................
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 74 bytes (0x4a)
0000: ...F..I+P...F.}.V.3{H...n..J...."J..}. bBnP...A8R_.H...>...F.[..
0040: Q.1.....9.
== Info: SSLv3, TLS handshake, CERT (11):
<= Recv SSL data, 3788 bytes (0xecc)
0000: ..........0...0............,:0...*.H........0..1.0...U....US1.0.
0040: ..U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1
0080: 301..U...*http://certificates.godaddy.com/repository100...U...'G
00c0: o Daddy Secure Certification Authority1.0...U....079692870...081
0100: 123033003Z..100104061709Z0W1.0...U....www.fortify.net1.0...U....
0140: www.fortify.net1!0...U....Domain Control Validated0..0...*.H....
0180: ........0............%:...q..H..k.......^'. .w..ur04............
01c0: 1.AJf..........g.....g.....o."........>X.S...4B.4.........4...0.
0200: .Y.vE.G..s"c"...........0...0...U.......0....0...U.%..0...+.....
0240: ....+.......0...U...........02..U...+0)0'.%.#.!http://crl.godadd
0280: y.com/gds1-0.crl0S..U. .L0J0H..`.H...m....0907..+........+http:/
02c0: /certificates.godaddy.com/repository/0....+........t0r0$..+.....
0300: 0...http://ocsp.godaddy.com/0J..+.....0..>http://certificates.go
0340: daddy.com/repository/gd_intermediate.crt0...U.#..0.....a2.lE....
0380: _...v.h..0'..U... 0...www.fortify.net..fortify.net0...U.......X.
03c0: >...3..9.....[..C0...*.H..............P(...U....%.%+..up......,.
0400: .b1O..NUKo..d8.{*.L...a...vhF..M.f..^.o9w....#.>|.d.,...8....`..
0440: .....P..Le......Yq.eD.E.R....;=.`..@.|..H.7-"\?. ;._.s...y..%...
0480: ...5.I.U.......!HIKb}...>"..]...M.....6.\~T,..u1b..<...|.!Y..c..
04c0: ..6......d.K.zde..@[...............vt...0...0............0...*.H
0500: ........0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..
0540: U...(Go Daddy Class 2 Certification Authority0...061116015437Z..
0580: 261116015437Z0..1.0...U....US1.0...U....Arizona1.0...U....Scotts
05c0: dale1.0...U....GoDaddy.com, Inc.1301..U...*http://certificates.g
0600: odaddy.com/repository100...U...'Go Daddy Secure Certification Au
0640: thority1.0...U....079692870.."0...*.H.............0.........-...
0680: .&L.25._.Y.Z.a.Y;pc...=.*..3.y.:.<0#...0.....=.T......%.!.e)~5..
06c0: T...29.&U.....X.......*..B...?.......R.if....].,f..k...QJ./H..u.
0700: .)...fm.....x|........z....%.....enj..DSp0...+X+=.tJ..Q....L'Xk.
0740: 5....1......6.....:.%..I...g.E....9.6..~.7...q..t0.....?..O.....
0780: ...20...0...U........a2.lE...._...v.h..0...U.#..0.........L.q.a.
07c0: =....j..0...U.......0.......03..+........'0%0#..+.....0...http:/
0800: /ocsp.godaddy.com0F..U...?0=0;.9.7.5http://certificates.godaddy.
0840: com/repository/gdroot.crl0K..U. .D0B0@..U. .0806..+........*http
0880: ://certificates.godaddy.com/repository0...U...........0...*.H...
08c0: ..................g.f...:.P..r.Jt.S.7.DI...k3....V..0.<.2!{....$
0900: ...F.%#..g...o.]{z...X*...!.Z...F...c./..))..r,).7.'.O.h.!......
0940: ....S....Y..;...$I.....H..E.:6o.E.E.A...DN>.tv...U,.........u..
0980: ..L..n..=..q...Q@"(I..K..4.....Z..6d.5oown...P.^..S..#c.......c:
09c0: ..h...5.S....0...0..d.........0...*.H........0..1$0"..U....ValiC
0a00: ert Validation Network1.0...U....ValiCert, Inc.1503..U...,ValiCe
0a40: rt Class 2 Policy Validation Authority1!0...U....http://www.vali
0a80: cert.com/1 0...*.H........info_at_valicert.com0...040629170620Z..24
0ac0: 0629170620Z0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110
0b00: /..U...(Go Daddy Class 2 Certification Authority0.. 0...*.H.....
0b40: ........0............W.I.[.._H.......g..eh.Wq.^w...I.p.=V.c.o...
0b80: .?.T"T......u=K.w.>x.... k/j+...~......E'o.7X..&..-.....r6N..?
0bc0: e...*n]............:.....-..._.=.....\.e8.E...``t.A.rb.b..o_.B.
0c00: .Qe..#.j.x..M....Z..@........^s..w...y....g.....X.D{.>b(_.A.SX.
0c40: .~8t....i...t...........0...0...U............L.q.a.=....j..0....
0c80: U.#...0........0..1$0"..U....ValiCert Validation Network1.0...U.
0cc0: ...ValiCert, Inc.1503..U...,ValiCert Class 2 Policy Validation A
0d00: uthority1!0...U....http://www.valicert.com/1 0...*.H........info
0d40: @valicert.com...0...U.......0....03..+........'0%0#..+.....0...h
0d80: ttp://ocsp.godaddy.com0D..U...=0;09.7.5.3http://certificates.god
0dc0: addy.com/repository/root.crl0K..U. .D0B0@..U. .0806..+........*h
0e00: ttp://certificates.godaddy.com/repository0...U...........0...*.H
0e40: .............@........BZD....F.........X....W.q,H...y...5..N.X..
0e80: ...........xD.....vze..m.......G>q.wK..w..Vk.K.....#.Q..L.5.F~9.
0ec0: u...)..9.OUg
== Info: SSLv3, TLS alert, Server hello (2):
=> Send SSL data, 2 bytes (0x2)
0000: .0
== Info: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
== Info: Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
------------------------------------------------------
So exactly what do I need to do to test this? This is definitely something
I'll have to post at the OpenSSL forums, but I was hoping (with my
ignorance of SSL) someone might be able to give me some pointers without me
having to post to the OpenSSL people asking something completely ignorant. :)
Thanks for your time.
--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692
From: Jeff Curley/SDPD/SCEA@Playstation
Sent by: curl-library-bounces_at_cool.haxx.se
To: libcurl development <curl-library_at_cool.haxx.se>
cc: Nate Wiger/SDPD/SCEA_at_Playstation
Subject: Re: Unknown SSL protocol error in connection
Date: 11/24/2008 04:09 PM
Please respond to: libcurl development <curl-library_at_cool.haxx.se>
Answering my own question: I found that I hadn't properly handled the
OpenSSL sockets to catch EAGAIN and other errors specific to CellOS. So
basically, if there isn't data to read on the next call it would fail.
Might have been causing both issues; it was definitely causing the issue with
the break point.
--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692
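The failure mode in the reply above (a read that returns -1 with errno set to EAGAIN on a non-blocking socket being treated as a fatal error) is easy to reproduce on a plain pipe without any TLS at all. The following is an added example written for this archive page; it is not code from the thread, from libcurl or from OpenSSL, and it uses a pipe with O_NONBLOCK as a stand-in for the CellOS socket. read_naive shows the defect (any negative return aborts), read_retrying shows the fix (EAGAIN/EWOULDBLOCK and EINTR mean "wait and try again", while 0 means the peer closed and only other errno values are fatal). The "ClientHello" payload split into two writes is a constructed fixture.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Result codes shared by both readers. */
enum { RD_OK = 0, RD_TIMEOUT = -1, RD_EOF = -2, RD_ERROR = -3 };

/* The defect described in the post: every -1 from read() is treated as fatal,
 * so EAGAIN ("no data yet") on a non-blocking descriptor aborts the exchange. */
int read_naive(int fd, unsigned char *buf, size_t want, size_t *got)
{
    *got = 0;
    while (*got < want) {
        ssize_t n = read(fd, buf + *got, want - *got);
        if (n < 0) return RD_ERROR;   /* EAGAIN lands here too: wrong */
        if (n == 0) return RD_EOF;
        *got += (size_t)n;
    }
    return RD_OK;
}

/* Corrected loop: EAGAIN/EWOULDBLOCK means wait for readability (bounded by
 * timeout_ms per wait) and retry; EINTR means retry immediately; 0 means the
 * peer closed; anything else is a real error. *got always holds the byte
 * count actually read, so a caller can resume after RD_TIMEOUT. */
int read_retrying(int fd, unsigned char *buf, size_t want, size_t *got, int timeout_ms)
{
    *got = 0;
    while (*got < want) {
        ssize_t n = read(fd, buf + *got, want - *got);
        if (n > 0) { *got += (size_t)n; continue; }
        if (n == 0) return RD_EOF;
        if (errno == EINTR) continue;
        if (errno == EAGAIN || errno == EWOULDBLOCK) {
            struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
            int r = poll(&p, 1, timeout_ms);
            if (r == 0) return RD_TIMEOUT;            /* still nothing: report partial */
            if (r < 0 && errno != EINTR) return RD_ERROR;
            continue;                                  /* readable (or EINTR): retry */
        }
        return RD_ERROR;
    }
    return RD_OK;
}

/* Constructed fixture: a non-blocking pipe holding the first 6 of 11 bytes. */
static int make_fixture(int *rfd, int *wfd)
{
    int fds[2];
    if (pipe(fds) != 0) return 0;
    if (fcntl(fds[0], F_SETFL, fcntl(fds[0], F_GETFL) | O_NONBLOCK) != 0) return 0;
    if (write(fds[1], "Client", 6) != 6) return 0;
    *rfd = fds[0];
    *wfd = fds[1];
    return 1;
}

/* Naive reader gives up after 6 bytes even though the rest is on its way. */
int demo_naive_fails(void)
{
    int rfd, wfd;
    unsigned char buf[16];
    size_t got = 0;
    if (!make_fixture(&rfd, &wfd)) return 0;
    int rc = read_naive(rfd, buf, 11, &got);
    close(rfd);
    close(wfd);
    return rc == RD_ERROR && got == 6;
}

/* Retrying reader: short wait reports a timeout with the partial count, the
 * remaining bytes complete the message once they arrive, and a closed peer
 * is reported as EOF rather than as an error. */
int demo_retry_succeeds(void)
{
    int rfd, wfd;
    unsigned char buf[16], scratch[1];
    size_t got = 0, more = 0, none = 0;
    if (!make_fixture(&rfd, &wfd)) return 0;
    int rc = read_retrying(rfd, buf, 11, &got, 50);
    int ok = (rc == RD_TIMEOUT && got == 6);
    if (ok && write(wfd, "Hello", 5) != 5) ok = 0;
    if (ok) {
        rc = read_retrying(rfd, buf + got, 11 - got, &more, 50);
        ok = (rc == RD_OK && more == 5 && memcmp(buf, "ClientHello", 11) == 0);
    }
    close(wfd);                           /* peer closes: next read must be EOF */
    if (ok) ok = (read_retrying(rfd, scratch, 1, &none, 50) == RD_EOF);
    close(rfd);
    return ok;
}

int main(void)
{
    printf("naive reader aborts on EAGAIN: %s\n", demo_naive_fails() ? "yes" : "no");
    printf("retrying reader completes:     %s\n", demo_retry_succeeds() ? "yes" : "no");
    return 0;
}
```

The same shape applies one layer up when the descriptor is wrapped by OpenSSL: SSL_read/SSL_connect return a negative value and SSL_get_error reports SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, which should be handled exactly like EAGAIN here (wait for the socket, then call the same function again) rather than as a handshake failure.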
From: Jeff Curley/SDPD/SCEA@Playstation
Sent by: curl-library-bounces_at_cool.haxx.se
To: curl-library_at_cool.haxx.se
cc: Nate Wiger/SDPD/SCEA_at_Playstation
Subject: Unknown SSL protocol error in connection
Date: 11/24/2008 03:49 PM
Please respond to: libcurl development <curl-library_at_cool.haxx.se>
I'm new to OpenSSL, so I apologize if I ask something trivial of the list.
I have libcurl and OpenSSL built on the CellOS, but I'm having a problem when
I try to use SSL (normal HTTP works).
command line: --trace-ascii -k --cacert /app_home/mycert.pem --url
https://www.fortify.net/sslcheck.html
tty:
== Info: Trying 64.202.169.234... == Info: connected
== Info: Connected to www.fortify.net (64.202.169.234) port 443 (#0)
== Info: libcurl is now using a weak random seed!
== Info: successfully set certificate verify locations:
== Info: CAfile: /app_home/cakey.pem
CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 95 bytes (0x5f)
0000: ...[..D.s.......6..5W.7.b.....K..~)..\..4.9.8.5.............3.2.
0040: /.E.D.A........................
== Info: Unknown SSL protocol error in connection to www.fortify.net:443
== Info: Closing connection #0
curl: (35) Unknown SSL protocol error in connection to www.fortify.net:443
Additionally, I notice that if I set a break point in the function int
ssl23_connect(SSL *s)
I get different TTY output, as if there is a race condition in the process.
tty:
== Info: Trying 64.202.169.234... == Info: connected
== Info: Connected to www.fortify.net (64.202.169.234) port 443 (#0)
== Info: libcurl is now using a weak random seed!
== Info: successfully set certificate verify locations:
== Info: CAfile: /app_home/mycert.pem
CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 95 bytes (0x5f)
0000: ...[..D.tF...w....!.2......^...tJ..A....4.9.8.5.............3.2.
0040: /.E.D.A........................
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 74 bytes (0x4a)
0000: ...F..I+<x.N=!.......G+P.%{..U&u8.3... .Z*.Cr..sh.....R...c.....
0040: m.O~....9.
== Info: SSLv3, TLS handshake, CERT (11):
<= Recv SSL data, 3788 bytes (0xecc)
0000: ..........0...0............,:0...*.H........0..1.0...U....US1.0.
0040: ..U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1
0080: 301..U...*http://certificates.godaddy.com/repository100...U...'G
00c0: o Daddy Secure Certification Authority1.0...U....079692870...081
0100: 123033003Z..100104061709Z0W1.0...U....www.fortify.net1.0...U....
0140: www.fortify.net1!0...U....Domain Control Validated0..0...*.H....
0180: ........0............%:...q..H..k.......^'. .w..ur04............
01c0: 1.AJf..........g.....g.....o."........>X.S...4B.4.........4...0.
0200: .Y.vE.G..s"c"...........0...0...U.......0....0...U.%..0...+.....
0240: ....+.......0...U...........02..U...+0)0'.%.#.!http://crl.godadd
0280: y.com/gds1-0.crl0S..U. .L0J0H..`.H...m....0907..+........+http:/
02c0: /certificates.godaddy.com/repository/0....+........t0r0$..+.....
0300: 0...http://ocsp.godaddy.com/0J..+.....0..>http://certificates.go
0340: daddy.com/repository/gd_intermediate.crt0...U.#..0.....a2.lE....
0380: _...v.h..0'..U... 0...www.fortify.net..fortify.net0...U.......X.
03c0: >...3..9.....[..C0...*.H..............P(...U....%.%+..up......,.
0400: .b1O..NUKo..d8.{*.L...a...vhF..M.f..^.o9w....#.>|.d.,...8....`..
0440: .....P..Le......Yq.eD.E.R....;=.`..@.|..H.7-"\?. ;._.s...y..%...
0480: ...5.I.U.......!HIKb}...>"..]...M.....6.\~T,..u1b..<...|.!Y..c..
04c0: ..6......d.K.zde..@[...............vt...0...0............0...*.H
0500: ........0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..
0540: U...(Go Daddy Class 2 Certification Authority0...061116015437Z..
0580: 261116015437Z0..1.0...U....US1.0...U....Arizona1.0...U....Scotts
05c0: dale1.0...U....GoDaddy.com, Inc.1301..U...*http://certificates.g
0600: odaddy.com/repository100...U...'Go Daddy Secure Certification Au
0640: thority1.0...U....079692870.."0...*.H.............0.........-...
0680: .&L.25._.Y.Z.a.Y;pc...=.*..3.y.:.<0#...0.....=.T......%.!.e)~5..
06c0: T...29.&U.....X.......*..B...?.......R.if....].,f..k...QJ./H..u.
0700: .)...fm.....x|........z....%.....enj..DSp0...+X+=.tJ..Q....L'Xk.
0740: 5....1......6.....:.%..I...g.E....9.6..~.7...q..t0.....?..O.....
0780: ...20...0...U........a2.lE...._...v.h..0...U.#..0.........L.q.a.
07c0: =....j..0...U.......0.......03..+........'0%0#..+.....0...http:/
0800: /ocsp.godaddy.com0F..U...?0=0;.9.7.5http://certificates.godaddy.
0840: com/repository/gdroot.crl0K..U. .D0B0@..U. .0806..+........*http
0880: ://certificates.godaddy.com/repository0...U...........0...*.H...
08c0: ..................g.f...:.P..r.Jt.S.7.DI...k3....V..0.<.2!{....$
0900: ...F.%#..g...o.]{z...X*...!.Z...F...c./..))..r,).7.'.O.h.!......
0940: ....S....Y..;...$I.....H..E.:6o.E.E.A...DN>.tv...U,.........u..
0980: ..L..n..=..q...Q@"(I..K..4.....Z..6d.5oown...P.^..S..#c.......c:
09c0: ..h...5.S....0...0..d.........0...*.H........0..1$0"..U....ValiC
0a00: ert Validation Network1.0...U....ValiCert, Inc.1503..U...,ValiCe
0a40: rt Class 2 Policy Validation Authority1!0...U....http://www.vali
0a80: cert.com/1 0...*.H........info_at_valicert.com0...040629170620Z..24
0ac0: 0629170620Z0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110
0b00: /..U...(Go Daddy Class 2 Certification Authority0.. 0...*.H.....
0b40: ........0............W.I.[.._H.......g..eh.Wq.^w...I.p.=V.c.o...
0b80: .?.T"T......u=K.w.>x.... k/j+...~......E'o.7X..&..-.....r6N..?
0bc0: e...*n]............:.....-..._.=.....\.e8.E...``t.A.rb.b..o_.B.
0c00: .Qe..#.j.x..M....Z..@........^s..w...y....g.....X.D{.>b(_.A.SX.
0c40: .~8t....i...t...........0...0...U............L.q.a.=....j..0....
0c80: U.#...0........0..1$0"..U....ValiCert Validation Network1.0...U.
0cc0: ...ValiCert, Inc.1503..U...,ValiCert Class 2 Policy Validation A
0d00: uthority1!0...U....http://www.valicert.com/1 0...*.H........info
0d40: @valicert.com...0...U.......0....03..+........'0%0#..+.....0...h
0d80: ttp://ocsp.godaddy.com0D..U...=0;09.7.5.3http://certificates.god
0dc0: addy.com/repository/root.crl0K..U. .D0B0@..U. .0806..+........*h
0e00: ttp://certificates.godaddy.com/repository0...U...........0...*.H
0e40: .............@........BZD....F.........X....W.q,H...y...5..N.X..
0e80: ...........xD.....vze..m.......G>q.wK..w..Vk.K.....#.Q..L.5.F~9.
0ec0: u...)..9.OUg
== Info: SSLv3, TLS alert, Server hello (2):
=> Send SSL data, 2 bytes (0x2)
0000: .0
== Info: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
== Info: Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
The certificate I am using I generated with openssl by following these
directions:
http://www.madboa.com/geek/openssl/#cert-self
So although it is self-signed, I am under the impression the client should
be OK with this and should be able to continue.
So it looks like I am dealing with 2 issues.
1) the obvious failure of SSL connections
2) a strange race condition that I assume (because I'm not threading
anything) is happening due to non blocking IO on the sockets?
Any help is greatly appreciated.
--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692
Received on 2008-11-25