
curl-library

Re: Unknown SSL protocol error in connection

From: <Jeff_Curley_at_playstation.sony.com>
Date: Mon, 24 Nov 2008 17:15:27 -0800

OK I sorted out the issue with SSL and now I get a proper failure.

command line:
--trace-ascii -k --cacert /app_home/mycert.pem --url
https://www.fortify.net/sslcheck.html

TTY:
------------------------------------------------------
== Info: Trying 64.202.169.234...
== Info: connected
== Info: Connected to www.fortify.net (64.202.169.234) port 443 (#0)
== Info: libcurl is now using a weak random seed!
== Info: successfully set certificate verify locations:
== Info: CAfile: /app_home/mycert.pem
  CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 83 bytes (0x53)
0000: ...O..D...59.(..F.....I.dPE..H.b.'d.....(.9.8.5.......3.2./.....
0040: ...................
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 74 bytes (0x4a)
0000: ...F..I+P...F.}.V.3{H...n..J...."J..}. bBnP...A8R_.H...>...F.[..
0040: Q.1.....9.
== Info: SSLv3, TLS handshake, CERT (11):
<= Recv SSL data, 3788 bytes (0xecc)
== Info: SSLv3, TLS alert, Server hello (2):
=> Send SSL data, 2 bytes (0x2)
0000: .0
== Info: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
== Info: Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
------------------------------------------------------

So exactly what do I need to do to test this? This is definitely something
I'll have to post at the OpenSSL forums, but I was hoping (with my
ignorance of SSL) someone might be able to give me some pointers without me
having to post to the OpenSSL people asking something completely ignorant.
:)

Thanks for your time.

--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692

Jeff Curley/SDPD/SCEA@Playstation
Sent by: curl-library-bounces_at_cool.haxx.se
To: libcurl development <curl-library_at_cool.haxx.se>
cc: Nate Wiger/SDPD/SCEA_at_Playstation
Date: 11/24/2008 04:09 PM
Subject: Re: Unknown SSL protocol error in connection
Please respond to libcurl development <curl-library_at_cool.haxx.se>

Answering my own question, I found that I hadn't properly handled the
OpenSSL sockets to catch EAGAIN and other errors specific to CellOS. So
basically, if there isn't data to read on the next call it would fail.

Might have been causing both issues, definitely was causing the issue with
the break point.

--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692

Jeff Curley/SDPD/SCEA@Playstation
Sent by: curl-library-bounces_at_cool.haxx.se
To: curl-library_at_cool.haxx.se
cc: Nate Wiger/SDPD/SCEA_at_Playstation
Date: 11/24/2008 03:49 PM
Subject: Unknown SSL protocol error in connection
Please respond to libcurl development <curl-library_at_cool.haxx.se>

I'm new to OpenSSL, so I apologize if I ask something trivial of the list.

I have libcurl and OpenSSL built on the CellOS, but I'm having a problem when
I try to use SSL (normal HTTP works).

command line: --trace-ascii -k --cacert /app_home/mycert.pem --url
https://www.fortify.net/sslcheck.html

tty:
== Info: Trying 64.202.169.234...
== Info: connected
== Info: Connected to www.fortify.net (64.202.169.234) port 443 (#0)
== Info: libcurl is now using a weak random seed!
== Info: successfully set certificate verify locations:
== Info: CAfile: /app_home/cakey.pem
  CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 95 bytes (0x5f)
0000: ...[..D.s.......6..5W.7.b.....K..~)..\..4.9.8.5.............3.2.
0040: /.E.D.A........................
== Info: Unknown SSL protocol error in connection to www.fortify.net:443
== Info: Closing connection #0
curl: (35) Unknown SSL protocol error in connection to www.fortify.net:443

Additionally, I notice that if I set a break point in the function int
ssl23_connect(SSL *s)

I get a different TTY, as if there is a race condition in the process.
tty:
== Info: Trying 64.202.169.234...
== Info: connected
== Info: Connected to www.fortify.net (64.202.169.234) port 443 (#0)
== Info: libcurl is now using a weak random seed!
== Info: successfully set certificate verify locations:
== Info: CAfile: /app_home/mycert.pem
  CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 95 bytes (0x5f)
0000: ...[..D.tF...w....!.2......^...tJ..A....4.9.8.5.............3.2.
0040: /.E.D.A........................
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 74 bytes (0x4a)
0000: ...F..I+<x.N=!.......G+P.%{..U&u8.3... .Z*.Cr..sh.....R...c.....
0040: m.O~....9.
== Info: SSLv3, TLS handshake, CERT (11):
<= Recv SSL data, 3788 bytes (0xecc)
== Info: SSLv3, TLS alert, Server hello (2):
=> Send SSL data, 2 bytes (0x2)
0000: .0
== Info: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
== Info: Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

The certificate I am using I generated with openssl by following these
directions:
http://www.madboa.com/geek/openssl/#cert-self

So although it is self-signed, I am under the impression the client should
be OK with this and should be able to continue.

So it looks like I am dealing with 2 issues.
1) the obvious failure of SSL connections
2) a strange race condition that I assume (because I'm not threading
anything) is happening due to non blocking IO on the sockets?

Any help is greatly appreciated.

--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692
Received on 2008-11-25
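As an added illustration (not code from the thread; written in Python so it runs offline with the same OpenSSL semantics as the CellOS build), the block below drives a TLS handshake through in-memory BIOs, treating want-read as "call again once the peer's bytes arrive" rather than as a failure (the EAGAIN point in the reply), and then shows why an unrelated self-signed mycert.pem passed as the CA file cannot verify the server's chain, which is the error 60 in the trace. It assumes the openssl command-line tool is installed; the hostname and certificates are constructed test material.

```python
import os, ssl, subprocess, tempfile

HOST = "www.example.test"  # constructed stand-in for www.fortify.net

def make_self_signed(dirpath, name, cn):
    """Create a self-signed cert/key pair with the openssl CLI (constructed test material)."""
    key, crt = os.path.join(dirpath, name + ".key"), os.path.join(dirpath, name + ".pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + cn, "-addext", "subjectAltName=DNS:" + cn,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def handshake(client_ctx, server_ctx, hostname):
    """Drive a TLS handshake fully in memory; want-read/want-write means 'retry after pumping'."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    while pending:
        for obj in list(pending):
            try:
                obj.do_handshake()  # raises SSLCertVerificationError if the chain fails
                pending.remove(obj)
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass  # not an error: the peer's bytes have not arrived yet
        s_in.write(c_out.read())  # move client -> server bytes
        c_in.write(s_out.read())  # move server -> client bytes
    return client.version()

def verify_with(cafile, server_crt, server_key):
    """Return 'ok' or OpenSSL's verify reason when the client trusts only `cafile`."""
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.load_cert_chain(server_crt, server_key)
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    cctx.load_verify_locations(cafile)
    try:
        handshake(cctx, sctx, HOST)
        return "ok"
    except ssl.SSLCertVerificationError as e:
        return e.verify_message or str(e)

def demo():
    """Server's own cert as CA file verifies; an unrelated self-signed 'mycert' as CA file fails."""
    with tempfile.TemporaryDirectory() as d:
        server_crt, server_key = make_self_signed(d, "server", HOST)
        mycert, _ = make_self_signed(d, "mycert", "mycert.local")
        return (verify_with(server_crt, server_crt, server_key),
                verify_with(mycert, server_crt, server_key))
```

The second result is the same class of failure curl reports as (60): the presented chain does not lead to anything in the supplied CA file, so the fix is to trust the real issuer, not to disable verification with -k.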