cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Unknown SSL protocol error in connection

From: <Jeff_Curley_at_playstation.sony.com>
Date: Mon, 24 Nov 2008 17:38:20 -0800

OK well I figured out that I can't use simply --insecure or simply -k but I
have to use them both.

cmd line:
--trace-ascii --insecure --cacert /app_home/mycert.pem --url
https://www.bankofamerica.com

gives me:
== Info: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
== Info: Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
More details here: http://curl.haxx.se/docs/sslcerts.html

cmd line:
--trace-ascii -k --cacert /app_home/mycert.pem --url
https://www.bankofamerica.com

give me:
== Info: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
== Info: Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
More details here: http://curl.haxx.se/docs/sslcerts.html

but using cmd line:
--trace-ascii -k --insecure --cacert /app_home/mycert.pem --url
https://www.bankofamerica.com

works! Weird ... bug?

--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692

             Jeff
             Curley/SDPD/SCEA@
             Playstation To
             Sent by: libcurl development
             curl-library-boun <curl-library_at_cool.haxx.se>
             ces_at_cool.haxx.se cc
                                       Nate Wiger/SDPD/SCEA_at_Playstation,
                                       libcurl development
             11/24/2008 05:15 <curl-library_at_cool.haxx.se>,
             PM curl-library-bounces_at_cool.haxx.se
                                                                   Subject
                                       Re: Unknown SSL protocol error in
             Please respond to connection
                  libcurl
                development
             <curl-library_at_coo
                l.haxx.se>

OK I sorted out the issue with SSL and now I get a proper failure.

command line:
--trace-ascii -k --cacert /app_home/mycert.pem --url
https://www.fortify.net/sslcheck.html

TTY:
------------------------------------------------------
= Info: Trying 64.202.169.234... == Info: connected
== Info: Connected to www.fortify.net (64.202.169.234) port 443 (#0)
== Info: libcurl is now using a weak random seed!
== Info: successfully set certificate verify locations:
== Info: CAfile: /app_home/mycert.pem
CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 83 bytes (0x53)
0000: ...O..D...59.(..F.....I.dPE..H.b.'d.....(.9.8.5.......3.2./.....
0040: ...................
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 74 bytes (0x4a)
0000: ...F..I+P...F.}.V.3{H...n..J...."J..}. bBnP...A8R_.H...>...F.[..
0040: Q.1.....9.
== Info: SSLv3, TLS handshake, CERT (11):
<= Recv SSL data, 3788 bytes (0xecc)
0000: ..........0...0............,:0...*.H........0..1.0...U....US1.0.
0040: ..U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1
0080: 301..U...*http://certificates.godaddy.com/repository100...U...'G
00c0: o Daddy Secure Certification Authority1.0...U....079692870...081
0100: 123033003Z..100104061709Z0W1.0...U....www.fortify.net1.0...U....
0140: www.fortify.net1!0...U....Domain Control Validated0..0...*.H....
0180: ........0............%:...q..H..k.......^'. .w..ur04............
01c0: 1.AJf..........g.....g.....o."........>X.S...4B.4.........4...0.
0200: .Y.vE.G..s"c"...........0...0...U.......0....0...U.%..0...+.....
0240: ....+.......0...U...........02..U...+0)0'.%.#.!http://crl.godadd
0280: y.com/gds1-0.crl0S..U. .L0J0H..`.H...m....0907..+........+http:/
02c0: /certificates.godaddy.com/repository/0....+........t0r0$..+.....
0300: 0...http://ocsp.godaddy.com/0J..+.....0..>http://certificates.go
0340: daddy.com/repository/gd_intermediate.crt0...U.#..0.....a2.lE....
0380: _...v.h..0'..U... 0...www.fortify.net..fortify.net0...U.......X.
03c0: >...3..9.....[..C0...*.H..............P(...U....%.%+..up......,.
0400: .b1O..NUKo..d8.{*.L...a...vhF..M.f..^.o9w....#.>|.d.,...8....`..
0440: .....P..Le......Yq.eD.E.R....;=.`..@.|..H.7-"\?. ;._.s...y..%...
0480: ...5.I.U.......!HIKb}...>"..]...M.....6.\~T,..u1b..<...|.!Y..c..
04c0: ..6......d.K.zde..@[...............vt...0...0............0...*.H
0500: ........0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..
0540: U...(Go Daddy Class 2 Certification Authority0...061116015437Z..
0580: 261116015437Z0..1.0...U....US1.0...U....Arizona1.0...U....Scotts
05c0: dale1.0...U....GoDaddy.com, Inc.1301..U...*http://certificates.g
0600: odaddy.com/repository100...U...'Go Daddy Secure Certification Au
0640: thority1.0...U....079692870.."0...*.H.............0.........-...
0680: .&L.25._.Y.Z.a.Y;pc...=.*..3.y.:.<0#...0.....=.T......%.!.e)~5..
06c0: T...29.&U.....X.......*..B...?.......R.if....].,f..k...QJ./H..u.
0700: .)...fm.....x|........z....%.....enj..DSp0...+X+=.tJ..Q....L'Xk.
0740: 5....1......6.....:.%..I...g.E....9.6..~.7...q..t0.....?..O.....
0780: ...20...0...U........a2.lE...._...v.h..0...U.#..0.........L.q.a.
07c0: =....j..0...U.......0.......03..+........'0%0#..+.....0...http:/
0800: /ocsp.godaddy.com0F..U...?0=0;.9.7.5http://certificates.godaddy.
0840: com/repository/gdroot.crl0K..U. .D0B0@..U. .0806..+........*http
0880: ://certificates.godaddy.com/repository0...U...........0...*.H...
08c0: ..................g.f...:.P..r.Jt.S.7.DI...k3....V..0.<.2!{....$
0900: ...F.%#..g...o.]{z...X*...!.Z...F...c./..))..r,).7.'.O.h.!......
0940: ....S....Y..;...$I.....H..E.:6o.E.E.A...DN>.tv...U,.........u..
0980: ..L..n..=..q...Q@"(I..K..4.....Z..6d.5oown...P.^..S..#c.......c:
09c0: ..h...5.S....0...0..d.........0...*.H........0..1$0"..U....ValiC
0a00: ert Validation Network1.0...U....ValiCert, Inc.1503..U...,ValiCe
0a40: rt Class 2 Policy Validation Authority1!0...U....http://www.vali
0a80: cert.com/1 0...*.H........info_at_valicert.com0...040629170620Z..24
0ac0: 0629170620Z0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110
0b00: /..U...(Go Daddy Class 2 Certification Authority0.. 0...*.H.....
0b40: ........0............W.I.[.._H.......g..eh.Wq.^w...I.p.=V.c.o...
0b80: .?.T"T......u=K.w.>x.... k/j+...~......E'o.7X..&..-.....r6N..?
0bc0: e...*n]............:.....-..._.=.....\.e8.E...``t.A.rb.b..o_.B.
0c00: .Qe..#.j.x..M....Z..@........^s..w...y....g.....X.D{.>b(_.A.SX.
0c40: .~8t....i...t...........0...0...U............L.q.a.=....j..0....
0c80: U.#...0........0..1$0"..U....ValiCert Validation Network1.0...U.
0cc0: ...ValiCert, Inc.1503..U...,ValiCert Class 2 Policy Validation A
0d00: uthority1!0...U....http://www.valicert.com/1 0...*.H........info
0d40: @valicert.com...0...U.......0....03..+........'0%0#..+.....0...h
0d80: ttp://ocsp.godaddy.com0D..U...=0;09.7.5.3http://certificates.god
0dc0: addy.com/repository/root.crl0K..U. .D0B0@..U. .0806..+........*h
0e00: ttp://certificates.godaddy.com/repository0...U...........0...*.H
0e40: .............@........BZD....F.........X....W.q,H...y...5..N.X..
0e80: ...........xD.....vze..m.......G>q.wK..w..Vk.K.....#.Q..L.5.F~9.
0ec0: u...)..9.OUg
== Info: SSLv3, TLS alert, Server hello (2):
=> Send SSL data, 2 bytes (0x2)
0000: .0
== Info: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
== Info: Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
------------------------------------------------------

so exactly what do I need to do to test this? This is definitely something
I'll have to post at the OpenSSL forums, but I was hoping (with my
ignorance of SSL) someone might be able to give me some pointers without me
having to post to the OpenSSL people asking something completely ignorant.
:)

Thanks for your time.

--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692

             Please respond to
                  libcurl
                development
             <curl-library_at_coo
                l.haxx.se>

Answering my own question I found that I hadn't properly handled the
OpenSSL sockets to catch EAGAIN and other errors specific to CellOS. So
basically if there isn't data to read on teh next call it would fail.

Might have been causing both issues, definitely was causing the issue with
the break point.

--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692

             Jeff
             Curley/SDPD/SCEA@
             Playstation To
             Sent by: curl-library_at_cool.haxx.se
             curl-library-boun cc
             ces_at_cool.haxx.se Nate Wiger/SDPD/SCEA_at_Playstation
                                                                   Subject
                                       Unknown SSL protocol error in
             11/24/2008 03:49 connection
             PM

             Please respond to
                  libcurl
                development
             <curl-library_at_coo
                l.haxx.se>

I'm new to OpenSLL so I apologize if I ask something trivial of the list.

I have libcurl and OpenSSL built on the CellOS but I'm having problem when
I try to use SSL (normal HTTP works).

command line: --trace-ascii -k --cacert /app_home/mycert.pem --url
https://www.fortify.net/sslcheck.html

tty:
== Info: Trying 64.202.169.234... == Info: connected
== Info: Connected to www.fortify.net (64.202.169.234) port 443 (#0)
== Info: libcurl is now using a weak random seed!
== Info: successfully set certificate verify locations:
== Info: CAfile: /app_home/cakey.pem
CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 95 bytes (0x5f)
0000: ...[..D.s.......6..5W.7.b.....K..~)..\..4.9.8.5.............3.2.
0040: /.E.D.A........................
== Info: Unknown SSL protocol error in connection to www.fortify.net:443
== Info: Closing connection #0
curl: (35) Unknown SSL protocol error in connection to www.fortify.net:443

additionally, I notice if I set a break point the function int
ssl23_connect(SSL *s)

I get different TTY as if there is a race condition in the process
tty:
== Info: Trying 64.202.169.234... == Info: connected
== Info: Connected to www.fortify.net (64.202.169.234) port 443 (#0)
== Info: libcurl is now using a weak random seed!
== Info: successfully set certificate verify locations:
== Info: CAfile: /app_home/mycert.pem
CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 95 bytes (0x5f)
0000: ...[..D.tF...w....!.2......^...tJ..A....4.9.8.5.............3.2.
0040: /.E.D.A........................
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 74 bytes (0x4a)
0000: ...F..I+<x.N=!.......G+P.%{..U&u8.3... .Z*.Cr..sh.....R...c.....
0040: m.O~....9.
== Info: SSLv3, TLS handshake, CERT (11):
<= Recv SSL data, 3788 bytes (0xecc)
0000: ..........0...0............,:0...*.H........0..1.0...U....US1.0.
0040: ..U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1
0080: 301..U...*http://certificates.godaddy.com/repository100...U...'G
00c0: o Daddy Secure Certification Authority1.0...U....079692870...081
0100: 123033003Z..100104061709Z0W1.0...U....www.fortify.net1.0...U....
0140: www.fortify.net1!0...U....Domain Control Validated0..0...*.H....
0180: ........0............%:...q..H..k.......^'. .w..ur04............
01c0: 1.AJf..........g.....g.....o."........>X.S...4B.4.........4...0.
0200: .Y.vE.G..s"c"...........0...0...U.......0....0...U.%..0...+.....
0240: ....+.......0...U...........02..U...+0)0'.%.#.!http://crl.godadd
0280: y.com/gds1-0.crl0S..U. .L0J0H..`.H...m....0907..+........+http:/
02c0: /certificates.godaddy.com/repository/0....+........t0r0$..+.....
0300: 0...http://ocsp.godaddy.com/0J..+.....0..>http://certificates.go
0340: daddy.com/repository/gd_intermediate.crt0...U.#..0.....a2.lE....
0380: _...v.h..0'..U... 0...www.fortify.net..fortify.net0...U.......X.
03c0: >...3..9.....[..C0...*.H..............P(...U....%.%+..up......,.
0400: .b1O..NUKo..d8.{*.L...a...vhF..M.f..^.o9w....#.>|.d.,...8....`..
0440: .....P..Le......Yq.eD.E.R....;=.`..@.|..H.7-"\?. ;._.s...y..%...
0480: ...5.I.U.......!HIKb}...>"..]...M.....6.\~T,..u1b..<...|.!Y..c..
04c0: ..6......d.K.zde..@[...............vt...0...0............0...*.H
0500: ........0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..
0540: U...(Go Daddy Class 2 Certification Authority0...061116015437Z..
0580: 261116015437Z0..1.0...U....US1.0...U....Arizona1.0...U....Scotts
05c0: dale1.0...U....GoDaddy.com, Inc.1301..U...*http://certificates.g
0600: odaddy.com/repository100...U...'Go Daddy Secure Certification Au
0640: thority1.0...U....079692870.."0...*.H.............0.........-...
0680: .&L.25._.Y.Z.a.Y;pc...=.*..3.y.:.<0#...0.....=.T......%.!.e)~5..
06c0: T...29.&U.....X.......*..B...?.......R.if....].,f..k...QJ./H..u.
0700: .)...fm.....x|........z....%.....enj..DSp0...+X+=.tJ..Q....L'Xk.
0740: 5....1......6.....:.%..I...g.E....9.6..~.7...q..t0.....?..O.....
0780: ...20...0...U........a2.lE...._...v.h..0...U.#..0.........L.q.a.
07c0: =....j..0...U.......0.......03..+........'0%0#..+.....0...http:/
0800: /ocsp.godaddy.com0F..U...?0=0;.9.7.5http://certificates.godaddy.
0840: com/repository/gdroot.crl0K..U. .D0B0@..U. .0806..+........*http
0880: ://certificates.godaddy.com/repository0...U...........0...*.H...
08c0: ..................g.f...:.P..r.Jt.S.7.DI...k3....V..0.<.2!{....$
0900: ...F.%#..g...o.]{z...X*...!.Z...F...c./..))..r,).7.'.O.h.!......
0940: ....S....Y..;...$I.....H..E.:6o.E.E.A...DN>.tv...U,.........u..
0980: ..L..n..=..q...Q@"(I..K..4.....Z..6d.5oown...P.^..S..#c.......c:
09c0: ..h...5.S....0...0..d.........0...*.H........0..1$0"..U....ValiC
0a00: ert Validation Network1.0...U....ValiCert, Inc.1503..U...,ValiCe
0a40: rt Class 2 Policy Validation Authority1!0...U....http://www.vali
0a80: cert.com/1 0...*.H........info_at_valicert.com0...040629170620Z..24
0ac0: 0629170620Z0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110
0b00: /..U...(Go Daddy Class 2 Certification Authority0.. 0...*.H.....
0b40: ........0............W.I.[.._H.......g..eh.Wq.^w...I.p.=V.c.o...
0b80: .?.T"T......u=K.w.>x.... k/j+...~......E'o.7X..&..-.....r6N..?
0bc0: e...*n]............:.....-..._.=.....\.e8.E...``t.A.rb.b..o_.B.
0c00: .Qe..#.j.x..M....Z..@........^s..w...y....g.....X.D{.>b(_.A.SX.
0c40: .~8t....i...t...........0...0...U............L.q.a.=....j..0....
0c80: U.#...0........0..1$0"..U....ValiCert Validation Network1.0...U.
0cc0: ...ValiCert, Inc.1503..U...,ValiCert Class 2 Policy Validation A
0d00: uthority1!0...U....http://www.valicert.com/1 0...*.H........info
0d40: @valicert.com...0...U.......0....03..+........'0%0#..+.....0...h
0d80: ttp://ocsp.godaddy.com0D..U...=0;09.7.5.3http://certificates.god
0dc0: addy.com/repository/root.crl0K..U. .D0B0@..U. .0806..+........*h
0e00: ttp://certificates.godaddy.com/repository0...U...........0...*.H
0e40: .............@........BZD....F.........X....W.q,H...y...5..N.X..
0e80: ...........xD.....vze..m.......G>q.wK..w..Vk.K.....#.Q..L.5.F~9.
0ec0: u...)..9.OUg
== Info: SSLv3, TLS alert, Server hello (2):
=> Send SSL data, 2 bytes (0x2)
0000: .0
== Info: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
== Info: Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
More details here: http://curl.haxx.se/docs/sslcerts.html

The certificate I am using I generated with openssl by following these
directions:
http://www.madboa.com/geek/openssl/#cert-self

so although it is self signed, I am under the impression the client should
be OK with this and should be able to continue.

So it looks like I am dealing with 2 issues.
1) the obvious failure of SSL connections
2) a strange race condition that I assume (because I'm not threading
anything) is happening due to non blocking IO on the sockets?

Any help is greatly appreciated.

--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692
Received on 2008-11-25

This message: [ Message body ]
Next message: Brian Dessent: "Re: Unknown SSL protocol error in connection"
Previous message: Jeff_Curley_at_playstation.sony.com: "Re: Unknown SSL protocol error in connection"
In reply to: Jeff_Curley_at_playstation.sony.com: "Re: Unknown SSL protocol error in connection"
Next in thread: Brian Dessent: "Re: Unknown SSL protocol error in connection"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]