
curl-library

curl 7.19.5 with GnuTLS/2.8.3 fails SSL (AES256-SHA) unless SSLv3 explicitly set

From: Octavius Gracchus <hucke_at_cynico.net>
Date: Sun, 20 Jun 2010 16:56:12 -0500

As a relative newcomer to curl, I had a bit of frustration today trying to
connect to api.constantcontact.com (a mailing list management service used by
one of my employers). No matter what options I set, the response length was
always zero, and nothing showed up in the error log. (I did successfully
connect to another HTTPS site, which led me to think it was something to do with
SSL version or cipher lists).

Eventually I found that a call to curl_setopt($c, CURLOPT_SSLVERSION, 3) is
required; after that it performs correctly.

Without this step I get (in curl_error()):
     GnuTLS recv error (-9): A TLS packet with unexpected length was received.

uname -a output: (on Ubuntu 9.10)
     Linux azathoth 2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 04:38:19 UTC 2010
     x86_64 GNU/Linux

php -v gives:
     PHP 5.2.8 (cli) (built: Apr 8 2010 13:01:28)

curl_version() output:
     [version_number] => 463621
     [age] => 3
     [features] => 1597
     [ssl_version_number] => 0 ## this is what caught my eye...
     [version] => 7.19.5
     [host] => x86_64-pc-linux-gnu
     [ssl_version] => GnuTLS/2.8.3
     [libz_version] => 1.2.3.3
     [protocols] => Array (
            [0] => tftp [1] => ftp [2] => telnet [3] => dict [4] => ldap
               [5] => ldaps [6] => http [7] => file [8] => https [9] => ftps
         )

suggested fix: if linked with GnuTLS, activate SSLv3 automatically.

Apologies if this has been discussed / fixed already, I joined this mailing list
only minutes ago.

== Test case #0 (control case) - using command-line curl -v (successfully) ==

[...]
* SSL connection using AES256-SHA
* Server certificate: [...]
* expire date: 2011-07-03 07:59:01 GMT
* common name: api.constantcontact.com (matched)
* issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
* SSL certificate verify ok.

== Test case #1 - no special setup; default CURLOPT_SSLVERSION ==

curl_error() gives:
     GnuTLS recv error (-9): A TLS packet with unexpected length was received.

Various CURLOPT_CIPHER_LIST permutations I tried, like SHA, AES256-SHA, eNULL...
all gave this same result. I even put some complete nonsense into CIPHER_LIST
once just to see if it would choke and complain, but the same error occurred.

curl_getinfo() reports:
     [url] => https://api.constantcontact.com/ws/customers/client-name/lists
     [content_type] => text/html;charset=utf-8
     [http_code] => 401
     [header_size] => 442
     [request_size] => 305
     [filetime] => -1
     [ssl_verify_result] => 0
     [redirect_count] => 1
     [total_time] => 0.802453
     [namelookup_time] => 6.4E-5
     [connect_time] => 0.04226
     [pretransfer_time] => 0.127979
     [size_upload] => 0
     [size_download] => 0
     [speed_download] => 0
     [speed_upload] => 0
     [download_content_length] => 1145
     [upload_content_length] => -1
     [starttransfer_time] => 0.315998
     [redirect_time] => 0.486443

== Test case #2 - setting SSLv2 ==
curl_setopt($c, CURLOPT_SSLVERSION, 2);
curl_error() reports: GnuTLS does not support SSLv2

== Test case #3 - setting SSLv3 ==
curl_setopt($c, CURLOPT_SSLVERSION, 3);
SUCCESS: curl_getinfo() reports:
     [content_type] => application/atom+xml;charset=UTF-8
     [http_code] => 200
     [size_download] => 10089
        etc.

-- 
Matt Hucke (hucke_at_cynico.net), programmer.
Graveyards of Illinois - http://graveyards.com/
   "Time is an illusion.  Lunchtime, doubly so." - D. Adams
Received on 2010-06-20