Re: TLS1.2 from TLS1.0

From: Praveen Pvs <meetpraveenpvs_at_gmail.com>
Date: Mon, 27 Jul 2015 22:15:44 +0530

On Mon, Jul 27, 2015 at 11:51 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Mon, 27 Jul 2015, Praveen Pvs wrote:
>
>> What version of TLS would it be using when I set the SSL version to
>> *CURL_SSLVERSION_TLSv1*? Will it use only TLS1.0? Will it not
>> auto-negotiate to the highest, i.e. 1.2?
>>
>
> Yes it should, but it should even negotiate to TLS 1.2 by default even
> without that option set. The option is more for setting the lowest
> acceptable level.

When the server allows only TLS1.2 and does not allow TLS1.0, the terminal is
not able to connect to the server. Here is the trace provided by the server
team. How can we debug this?

In your earlier mail, you have mentioned "Upgrade to at least 7.34.0, then
ask for CURL_SSLVERSION_TLSv1_2. And make sure you have a TLS lib (version)
that speaks 1.2".

Should we have a TLS lib on the terminal that speaks 1.2 with the current
CURL library version which we are using? Could you please help?

*Trace of failing handshake - when we don't allow TLS 1.0:*
Notice how the client (Terminal) presents itself with ClientHello Version
3.1 = TLS1.0

14:29:03: New TCP connection #2: gbibp9ph1--blueice4n2.emea.ibm.com(33494)
<-> 192.168.162.193(64443)
2 1 0.6400 (0.6400) C>SV3.1(227) Handshake
      ClientHello
        Version 3.1
        random[32]=
          55 77 4a dd 14 85 79 55 04 b3 4c c3 2e 82 96 5e
          85 db d8 e1 30 05 f8 7a c8 1d dd 18 d5 ff 23 4f
        cipher suites
        Unknown value 0xc014
        Unknown value 0xc00a
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
        TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
        Unknown value 0xc00f
        Unknown value 0xc005
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
        Unknown value 0xc012
        Unknown value 0xc008
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc00d
        Unknown value 0xc003
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc013
        Unknown value 0xc009
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        Unknown value 0x9a
        Unknown value 0x99
        Unknown value 0x45
        Unknown value 0x44
        Unknown value 0xc00e
        Unknown value 0xc004
        TLS_RSA_WITH_AES_128_CBC_SHA
        Unknown value 0x96
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        Unknown value 0xc011
        Unknown value 0xc007
        Unknown value 0xc00c
        Unknown value 0xc002
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        Unknown value 0xff
        compression methods
                unknown value
                  NULL
2 2 0.6400 (0.0000) S>CV3.1(2) Alert
    level fatal
    value handshake_failure
2 0.6401 (0.0000) S>C TCP FIN
2 0.7433 (0.1032) C>S TCP FIN

*Trace of OK handshake when we allow TLS 1.0:*

New TCP connection #1: gbibp9ph1--blueice4n2.emea.ibm.com(47957) <->
192.168.162.193(64443)
1 1 0.8569 (0.8569) C>SV3.1(227) Handshake
      ClientHello
        Version 3.1
        random[32]=
          55 77 48 87 e9 42 d3 1d 58 4a af 28 61 5b 49 02
          0d 24 b1 60 1f fe 2c 22 e4 18 79 16 c9 ba 0b 81
        cipher suites
        Unknown value 0xc014
        Unknown value 0xc00a
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
        TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
        Unknown value 0xc00f
        Unknown value 0xc005
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
        Unknown value 0xc012
        Unknown value 0xc008
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc00d
        Unknown value 0xc003
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc013
        Unknown value 0xc009
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        Unknown value 0x9a
        Unknown value 0x99
        Unknown value 0x45
        Unknown value 0x44
        Unknown value 0xc00e
        Unknown value 0xc004
        TLS_RSA_WITH_AES_128_CBC_SHA
        Unknown value 0x96
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        Unknown value 0xc011
        Unknown value 0xc007
        Unknown value 0xc00c
        Unknown value 0xc002
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        Unknown value 0xff
        compression methods
                unknown value
                  NULL
1 2 0.8570 (0.0000) S>CV3.1(85) Handshake
      ServerHello
        Version 3.1
        random[32]=
          4a 5a 58 0e 9e 74 4b 77 27 36 ce 19 ff a9 b7 7f
          4b 29 35 d9 94 68 74 11 44 b7 8c 14 27 78 19 0b
        session_id[32]=
          f4 81 39 ec e6 b5 02 0a 06 11 40 93 af dc 53 49
          a7 33 d5 bc af 0b 77 07 2b 3b e8 b4 c0 d1 7c 3a
        cipherSuite TLS_RSA_WITH_AES_128_CBC_SHA
        compressionMethod NULL
1 3 0.8570 (0.0000) S>CV3.1(3242) Handshake
      Certificate
1 4 0.8570 (0.0000) S>CV3.1(4) Handshake
      ServerHelloDone
1 5 0.9485 (0.0915) C>SV3.1(262) Handshake
      ClientKeyExchange
        EncryptedPreMasterSecret[256]=
          3a 57 11 cd ae 0e 11 1f 8e 2b b8 51 1a 11 48 cd
          2d d1 af c7 7d 9a 15 fd 1e d1 29 6e ad b0 d0 7f
          41 dc d0 e4 e1 cf 3f d2 60 25 67 b3 27 d6 b7 93
          a0 ad 3b 51 fe ef 92 36 17 dc b0 3e 20 f4 05 a3
          cd 3d 3f e8 a2 9b d7 99 43 eb b5 57 94 72 b5 99
          d4 20 0a c7 e0 3e 17 01 62 ec b5 65 a9 f8 5a 99
          52 97 23 0d 37 47 63 8e 0d 86 70 30 a2 e4 41 17
          01 da 1b 7d a4 c5 4c 49 e7 f0 c4 db c1 66 ed 09
          45 06 40 1a 6a 75 ec 52 d1 c1 f2 b9 fe e3 fa 0e
          5c 0c 81 10 1f bc 53 d3 50 ac d6 94 6e a5 b4 f1
          af 58 91 b1 a7 d9 7b 50 c4 57 b9 c0 25 50 dc fc
          0f e2 35 fc 07 b8 3c b5 0e c7 9e 5c db 60 a6 9e
          33 e2 56 90 2b d9 7e f8 c5 5c 14 7e 0d a8 1c eb
          a3 ea 02 b0 f6 a0 f8 1d 86 18 72 45 1a 3e e8 6f
          a7 13 3e a8 2a 50 6f d1 21 76 8f 24 8d e7 40 63
          1d 9c 73 2f 74 3b ce dd 84 c7 14 ff 5e d0 8b e6
1 6 0.9485 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 7 0.9485 (0.0000) C>SV3.1(48) Handshake
      Finished
        verify_data[12]=
          74 5d 09 ee e1 ce d7 b0 df c5 1b 3b

1 8 0.9515 (0.0029) S>CV3.1(1) ChangeCipherSpec
1 9 0.9515 (0.0000) S>CV3.1(48) Handshake
      Finished
        verify_data[12]=
          fc 4c 2c 53 7d 73 9f 7a ab 00 c2 aa

1 10 1.0051 (0.0536) C>SV3.1(224) application_data
1 11 2.0090 (1.0038) C>SV3.1(1408) application_data

>
> --
>
> / daniel.haxx.se
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>

Received on 2015-07-27
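
Added example, not part of the original mail and not curl code: a small C check that reads the version field the failing trace points at (ClientHello "Version 3.1") from the first bytes of a captured record and tells whether a server with a TLS 1.2 minimum can continue. The sample byte arrays are constructed to mirror the trace's lengths, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_0 0x0301   /* wire version 3.1, as printed in the trace */
#define TLS1_2 0x0303   /* wire version 3.3 */

/* Constructed samples: record header, handshake header, client_version.
 * Lengths mirror the trace (record of 227 bytes); the body is omitted. */
static const uint8_t hello_tls10[] = {22, 3, 1, 0x00, 0xe3, 1, 0x00, 0x00, 0xdf, 3, 1};
static const uint8_t hello_tls12[] = {22, 3, 1, 0x00, 0xe3, 1, 0x00, 0x00, 0xdf, 3, 3};

/* Return ClientHello.client_version (for TLS <= 1.2, the highest version the
 * client offers), or -1 if buf does not start with a ClientHello. */
int client_hello_version(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 11)          /* 5 record + 4 handshake + 2 version */
        return -1;
    if (buf[0] != 22 || buf[1] != 3)      /* handshake record, SSL3/TLS family */
        return -1;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    size_t hs_len = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    if (buf[5] != 1 || rec_len < 6 || hs_len < 2)   /* type 1 = client_hello */
        return -1;
    return (buf[9] << 8) | buf[10];
}

/* A server negotiates min(client offer, its own max); it can only continue
 * if that result is not below its configured minimum. */
int server_would_accept(int client_version, int server_min)
{
    return client_version >= server_min;
}

int main(void)
{
    const uint8_t *samples[] = {hello_tls10, hello_tls12};
    for (int i = 0; i < 2; i++) {
        int v = client_hello_version(samples[i], sizeof hello_tls10);
        printf("ClientHello version %d.%d -> TLS 1.2-only server %s\n",
               v >> 8, v & 0xff,
               server_would_accept(v, TLS1_2) ? "continues" : "sends a fatal alert");
    }
    return 0;
}
```

The record-layer version (bytes 1-2) is often 3.1 even for clients that offer TLS 1.2, so the field to compare is the one inside the ClientHello body.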