Re: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
Date: Sat, 5 Mar 2016 17:31:18 -0500
On 3/1/2016 6:09 AM, Pa1 wrote:
> We are trying to send POST request to an https url using libcurl. The
> remote https server only accepts SSLv3 & TLS 1.0.
> Our libcurl client always tries to initiate the request with TLS 1.2
> and fails the handshake.
> I tried with below option to force protocol & cipher manually.
> curl_easy_setopt(m_pCurl, CURLOPT_SSLVERSION,CURL_SSLVERSION_SSLv3);
> curl_easy_setopt(m_pCurl, CURLOPT_SSL_CIPHER_LIST, (char*)"SSLv3");
> This works fine on Linux64, but on AIX machine there is no effect. It
> still shows the same handshake failure. On windows64, without above
> enforcement itself it works.
> * About to connect() to testing.com port 443 (#4)
> * Trying 184.108.40.206...
> * Adding handle: conn: 0x114c5ad70
> * Adding handle: send: 0
> * Adding handle: recv: 0
> * Curl_addHandleToPipeline: length: 1
> * - Conn 4 (0x114c5ad70) send_pipe: 1, recv_pipe: 0
> * Connected to testing.com (220.127.116.11) port 443 (#4)
> * successfully set certificate verify locations:
> * CAfile: /home/csiqueir/s.crt
> CApath: none
> * error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
> * Closing connection 4
> Above is the debug verbose log we get during failure. I captured the
> https traffic, Client starts with TLS1.2 Hello, Server with SSLv3 and
> then Client fails the handshake as attached files.
> versions are -
> libcurl - 7.30.0_K
> openssl - 1.0.1_M
> Can anybody help me out with this issue ? I'm stuck with this almost
> from 1 month.
> Any pointers would be great.
As far as I know you shouldn't have to set the cipher list to SSLv3 if
you've set the version. Also, the cipher names differ depending on which
backend you're using, and cipher names may not even be supported.
Check which SSL backend libcurl is using on AIX, that can be as simple
as printf(curl_version()); it may not support the protocol or cipher
that you want. And try using the curl tool instead of libcurl to see if
that works. See the SSL backend curl is using with curl -V, it may be
different than libcurl's if you have more than one version.
curl --sslv3 https://website
curl --tlsv1.0 https://website
Also in Wireshark monitor a successful connection to see how it's
negotiated and which cipher is used. I took a look at your wireshark and
that is the type of hello you see in when no protocol is specified. If a
protocol is specified then in OpenSSL it will send your specific
protocol in the record layer and handshake and both are the same. In
other words if --sslv3 both will be 0x300 and if --tlsv1.0 both will be
List admin: https://cool.haxx.se/list/listinfo/curl-library
Received on 2016-03-05