
Re: SSL connect error

From: Thierry Huchard via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 13 Dec 2021 15:28:41 +0100

On 2021-12-13 15:06, Cristian Rodríguez wrote:
> On Sun, Dec 12, 2021 at 4:24 PM Thierry Huchard via curl-library
> <curl-library_at_lists.haxx.se> wrote:
>
>> But with "--tls-max 1.0" or "--tls-max 1.1", curl can connect to XK90.
>> With "--tls-max 1.2" and "--tls-max 1.3", curl returns the same error
>> described above
>
> ok.. then curl_easy_setopt() CURL_SSLVERSION_TLSv1_1... either the
> target system chokes with openssl's tls negotiation (i.e. system is
> hosed) or the most likely scenario is that openssl refuses to offer
> obsolete ciphersuites or imposes extra constraints when using tls 1.2.
>
> Use the suggested workaround or contact the device manufacturer for a
> firmware update.

I am the maintainer of the canon_pixma backend for Canon scanners; it is
based on Canon binary.
I opened a ticket with them several months ago; here is the answer
received this morning:

//////////////////////// Canon Europe ///////////////////////////////

RE: Canon Developer Programme New Support Call 00763131
From: Canon Developer Support
Date: Today 11:38
Message body

Hi Thierry,

Unfortunately I have not been able to make any progress with your
questions.

Therefore I have to close the support call.

We are sorry we were unable to assist you on this occasion.

Best wishes,
Nick

//////////////////////// End Canon Europe ///////////////////////////////

Asking them to update the firmware will be complicated ...


I'll go with this workaround:

| #include <string.h>
| #include <curl/curl.h>
|
| /* Version caps to try, from libcurl's default down to TLS 1.0 */
| static int proto_tls[] = {
|     CURL_SSLVERSION_MAX_DEFAULT,
|     CURL_SSLVERSION_MAX_TLSv1_3,
|     CURL_SSLVERSION_MAX_TLSv1_2,
|     CURL_SSLVERSION_MAX_TLSv1_1,
|     CURL_SSLVERSION_MAX_TLSv1_0,
|     -1
| };
|
| static int
| escl_tls_protocol_supported(char *url, int proto)
| {
|     CURLcode res = CURLE_UNSUPPORTED_PROTOCOL;
|     CURL *curl = curl_easy_init();
|     if(curl) {
|         curl_easy_setopt(curl, CURLOPT_URL, url);
|
|         /* cap the TLS version at the given CURL_SSLVERSION_MAX_* value */
|         curl_easy_setopt(curl, CURLOPT_SSLVERSION, proto);
|         /* certificate and host name verification are switched off */
|         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
|         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
|         curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
|         curl_easy_setopt(curl, CURLOPT_MAXREDIRS, 3L);
|         /* Perform the request */
|         res = curl_easy_perform(curl);
|         curl_easy_cleanup(curl);
|     }
|     return res;
| }
|
| static int
| escl_is_tls(char * url)
| {
|     int tls_version = 0;
|     if(!strcmp(type, "_uscans._tcp") ||
|        !strcmp(type, "https"))
|     {
|         /* try each cap in turn and stop at the first that connects */
|         while(proto_tls[tls_version] != -1)
|         {
|             if (escl_tls_protocol_supported(url,
|                     proto_tls[tls_version]) == CURLE_OK)
|             {
|                 DBG(10, "curl tls compatible (%d)\n",
|                     proto_tls[tls_version]);
|                 break;
|             }
|             tls_version++;
|         }
|         if (proto_tls[tls_version] == -1)
|             return 0;
|     }
|     return tls_version;
| }
|

Thank you all for your answers!

Thierry
Received on 2021-12-13
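
An added example, not part of the message above or of the sane-backends code: the same strongest-to-weakest fallback, written so that the TLS 1.0/1.1 rungs are tried only when the caller opts in and a connection that needed them is reported separately from a normal one. All enum, struct and function names are hypothetical; the probe callback stands in for one `curl_easy_perform()` attempt with `CURLOPT_SSLVERSION` set, and `fake_device` is a constructed stand-in for a device like the one in the thread.

```c
#include <stdio.h>
/* All names here are hypothetical; none come from libcurl or sane-backends. */
enum tls_cap { CAP_DEFAULT, CAP_TLS13, CAP_TLS12, CAP_TLS11, CAP_TLS10, CAP_COUNT };
enum probe_status { PROBE_FAILED, PROBE_OK, PROBE_OK_LEGACY };

struct probe_result {
    enum probe_status status;
    enum tls_cap cap;   /* meaningful only when status != PROBE_FAILED */
    int attempts;       /* handshakes actually tried */
};

/* One connection attempt capped at `cap`; nonzero on success. With libcurl
 * this would be a curl_easy_perform() after setting CURLOPT_SSLVERSION. */
typedef int (*probe_fn)(const char *url, enum tls_cap cap, void *ctx);
static int cap_is_legacy(enum tls_cap cap) { return cap == CAP_TLS11 || cap == CAP_TLS10; }

/* Walk the ladder from the strongest cap down. TLS 1.0/1.1 rungs are tried
 * only when legacy_ok is set, and a legacy success is flagged as such. */
struct probe_result find_tls_cap(const char *url, probe_fn probe, void *ctx, int legacy_ok)
{
    struct probe_result r = { PROBE_FAILED, CAP_DEFAULT, 0 };
    for (int c = CAP_DEFAULT; c < CAP_COUNT; c++) {
        enum tls_cap cap = (enum tls_cap)c;
        if (cap_is_legacy(cap) && !legacy_ok) continue;
        r.attempts++;
        if (probe(url, cap, ctx)) {
            r.status = cap_is_legacy(cap) ? PROBE_OK_LEGACY : PROBE_OK;
            r.cap = cap;
            break;
        }
    }
    return r;
}

/* Constructed stand-in for a device: the handshake succeeds only once the
 * cap has dropped to the rung stored in *ctx (or below it). */
int fake_device(const char *url, enum tls_cap cap, void *ctx)
{
    (void)url;
    return cap >= *(enum tls_cap *)ctx;
}

int main(void)
{
    enum tls_cap old_fw = CAP_TLS11;   /* connects only at TLS 1.1 or 1.0 */
    struct probe_result r = find_tls_cap("https://scanner.example/", fake_device, &old_fw, 1);
    printf("status=%d cap=%d attempts=%d\n", r.status, r.cap, r.attempts);
    return 0;
}
```

A caller can log or prompt on `PROBE_OK_LEGACY` and store the cap per device, so the downgrade applies only to hardware that needs it.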