Bugs item #3469471, was opened at 2012-01-04 08:45
Message generated for change (Tracker Item Submitted) made by
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3469471&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: https
Group: bad behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Ian Thomas ()
Assigned to: Daniel Stenberg (bagder)
Summary: SSL23_GET_SERVER_HELLO when connecting to OpenSSL 1.0.0

Initial Comment:
Appologies for opening a new bug, but I couldn't find a way of editing the existing bug report for this, which is https://sourceforge.net/tracker/index.php?func=detail&aid=3165773&group_id=976&atid=100976

I have worked around this by upgrading the OpenSSL client to 1.0.0 (and recompiling curl to pick up the new version of OpenSSL) and would recommend other people do the same, but I'm recording as much information as I've gathered here in the hope that it will help anyone with similar problems in the future, or who is unable to upgrade the client.

I have been able to reproduce this bug, connecting from an OpenSSL/0.9.8o client to an OpenSSL/1.0.0d server.

Run on client:
curl --version
curl 7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8o zlib/1.2.3
Protocols: tftp ftp telnet dict http file https ftps
Features: Largefile NTLM SSL libz

curl -k https://www.example.com/ --trace -
== Info: About to connect() to www.example.com port 443 (#0)
== Info: Trying 10.20.30.40... == Info: connected
== Info: Connected to www.example.com (10.20.30.40) port 443 (#0)
== Info: successfully set certificate verify locations:
== Info: CAfile: none
  CApath: /etc/ssl/certs
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 141 bytes (0x8d)
(removed)
== Info: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
== Info: Closing connection #0
curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)

I am also able to reproduce it on clients running 0.9.8j, 0.9.8k and 0.9.8n but not 0.9.8g
The problem does NOT occur if you pass curl the -sslv3 parameter, it only seems to apply to TLS v1

Therefore it looks like the problem was introduced with OpenSSL 0.9.8h, i or j.

Looking at the changelog for these versions, I think the most likely cause is a change introduced in OpenSSL 0.9.8j to "Enable TLS extensions by default". Interestingly their is an item in the 1.0.0 changelog that says "Add initial support for TLS extensions", which might explain why 1.0 versions work as a client.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3469471&group_id=976
Received on 2012-01-04