curl-tracker Archives

[curl:bugs] #1430 "Unknown SSL protocol error" - regression in curl 7.35 and later

From: Tigran Gabrielyan <tigrangab_at_users.sf.net>
Date: Sat, 04 Oct 2014 00:56:23 +0000

I have a similar issue with 7.38.0.

With 7.38.0 I get the following SSL error; however, with previous versions I get the correct response back (an unauthorized message).

```
curl -v -XPOST https://api.demo.globalgatewaye4.firstdata.com/transaction/
* Hostname was NOT found in DNS cache
* Trying 54.191.215.216...
* Connected to api.demo.globalgatewaye4.firstdata.com (54.191.215.216) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
```

---
**[bugs:#1430] "Unknown SSL protocol error" - regression in curl 7.35 and later**
**Status:** open
**Labels:** SSL/TLS 
**Created:** Fri Oct 03, 2014 09:37 PM UTC by Nowaker
**Last Updated:** Fri Oct 03, 2014 09:37 PM UTC
**Owner:** nobody
https://jira.atlashost.eu/ doesn't work with curl, but works in any browser, or with `wget`.
```
root@nwkr-desktop ~ # curl --version
curl 7.38.0 (x86_64-unknown-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1i zlib/1.2.8 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP 
root@nwkr-desktop ~ # curl https://jira.atlashost.eu/
curl: (35) Unknown SSL protocol error in connection to jira.atlashost.eu:443
```
Last version that works:
```
root@nwkr-desktop ~ # curl --version
curl 7.34.0 (x86_64-unknown-linux-gnu) libcurl/7.34.0 OpenSSL/1.0.1i zlib/1.2.8 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 
root@nwkr-desktop ~ # curl -I https://jira.atlashost.eu/ 2>/dev/null | head -n 1
HTTP/1.1 500 Internal Server Error
```
OpenSSL string with ciphers:
```
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!MD5:!SSLv2:!aNULL:!eNULL:!LOW:!3DES:!EXP:!PSK:!SRP:!DSS
```
In nodejs 0.10 this string results in only TLS_RSA_WITH_RC4_128_SHA being available. I force-disabled weaker ciphers, so it's not possible to use them at all (e.g. TLS_RSA_WITH_DES_CBC_SHA). My guess is curl has those weak ciphers on its accept list but apparently doesn't have the TLS_RSA_WITH_RC4_128_SHA. This cipher is OK (but not perfect) and if it's the only supported cipher by the server, curl should stick to it.
Consult SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=jira.atlashost.eu
Let me know how I can help you.
---
Received on 2014-10-04
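
The two `curl: (35)` failures quoted above can be told apart by decoding the packed OpenSSL error code. This is an added example, not part of the original messages or of curl; it assumes the OpenSSL 1.0.x error layout (8-bit library, 12-bit function, 12-bit reason), matching the OpenSSL/1.0.1i builds shown, and `decode` and `triage` are hypothetical helper names. It shows that `14077410` is a fatal `handshake_failure` alert sent by the server in reply to the ClientHello, which RFC 5246 defines as the sender being unable to negotiate an acceptable set of security parameters.

```python
import re

# Sample input: the two curl (35) lines copied from the messages above.
SAMPLE = """\
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
curl: (35) Unknown SSL protocol error in connection to jira.atlashost.eu:443
"""

ERR_LIB_SSL = 20             # library number of libssl in OpenSSL's error codes
SSL_AD_REASON_OFFSET = 1000  # libssl reason for a received alert = 1000 + alert number

# Subset of the TLS alert descriptions from RFC 5246, section 7.2.
ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 47: "illegal_parameter", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}

# error:<8 hex digits>:<library>:<function>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode(line):
    """Unpack an OpenSSL 1.0.x error string; return None if the line carries no code."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF      # top 8 bits: library
    func = (code >> 12) & 0xFFF    # middle 12 bits: function
    reason = code & 0xFFF          # low 12 bits: reason
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET  # alert number received from the peer
    return {"lib": lib, "func": func, "func_name": m.group(3),
            "reason": reason, "alert": alert, "alert_name": ALERTS.get(alert)}


def triage(text):
    """Decode every curl exit-35 line; entries are None where no code is present."""
    return [decode(l) for l in text.splitlines() if l.startswith("curl: (35)")]


if __name__ == "__main__":
    for result in triage(SAMPLE):
        print(result)
```

The second line carries no OpenSSL error code, so there is nothing to decode and the helper returns `None` for it.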