
curl-tracker Archives

[curl:bugs] #1453 "Unknown SSL protocol error" with curl > 7.34

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Tue, 25 Nov 2014 08:30:11 +0000

- **status**: open --> pending
- **assigned_to**: Daniel Stenberg
- **Comment**:

This most likely happens because curl disables RC4 by default since it is considered an insecure algorithm. If you want an insecure algorithm in your TLS handshake you must manually enable it with the --ciphers option.

---
**[bugs:#1453] "Unknown SSL protocol error" with curl > 7.34**
**Status:** pending
**Created:** Wed Nov 19, 2014 05:47 PM UTC by Andreas Lamprecht
**Last Updated:** Wed Nov 19, 2014 05:47 PM UTC
**Owner:** Daniel Stenberg
Hi!
I'm having problems with curl versions greater than 7.34.
It looks like curl > 7.34 has a problem with the server response.
RC4-SHA was the protocol selected by the server if I do not provide any cipher on the command-line
with curl 7.34:
]# /usr/local/curl-7.34/bin/curl -v -v -v --cipher 'RC4-SHA'  --insecure https://keyman.siemens.at/
* Hostname was NOT found in DNS cache
*   Trying 158.226.250.57...
* Adding handle: conn: 0x24f4ec0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x24f4ec0) send_pipe: 1, recv_pipe: 0
* Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
*        subject: OU=GMS GO GD AHS DBA; O=Siemens; C=AT; CN=keyman.siemens.at
*        start date: 2014-06-26 08:30:17 GMT
*        expire date: 2015-06-26 08:30:17 GMT
*        issuer: C=DE; O=Siemens; serialNumber=ZZZZZZY7; OU=Copyright (C) Siemens AG 2013 All Rights Reserved; OU=Issuing CA for Siemens non-personalized SSL/TLS-based End Entities; CN=Siemens Issuing CA Intranet Server 2013
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
with curl 7.39:
# /usr/local/curl-7.39/bin/curl -v -v -v --cipher 'RC4-SHA'  --tlsv1 --insecure https://keyman.siemens.at/
* Hostname was NOT found in DNS cache
*   Trying 158.226.250.57...
* Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
* Closing connection 0
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
If I use curl 7.39 without any ciphers, then I get this:
# /usr/local/curl-7.39/bin/curl -v -v -v  --tlsv1 --insecure https://keyman.siemens.at/
* Hostname was NOT found in DNS cache
*   Trying 158.226.250.57...
* Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to keyman.siemens.at:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to keyman.siemens.at:443
I have also done a tcpdump for both requests and attaching it to that message. In both cases the server sends back a server hello done, but curl 7.39 seems not to be able to interpret that server response.
Server software is Windows IIS version 6.0
Received on 2014-11-25
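
An added example, not part of the original mail or of curl: a shell function that reads a `curl -v` transcript like the ones in the report and says whether the handshake completed with an RC4 suite, completed with another suite, or failed with curl's exit code 35. The function name `classify_curl_tls` and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a `curl -v` transcript read on stdin.
# Output is one line:
#   weak-cipher <suite>      handshake completed with an RC4 suite
#   ok <suite>               handshake completed with another suite
#   handshake-failed <msg>   curl reported exit code 35 (SSL connect error)
#   no-tls-result            neither line was present
classify_curl_tls() {
    awk '
        /^\* SSL connection using / {
            line = $0
            sub(/^\* SSL connection using /, "", line)
            # Older curl prints only the suite; newer prints "TLSv1.2 / SUITE".
            n = split(line, part, " / ")
            cipher = (n >= 2) ? part[2] : part[1]
        }
        /^curl: \(35\) / {
            err = $0
            sub(/^curl: \(35\) /, "", err)
        }
        END {
            if (cipher ~ /(^|[-_])RC4([-_]|$)/) print "weak-cipher " cipher
            else if (cipher != "")              print "ok " cipher
            else if (err != "")                 print "handshake-failed " err
            else                                print "no-tls-result"
        }
    '
}

# Constructed sample transcripts, modelled on the output format in the report.
sample_rc4='* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
> GET / HTTP/1.1'
sample_fail='* SSLv3, TLS handshake, Client hello (1):
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to host.example:443'

printf '%s\n' "$sample_rc4"  | classify_curl_tls
printf '%s\n' "$sample_fail" | classify_curl_tls
```

Feed it the saved stderr of a verbose run, for example `curl -v ... 2>&1 | classify_curl_tls`, to triage many hosts without reading each transcript by hand.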
