curl-users

Re: desperately needs to update an older version of 'curl & libcurl'

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Fri, 12 Dec 2014 13:39:13 +0100

On Thu, Dec 11, 2014 at 09:56:59PM -0700, Rob Sharkey wrote:
> The current system does have OpenSSL installed, version OpenSSL 0.9.8k 25 Mar
> 2009. Is there a way to repoint curl and libcurl at OpenSSL instead of GNUTLS?

This would mean rebuilding libcurl.

> This system does not have curl-config included.

It's in the libcurl-devel package, which isn't installed by default. It's also
not relevant here.

> The actual error during connection testing is;
>
> curl: (35) gnutls_handshake() failed: A TLS fatal alert has been received.
>
> The puzzling thing is that every once in a while it works and a connection goes
> through, about once every six or seven tries.

Could it be talking to a load balancer that sends the occasional request to a
back-end running a different TLS version?

> Hello All, hope this is the right place for this, if not please kindly tell me
> off..
>
> We’ve recently fallen into a situation where we desperately need to update an
> older version of ‘curl & libcurl’ on embedded Mandriva 2008.1 systems (no GUI/X
> windows) they do have ‘urpmi’ , these systems do card processing and recently
> got new certificates and are now failing (sha-1 to sha-2 change).
>
> It seems to be that the gnutls is the actual piece that’s failing but that is
> what is bundled with the version we have. Newer versions seem to use OpenSSL
> and not gnutls.
>
> We’ve tried several times to update curl and libcurl but ‘urpmi’ gets removed
> during the removal of the existing ‘libcurl’ so installing the newer version
> becomes impossible without ‘urpmi’, tried just copying files into the system
> but that causes kernel faults.

Trying to update a 6-year-old system with urpmi isn't going to work unless you
upgrade the entire system. There are just too many incompatible dependencies. Your
best bet if you want to avoid that is to compile a newer version of either
GnuTLS and/or curl yourself, on that system. Unfortunately, GnuTLS has had two
SONAME bumps since your version so you can't just recompile the latest version
and drop it into place. What might work is manually installing the Mandriva
2010.0 (or 2011) libgnutls26 RPM, if that version solves this problem. But,
that version is still not going to have any security fixes made in the last 4
years.

Your best bet is probably to compile your own GnuTLS (or OpenSSL) and curl from
the latest sources and install it in /usr/local/bin on your machine. That will
get you all the latest security fixes and bug fixes, and isn't that difficult
to do.

> Current version installed;
>
> curl 7.19.4 (i586-mandriva-linux-gnu) libcurl/7.19.4 GnuTLS/2.6.4 zlib/1.2.3
> c-ares/1.6.0 libidn/1.13 libssh2/1.0
>
> Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
>
> Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
>
>
>
> Version we would like to get to at least;
>
> curl 7.21.7 (i586-mandriva-linux-gnu) libcurl/7.21.7 OpenSSL/1.0.0d zlib/1.2.5
> libidn/1.22 libssh2/1.2.9
>
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
> pop3s rtsp scp sftp smtp smtps telnet tftp
>
> Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
>
>
>
> Any thoughts would be truly appreciated.
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-12-12
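
A check to run after installing a self-built curl under /usr/local/bin, as suggested in the reply above (an added example, not part of the original mail or of curl itself): it parses the first line of `curl --version` to confirm the version and the TLS library the binary links. The 7.21.7/OpenSSL targets and both sample banners come from the original post; the function names and the list of TLS library names are assumptions.

```sh
#!/bin/sh
# Added example: check which curl build answers and which TLS library it links.
# Banners are copied from the post above (joined onto one line each).
OLD_BANNER='curl 7.19.4 (i586-mandriva-linux-gnu) libcurl/7.19.4 GnuTLS/2.6.4 zlib/1.2.3 c-ares/1.6.0 libidn/1.13 libssh2/1.0'
NEW_BANNER='curl 7.21.7 (i586-mandriva-linux-gnu) libcurl/7.21.7 OpenSSL/1.0.0d zlib/1.2.5 libidn/1.22 libssh2/1.2.9'
MIN_VER=7.21.7      # minimum version the poster asked for
WANT_TLS=OpenSSL    # TLS library the poster wants instead of GnuTLS

# Print the "Name/version" token of the TLS library in a banner, or "none".
# The list of library names is an assumption and is not exhaustive.
tls_backend() {
    lib=$(printf '%s\n' "$1" | tr ' ' '\n' |
          grep -E '^(OpenSSL|GnuTLS|LibreSSL|NSS)/' | head -n 1)
    echo "${lib:-none}"
}

# Succeed if dotted version $1 >= $2, comparing fields numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_banner BANNER MIN_VER TLS_NAME: print a verdict, return 0 only on OK.
check_banner() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    lib=$(tls_backend "$1")
    case "$lib" in
        "$3"/*) ;;
        *) echo "FAIL: TLS library is $lib, wanted $3"; return 1 ;;
    esac
    version_ge "$ver" "$2" || { echo "FAIL: curl $ver is older than $2"; return 1; }
    echo "OK: curl $ver with $lib"
}

check_banner "$OLD_BANNER" "$MIN_VER" "$WANT_TLS" || true
check_banner "$NEW_BANNER" "$MIN_VER" "$WANT_TLS" || true

# Then the binaries actually present: distro copy and a /usr/local/bin build.
for bin in /usr/bin/curl /usr/local/bin/curl; do
    [ -x "$bin" ] || continue
    printf '%s: ' "$bin"
    check_banner "$("$bin" --version | head -n 1)" "$MIN_VER" "$WANT_TLS" || true
done
```

Running both paths side by side shows whether scripts that call `curl` without a full path still pick up the distro binary linked against the old GnuTLS.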