Re: SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
Date: Sun, 3 May 2020 03:17:37 -0400
On 4/27/2020 3:27 PM, Tobias Sette via curl-users wrote:
> Hi. I'm getting `SSL routines:ssl3_read_bytes:sslv3 alert handshake
> failure` like in:
>
> ```console
> $ curl --location 'https://www.upward.net/'
> curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
> handshake failure
> ```
>
> ```console
> $ curl --version
> curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f
> zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0)
> libssh2/1.8.0 nghttp2/1.40.0 librtmp/2.3
> Release-Date: 2020-01-08
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
> pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos
> Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
> ```
>
> However, the request works in another machine with a previous curl version:
> ```console
> $ curl -v --location 'https://www.upward.net/'
> * Trying 67.227.172.39...
> * TCP_NODELAY set
> * Connected to www.upward.net (67.227.172.39) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> * CAfile: /etc/ssl/certs/ca-certificates.crt
> CApath: /etc/ssl/certs
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / AES128-GCM-SHA256
> * ALPN, server did not agree to a protocol
> * Server certificate:
> * subject: OU=Domain Control Validated; CN=*.upward.net
> * start date: Oct 1 19:35:26 2019 GMT
> * expire date: Oct 1 19:35:26 2021 GMT
> * subjectAltName: host "www.upward.net" matched cert's "*.upward.net"
> * issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.;
> OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate
> Authority - G2
> * SSL certificate verify ok.
>> GET / HTTP/1.1
>> Host: www.upward.net
>> User-Agent: curl/7.58.0
>> Accept: */*
>>
> < HTTP/1.1 200 OK
> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
> PHP/5.4.16
> < Cache-Control: max-age=0, no-cache, no-store, must-revalidate
> < Content-Type: text/html; charset=UTF-8
> < Date: Mon, 27 Apr 2020 19:24:52 GMT
> < Expires: Wed, 11 Jan 1984 05:00:00 GMT
> < Pragma: no-cache
> < Accept-Ranges: bytes
> < Set-Cookie: X-Mapping-mekbfdgo=8329592ED46A049589C98F1F7BBDEC41; path=/
> < Last-Modified: Mon, 06 Apr 2020 23:53:11 GMT
> < X-Frame-Options: ALLOWALL
> < Content-Length: 5540
> <
> <!doctype html><html lang="en">
> [...]
> ```
>
> ```console
> $ curl --version
> curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1
> zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0
> librtmp/2.3
> Release-Date: 2018-01-24
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
> pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
> NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
> ```
>
> So, I've tried a lot of combinations that resulted in the command `curl
> -v --no-alpn --no-npn --tlsv1.2 --tls-max 1.2 --ciphers
> AES128-GCM-SHA256 'https://www.upward.net/'`, but it didn't work.

I can't reproduce that. Run the command that fails in verbose mode. Try
other HTTPS URLs. Also monitor in Wireshark.
Received on 2020-05-03
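
Added example (not part of the original thread, and not curl or OpenSSL code): a small decoder for the packed OpenSSL error code in the reported line, showing that `14094410` carries a TLS alert number received from the peer. It assumes the OpenSSL 1.1.x code layout (8-bit library, 12-bit function, 12-bit reason), matching the OpenSSL/1.1.1f build in the report; the function name and the alert table subset are choices made for this example.

```python
import re

# TLS alert descriptions (RFC 5246 / RFC 8446); subset chosen for this example.
TLS_ALERTS = {
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    112: "unrecognized_name",
    120: "no_application_protocol",
}

ERR_LIB_SSL = 20             # OpenSSL library number for libssl (0x14)
SSL_AD_REASON_OFFSET = 1000  # libssl reasons >= 1000 encode a received alert

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode_openssl_error(line):
    """Decode an OpenSSL 1.1.x packed error code found in a curl error line."""
    m = ERR_RE.search(line)
    if m is None:
        return None                    # no packed code on this line
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF          # which OpenSSL library raised it
    func = (code >> 12) & 0xFFF        # function id inside that library
    reason = code & 0xFFF              # reason id
    result = {"lib": lib, "func": func, "reason": reason,
              "peer_alert": None, "alert_name": None}
    # Only libssl reasons at or above the offset are alerts sent by the peer;
    # lower values are errors detected locally and carry no alert number.
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        result["peer_alert"] = alert
        result["alert_name"] = TLS_ALERTS.get(alert, "unknown")
    return result

# Error line as posted in the thread, re-joined from the wrapped mail text.
SAMPLE = ("curl: (35) error:14094410:SSL routines:ssl3_read_bytes:"
          "sslv3 alert handshake failure")

if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE))
```

A reason of 1040 is 1000 + 40, so the server sent a fatal `handshake_failure` alert and the rejection was decided on the server side, which is what a packet capture of the failing handshake would show as well. OpenSSL 3.x packs error codes differently, so this decoder applies to 1.1.x error strings only.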