curl-library
Re: problems connecting to HTTPS server
Date: Mon, 22 Oct 2001 23:37:19 +0000
More info... I think this could very well be a bug in the libcurl library!!
Why do I say this? Well, I did the following.
1. Using the openssl command line I connected via http-tunnel to the site in
question - I have included the results below.
2. I downloaded Pavuk and tested that through the firewall, against the same
site. Pavuk tested OK.
From these tests I conclude:
a) The problem is not with openssl lib. The openssl command line and libcurl
have been linked against the same openssl lib.
b) There is a problem in libcurl. Pavuk and openssl via http-tunnel were
able to establish an SSL connection, i.e. complete the SSL protocol handshake
and, in Pavuk's case, complete the download. libcurl was unable to complete
the protocol handshake.
c) Could it be that libcurl does not recognise:
SSL-Session:
Protocol : TLSv1
curl when invoked in ssl2-3 mode results in:
eg 1. curl: (35) SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
curl when invoked in ssl-3 mode results in:
eg 2. curl: (35) SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Could it be that curl checks for SSL protocol (eg 1) but doesn't recognise
TLS, and when forced down the ssl-3 path doesn't recognise the version v1 (eg 2)?
Could the fix be as simple as allowing libcurl to recognise TLSv1 as SSLv3?
i.e. just an if then else?
NB: I have a workaround for this problem in the form of Pavuk, but my
personal preference is to use libcurl, so I would like to see this problem
fixed. I will therefore endeavour to run a few more tests to confirm the
above hypothesis.
John
DETAILS 1. ---------------------------------------------------------
C:\tmp>openssl
OpenSSL> s_client -port 443
Loading 'screen' into random state - done
CONNECTED(000000E8)
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
.........
---
Server certificate
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
subject=/C=AU/ST=New South Wales/L=Sydney/OU=Terms of use at www.esign.com.au/RPA (c)00 /OU=Authenticated by eSign Australia Limited/OU=Member, VeriSign Trust Network/O=Commmonwealth Bank Of Australia/OU=eComm/CN=www.makingmoneyhappen.commbank.com.au
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
No client certificate CA names sent
---
SSL handshake has read 2788 bytes and written 312 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: ......
    Session-ID-ctx:
    Master-Key: ....
    Key-Arg   : None
    Start Time: 1003753039
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

DETAILS 2. -----------------------------------------------------------
C:\tmp\pavuk>pavuk -mode singlepage -ssl_proxy xxx.xxx.xxx.xxx:8080 -http_proxy_user **** -http_proxy_pass ***** https://www.makingmoneyhappen.commbank.com.au -debug -debug_level protos,protoc
URL: 1(0) of 1 https://www.makingmoneyhappen.commbank.com.au/
File redirect download: OK
URL: 2(0) of 25 https://www.makingmoneyhappen.commbank.com.au/inc/common.css
transfering "robots.txt"

Received on 2001-10-23
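An added example, not part of the original message and not libcurl or OpenSSL code: a small parser for the five-byte SSLv3/TLS record header, showing how the protocol version that the two errors in the post concern is encoded on the wire (SSLv3 is 3.0, TLSv1 is 3.1). The names `parse_record_hdr`, `record_hdr` and `reply_kind` are hypothetical, the sample bytes are constructed, and SSLv2-format records are not handled.

```c
#include <stddef.h>
#include <stdio.h>

enum reply_kind { REPLY_TOO_SHORT, REPLY_NOT_TLS, REPLY_SSL3, REPLY_TLS1, REPLY_TLS_OTHER };

struct record_hdr {
    enum reply_kind kind;
    unsigned type;      /* content type byte; 20..23 in a valid record */
    unsigned length;    /* payload length announced by the header */
};

/* Record header layout: type(1) major(1) minor(1) length(2, big-endian).
 * SSLv3 is version 3.0 and TLSv1 is version 3.1 on the wire. */
struct record_hdr parse_record_hdr(const unsigned char *buf, size_t len)
{
    struct record_hdr h = { REPLY_TOO_SHORT, 0, 0 };
    if (len < 5)
        return h;                       /* no complete header yet */
    h.type = buf[0];
    h.length = ((unsigned)buf[3] << 8) | buf[4];
    /* Valid types: change_cipher_spec, alert, handshake, application_data. */
    if (buf[0] < 20 || buf[0] > 23 || buf[1] != 3)
        h.kind = REPLY_NOT_TLS;
    else if (buf[2] == 0)
        h.kind = REPLY_SSL3;
    else if (buf[2] == 1)
        h.kind = REPLY_TLS1;
    else
        h.kind = REPLY_TLS_OTHER;
    return h;
}

static const char *kind_name(enum reply_kind k)
{
    static const char *names[] = { "too short", "not an SSLv3/TLS record",
                                   "SSLv3 (3.0)", "TLSv1 (3.1)", "TLS, other minor" };
    return names[k];
}

int main(void)
{
    /* Constructed samples, not captured from the server in the post. */
    static const unsigned char tls1[] = { 0x16, 0x03, 0x01, 0x00, 0x4a };
    static const unsigned char ssl3[] = { 0x16, 0x03, 0x00, 0x00, 0x4a };
    static const unsigned char text[] = "HTTP/1.0 200";
    printf("%s\n", kind_name(parse_record_hdr(tls1, sizeof tls1).kind));
    printf("%s\n", kind_name(parse_record_hdr(ssl3, sizeof ssl3).kind));
    printf("%s\n", kind_name(parse_record_hdr(text, sizeof text - 1).kind));
    return 0;
}
```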