Unknown SSL protocol error in connection

From: <Jeff_Curley_at_playstation.sony.com>
Date: Mon, 24 Nov 2008 15:49:32 -0800

I'm new to OpenSSL so I apologize if I ask something trivial of the list.

I have libcurl and OpenSSL built on the CellOS but I'm having a problem when
I try to use SSL (normal HTTP works).

command line: --trace-ascii -k --cacert /app_home/mycert.pem --url
https://www.fortify.net/sslcheck.html

tty:
== Info: Trying 64.202.169.234... == Info: connected
== Info: Connected to www.fortify.net (64.202.169.234) port 443 (#0)
== Info: libcurl is now using a weak random seed!
== Info: successfully set certificate verify locations:
== Info: CAfile: /app_home/cakey.pem
  CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 95 bytes (0x5f)
0000: ...[..D.s.......6..5W.7.b.....K..~)..\..4.9.8.5.............3.2.
0040: /.E.D.A........................
== Info: Unknown SSL protocol error in connection to www.fortify.net:443
== Info: Closing connection #0
curl: (35) Unknown SSL protocol error in connection to www.fortify.net:443

Additionally, I notice that if I set a break point in the function int
ssl23_connect(SSL *s)

I get a different TTY, as if there is a race condition in the process.
tty:
== Info: Trying 64.202.169.234... == Info: connected
== Info: Connected to www.fortify.net (64.202.169.234) port 443 (#0)
== Info: libcurl is now using a weak random seed!
== Info: successfully set certificate verify locations:
== Info: CAfile: /app_home/mycert.pem
  CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 95 bytes (0x5f)
0000: ...[..D.tF...w....!.2......^...tJ..A....4.9.8.5.............3.2.
0040: /.E.D.A........................
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 74 bytes (0x4a)
0000: ...F..I+<x.N=!.......G+P.%{..U&u8.3... .Z*.Cr..sh.....R...c.....
0040: m.O~....9.
== Info: SSLv3, TLS handshake, CERT (11):
<= Recv SSL data, 3788 bytes (0xecc)
== Info: SSLv3, TLS alert, Server hello (2):
=> Send SSL data, 2 bytes (0x2)
0000: .0
== Info: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
== Info: Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

The certificate I am using I generated with openssl by following these
directions:
http://www.madboa.com/geek/openssl/#cert-self

So although it is self-signed, I am under the impression the client should
be OK with this and should be able to continue.

So it looks like I am dealing with 2 issues.
1) the obvious failure of SSL connections
2) a strange race condition that I assume (because I'm not threading
anything) is happening due to non-blocking IO on the sockets?

Any help is greatly appreciated.

--Jeff Curley
Sony Computer Entertainment America
Senior Programmer
(858) 824-5692
Received on 2008-11-25