
curl-library

Re: libcurl and SSLv2

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 3 Jan 2009 00:26:03 +0100 (CET)

On Fri, 2 Jan 2009, Lenny Rachitsky wrote:

> I've run into an interesting problem. When trying to connect to the domain
> www.hottopic.com, which recently disabled SSLv2 support, I get the
> following:
>
> * SSLv3, TLS handshake, Client hello (1):
> * Unknown SSL protocol error in connection to www.hottopic.com:443
> * Closing connection #0
> curl: (35) Unknown SSL protocol error in connection to www.hottopic.com:443

What if you try to enforce SSLv3 or TLSv1? Eh, never mind that I tried it
myself with "curl 7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g"
(and with curl 7.19.3-CVS) and it fails with that command line no matter what
I try!

> curl 7.19.1-test (i686-pc-linux-gnu) libcurl/7.19.1-test OpenSSL/0.9.7a
>
> When running this same command with an older version of openssl, it works
> fine:
>
> curl 7.19.2 (i686-pc-linux-gnu) libcurl/7.19.2 OpenSSL/0.9.7a zlib/1.1.4

Surely you did something wrong here, since both lines show the same OpenSSL
versions!?

> Has anyone seen this kind of behavior before? I would bet most of you if you
> ran this command would see the error, or one like it, as I presume most of
> you have the latest version of openssl and libcurl installed.
>
> I would have to downgrade openssl versions, but at this point that
> seems to be my only choice.

It seems like an OpenSSL bug/flaw to me!

I tried the same thing with curl built to use GnuTLS 2.4.2 instead, and that
too fails by default ("curl: (35) gnutls_handshake() failed: A TLS packet with
unexpected length was received.") but if I enforce SSLv3 it proceeds fine.

I'd say it looks like the server is doing a weird SSL handshake that the SSL
libs don't like, but GnuTLS and older OpenSSL versions manage to get past
it...

-- 
  / daniel.haxx.se
Received on 2009-01-03