Re: libcurl and SSLv2
Date: Sat, 3 Jan 2009 00:26:03 +0100 (CET)
On Fri, 2 Jan 2009, Lenny Rachitsky wrote:
> I've run into an interesting problem. When trying to connect to the domain
> www.hottopic.com, which recently disabled SSLv2 support, I get the
> * SSLv3, TLS handshake, Client hello (1):
> * Unknown SSL protocol error in connection to www.hottopic.com:443
> * Closing connection #0
> curl: (35) Unknown SSL protocol error in connection to www.hottopic.com:443
What if you try to enforce SSLv3 or TLSv1? Eh, never mind that, I tried it
myself with "curl 7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g"
(and with curl 7.19.3-CVS) and it fails with that command line no matter what
> curl 7.19.1-test (i686-pc-linux-gnu) libcurl/7.19.1-test OpenSSL/0.9.7a
> When running this same command with an older version of openssl, it works
> curl 7.19.2 (i686-pc-linux-gnu) libcurl/7.19.2 OpenSSL/0.9.7a zlib/1.1.4
Surely you did something wrong here, since both lines show the same OpenSSL
> Has anyone seen this kind of behavior before? I would bet most of you if you
> ran this command would see the error, or one like it, as I presume most of
> you have the latest version of openssl and libcurl installed.
> I would have to have to downgrade openssl versions, but at this point that
> seems to be my only choice.
It seems like an OpenSSL bug/flaw to me!
I tried the same thing with curl built to use GnuTLS 2.4.2 instead, and that
too fails by default ("curl: (35) gnutls_handshake() failed: A TLS packet with
unexpected length was received.") but if I enforce SSLv3 it proceeds fine.
I'd say it looks like the server is doing a weird SSL handshake that the SSL
libs don't like, but GnuTLS and older OpenSSL versions manage to get past
--
 / daniel.haxx.se
Received on 2009-01-03