Re: SSL handshake problems

From: plot.lost <plot.lost_at_gmail.com>
Date: Sun, 10 Feb 2013 10:48:18 +0000

Thanks, don't think I'll worry about actually having SSLv2 support, but
I need to be able to ensure that the connection doesn't freeze/fail if
it comes across a server that still does.

Is there a command line option that basically combines -1 and -3, i.e.
sets the connection to allow SSLv3 or TLSv1, but prevents any attempt to
use SSLv2 - so something that says use SSL or TLS as long as it is not SSLv2?

On 10/02/2013 00:06, Federico Figus wrote:
> Likely your OpenSSL has not activated the SSLv2 support (default
> configuration).
> Try
> openssl s_client -ssl2 -connect hostname:port
> if protocol SSLv2 is not supported, it will return: "unknown option -ssl2"
>
>
> On 9 February 2013 23:01, plot.lost <plot.lost_at_gmail.com
> <mailto:plot.lost_at_gmail.com>> wrote:
>
> Can someone advise on what might be the cause of getting a 'SSL
> connection timeout' error if I don't provide either the '-3' or
> '-1' option to the command line?
>
> Without using one of those two options, then the connection gets
> as far as '* SSLv3, TLS handshake, Client hello (1):' and then
> freezes until the timeout happens.
>
> By adding -3 or -1 to the command line (to force SSLv3 or TLSv1)
> then the connection works fine:
>
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using RC4-MD5
>
> By adding -2 to force SSLv2, the connection fails (as expected)
>
> * SSLv2, Client hello (1):
> * Unknown SSL protocol error in connection to x.x.x.x:443
>
> What I am concerned about is that if I don't specify -3 or -1,
> then the connection just hangs until the timeout.
>
> This is using curl 7.24.0 with OpenSSL/1.0.1a - I am having
> problems building the latest version (many of the tests fail, so
> I don't want to use it until I can get all the tests working). Is
> this a known problem or one that someone else may have come across,
> and am I likely to get the same results even once I get the latest
> version built and working?
>
> Thanks for any info on this.
>
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>
>
>
>
> --
> /*Federico Figus*/

Received on 2013-02-10