Re: SSL connect error
From: Thierry Huchard via curl-library <curl-library_at_lists.haxx.se>
Date: Sun, 12 Dec 2021 20:24:12 +0100
On 2021-12-09 09:12, Thierry Huchard wrote:
> On 2021-12-08 18:03, Dan Fandrich via curl-library wrote:
>> On Wed, Dec 08, 2021 at 02:53:54PM +0100, Thierry Huchard via curl-library wrote:
>>> I am the maintainer of the sane-escl backend; I have an error on an HTTPS
>>> access to a Canon XK90 scanner.
>>> If you have an idea of why and how to bypass it, I'm interested!
>>>
>>> curl_handle = curl_easy_init();
>>> curl_easy_setopt(curl_handle, CURLOPT_URL, "https://192.168.yyy.xxx:443/eSCL/ScannerCapabilities");
>>> curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER, 0L);
>>> curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYHOST, 0L);
>>> curl_easy_setopt(curl_handle, CURLOPT_WRITEFUNCTION, memory_callback_c);
>>> curl_easy_setopt(curl_handle, CURLOPT_WRITEDATA, (void *)var);
>>> curl_easy_setopt(curl_handle, CURLOPT_HEADERFUNCTION, header_callback);
>>> curl_easy_setopt(curl_handle, CURLOPT_HEADERDATA, (void *)header);
>>> curl_easy_setopt(curl_handle, CURLOPT_FOLLOWLOCATION, 1L);
>>> curl_easy_setopt(curl_handle, CURLOPT_MAXREDIRS, 3L);
>>> CURLcode res = curl_easy_perform(curl_handle);
>>> if (res != CURLE_OK) {
>>>     printf("respond: %s\n", curl_easy_strerror(res)); // respond: SSL connect error
>>> }
>>
>> Could it be similar to Github issue #5356? Namely, the scanner is running
>> years-old firmware that uses a long-obsolete TLS version and OpenSSL is
>> now refusing to talk to it for security reasons? What TLS back-end is your
>> libcurl using? What TLS version does the scanner want to use?
>
> On FreeBSD 12.2-RELEASE, the version of OpenSSL is 1.1.1k and curl is 7.73.0.
> For the device in question the documentation is not easy to read, the
> ideal would have been in French, I could have arranged with English,
> but Japanese, not possible!
> So I have no information about it, I know that http requests work. I
> would have liked to force the discussion.
> I will test the https connection and switch to http if it fails...
> Thanks for the feedback!
>
> Thierry
Here is the information returned by the user:
* Environment
| $ uname -a
| FreeBSD aquarius-vm.sign.local 12.2-RELEASE-p11 FreeBSD 12.2-RELEASE-p11 r370982 GENERIC amd64
| $ openssl version
| OpenSSL 1.1.1h-freebsd 24 Aug 2021
| $ curl --version
| curl 7.79.1 (amd64-portbld-freebsd12.2) libcurl/7.79.1 OpenSSL/1.1.1h zlib/1.2.11 libssh2/1.9.0 nghttp2/1.44.0
| Release-Date: 2021-09-22
| Protocols: dict file ftp ftps gopher gophers http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
| Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
| $
By default, curl fails to connect.
| $ curl -vk https://192.168.0.108/eSCL/ScannerCapabilities
| * Trying 192.168.0.108:443...
| * Connected to 192.168.0.108 (192.168.0.108) port 443 (#0)
| * ALPN, offering h2
| * ALPN, offering http/1.1
| * successfully set certificate verify locations:
| * CAfile: /usr/local/share/certs/ca-root-nss.crt
| * CApath: none
| * TLSv1.3 (OUT), TLS handshake, Client hello (1):
| * TLSv1.3 (IN), TLS alert, handshake failure (552):
| * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
| * Closing connection 0
| curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
But with "--tls-max 1.0" or "--tls-max 1.1", curl can connect to XK90.
With "--tls-max 1.2" and "--tls-max 1.3", curl returns the same error
described above.
| $ curl -vk --tls-max 1.1 https://192.168.0.108/eSCL/ScannerCapabilities
| * Trying 192.168.0.108:443...
| * Connected to 192.168.0.108 (192.168.0.108) port 443 (#0)
| * ALPN, offering h2
| * ALPN, offering http/1.1
| * successfully set certificate verify locations:
| * CAfile: /usr/local/share/certs/ca-root-nss.crt
| * CApath: none
| * TLSv1.1 (OUT), TLS handshake, Client hello (1):
| * TLSv1.1 (IN), TLS handshake, Server hello (2):
| * TLSv1.1 (IN), TLS handshake, Certificate (11):
| * TLSv1.1 (IN), TLS handshake, Server finished (14):
| * TLSv1.1 (OUT), TLS handshake, Client key exchange (16):
| * TLSv1.1 (OUT), TLS change cipher, Change cipher spec (1):
| * TLSv1.1 (OUT), TLS handshake, Finished (20):
| * TLSv1.1 (IN), TLS handshake, Finished (20):
| * SSL connection using TLSv1.1 / AES256-SHA
| * ALPN, server did not agree to a protocol
| * Server certificate:
| * subject: CN=192.168.0.108
| * start date: Jan 1 00:00:00 2019 GMT
| * expire date: Dec 31 23:59:59 2038 GMT
| * issuer: CN=CanonIJProductF8A26DA2A5240001
| * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
| > GET /eSCL/ScannerCapabilities HTTP/1.1
| > Host: 192.168.0.108
| > User-Agent: curl/7.79.1
| > Accept: */*
| >
| * Mark bundle as not supporting multiuse
| < HTTP/1.1 200 OK
| < MIME-Version: 1.0
| < Transfer-Encoding: chunked
| < Content-Type: text/xml
| < Connection: close
(snip)
| * TLSv1.1 (IN), TLS alert, close notify (256):
| * TLSv1.1 (OUT), TLS alert, close notify (256):
| $
FYI, Firefox (91.3.0esr and 95.0) can connect to XK90 with TLS1.2.
Thierry
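An added example, not part of this thread and not the curl project's own code: a small POSIX shell script that automates the `--tls-max` probing done by hand above and reduces each `curl -v` trace to the negotiated protocol and cipher (or to the alert the peer sent back). It assumes a curl built against OpenSSL, as in the trace above; the URL in the usage comment and the two sample traces are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the curl-library thread): probe which TLS
# protocol versions a host will negotiate, the way the --tls-max
# experiments above were done by hand, and summarise each attempt.
# Assumes curl with an OpenSSL backend so that the trace lines have the
# shape shown in the thread ("* SSL connection using <proto> / <cipher>",
# "* TLSv1.3 (IN), TLS alert, handshake failure (552):").

# Reduce a `curl -v` trace read on stdin to one line:
#   "ok <proto> <cipher>"   if a session was established
#   "alert <description>"  if the peer refused the handshake with an alert
#   "none"                 if neither line was found (e.g. TCP failure)
summarize_trace() {
    awk '
        /SSL connection using/ {
            for (i = 1; i <= NF; i++)
                if ($i == "using") { print "ok " $(i+1) " " $(i+3); found = 1; exit }
        }
        /TLS alert, / {
            line = $0
            sub(/.*TLS alert, /, "", line)   # drop "* TLSv1.3 (IN), TLS alert, "
            sub(/ \(.*/, "", line)           # drop the trailing " (552):"
            print "alert " line; found = 1; exit
        }
        END { if (!found) print "none" }
    '
}

# Try each protocol ceiling in turn and print a one-line verdict per version.
# -k mirrors the thread: the device presents a certificate from a product CA
# that is not in the system trust store, and the question here is only
# whether the handshake itself completes; certificate trust is handled
# separately (see the note below the script).
probe_tls_versions() {
    url=$1
    for v in 1.0 1.1 1.2 1.3; do
        result=$(curl -sS -k -o /dev/null -v --tls-max "$v" "$url" 2>&1 | summarize_trace)
        printf '%-5s %s\n' "$v" "$result"
    done
}

# Constructed sample traces, abridged to the lines summarize_trace cares
# about, so the parser can be exercised without a scanner on the network.
sample_trace_fail() {
    printf '%s\n' \
        '* TLSv1.3 (OUT), TLS handshake, Client hello (1):' \
        '* TLSv1.3 (IN), TLS alert, handshake failure (552):' \
        '* Closing connection 0'
}
sample_trace_ok() {
    printf '%s\n' \
        '* TLSv1.1 (OUT), TLS handshake, Client hello (1):' \
        '* SSL connection using TLSv1.1 / AES256-SHA' \
        '* TLSv1.1 (IN), TLS alert, close notify (256):'
}

# Usage (hypothetical host from the thread):
#   sh probe_tls.sh https://192.168.0.108/eSCL/ScannerCapabilities
if [ $# -gt 0 ]; then
    probe_tls_versions "$1"
fi
```

Against the XK90 as described above, this would print `ok` lines for 1.0 and 1.1 and `alert handshake failure` for 1.2 and 1.3. Since Firefox does connect with TLS 1.2, a natural next probe is to repeat the 1.2 attempt with a single cipher the device is known to accept (`--tls-max 1.2 --ciphers AES256-SHA`): if that succeeds, the device is choking on something in OpenSSL's default 1.2 offer rather than on TLS 1.2 itself. Once the handshake question is settled, `-k` should not stay in the sane-escl backend: the issuing certificate, if it can be obtained from the device, can be passed with `--cacert` (CURLOPT_CAINFO in libcurl), or the device's key pinned with `--pinnedpubkey` (CURLOPT_PINNEDPUBLICKEY), so that peer verification stays on.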
Received on 2021-12-12