
curl-tracker Archives

[curl:bugs] #1430 "Unknown SSL protocol error" - regression in curl 7.35 and later

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Sat, 04 Oct 2014 12:51:13 +0000

- **status**: open --> pending
- **assigned_to**: Daniel Stenberg
- **Comment**:

Nowaker: your handshake fails simply because the site insists on using an RC4 cipher and we disable such ciphers by default now.

See https://github.com/bagder/curl/blob/master/docs/SSL-PROBLEMS for more details on that.

To work around this problem, provide a list to --cipher that includes RC4. Just using "--ciphers ALL" makes the handshake succeed but is probably overly permissive.

---
**[bugs:#1430] "Unknown SSL protocol error" - regression in curl 7.35 and later**
**Status:** pending
**Labels:** SSL/TLS 
**Created:** Fri Oct 03, 2014 09:37 PM UTC by Nowaker
**Last Updated:** Sat Oct 04, 2014 01:03 AM UTC
**Owner:** Daniel Stenberg
https://jira.atlashost.eu/ doesn't work with curl, but works in any browser, or with `wget`.
```
root@nwkr-desktop ~ # curl --version
curl 7.38.0 (x86_64-unknown-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1i zlib/1.2.8 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP 
root@nwkr-desktop ~ # curl https://jira.atlashost.eu/
curl: (35) Unknown SSL protocol error in connection to jira.atlashost.eu:443
```
Last version that works:
```
root@nwkr-desktop ~ # curl --version
curl 7.34.0 (x86_64-unknown-linux-gnu) libcurl/7.34.0 OpenSSL/1.0.1i zlib/1.2.8 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 
root@nwkr-desktop ~ # curl -I https://jira.atlashost.eu/ 2>/dev/null | head -n 1
HTTP/1.1 500 Internal Server Error
```
OpenSSL string with ciphers:
```
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!MD5:!SSLv2:!aNULL:!eNULL:!LOW:!3DES:!EXP:!PSK:!SRP:!DSS
```
In nodejs 0.10 this string results in only TLS_RSA_WITH_RC4_128_SHA being available. I force-disabled weaker ciphers, so it's not possible to use them at all (e.g. TLS_RSA_WITH_DES_CBC_SHA). My guess is curl has those weak ciphers on its accept list but apparently doesn't have the TLS_RSA_WITH_RC4_128_SHA. This cipher is OK (but not perfect) and if it's the only supported cipher by the server, curl should stick to it.
Consult SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=jira.atlashost.eu
Let me know how I can help you.
---
Received on 2014-10-04
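
Added example (not part of the original mail and not curl's own code): a heuristic Python check of whether an OpenSSL cipher string, such as the server string quoted in the report or a list passed to `--ciphers`, explicitly admits RC4. The function name `audit_rc4` and its verdict labels are assumptions of this example; it only inspects tokens that name RC4 or `ALL`, and leaves keyword expansion to `openssl ciphers -v`.

```python
import re

# Server cipher string quoted in the bug report above.
REPORTED_SPEC = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:EECDH+aRSA+RC4:"
    "EECDH:EDH+aRSA:RC4:!MD5:!SSLv2:!aNULL:!eNULL:!LOW:!3DES:!EXP:"
    "!PSK:!SRP:!DSS"
)


def audit_rc4(spec):
    """Return (verdict, tokens) for an OpenSSL cipher string.

    verdict is one of (labels are this example's own):
      "excluded"        - "!RC4" is present, which deletes RC4 permanently
      "admitted"        - a token names RC4 (or ALL) and nothing removes it
      "check-expansion" - RC4 is not named; broader keywords may still
                          expand to RC4 suites depending on the OpenSSL build
    """
    admits, banned = [], False
    # OpenSSL separates cipher-list entries with colons, commas or spaces.
    for token in re.split(r"[:, ]+", spec.strip()):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        parts = token[len(op):].split("+")  # '+' inside a token means AND
        if op == "!" and parts == ["RC4"]:
            banned = True                   # permanent, wherever it appears
        elif op == "-" and parts == ["RC4"]:
            admits.clear()                  # removed, but may be re-added later
        elif op == "" and (parts == ["ALL"] or
                           any("RC4" in p.split("-") for p in parts)):
            admits.append(token)            # keyword or suite name with RC4
    if banned:
        return "excluded", []
    if admits:
        return "admitted", admits
    return "check-expansion", []


if __name__ == "__main__":
    for spec in (REPORTED_SPEC, "ALL", "ALL:!RC4", "EECDH+AESGCM:!aNULL"):
        print(audit_rc4(spec), "<-", spec[:40])
```

A "check-expansion" verdict is not a pass: confirm the expanded suite list with `openssl ciphers -v` on the OpenSSL build that will actually be used.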
