
curl-tracker Archives

[curl:bugs] #1430 "Unknown SSL protocol error" - regression in curl 7.35 and later

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Sat, 25 Oct 2014 19:53:27 +0000

- **status**: pending --> closed-invalid
- **Comment**:

No further response, closing.

---
**[bugs:#1430] "Unknown SSL protocol error" - regression in curl 7.35 and later**
**Status:** closed-invalid
**Labels:** SSL/TLS 
**Created:** Fri Oct 03, 2014 09:37 PM UTC by Nowaker
**Last Updated:** Mon Oct 06, 2014 12:54 PM UTC
**Owner:** Daniel Stenberg
https://jira.atlashost.eu/ doesn't work with curl, but works in any browser, or with `wget`.
```
root@nwkr-desktop ~ # curl --version
curl 7.38.0 (x86_64-unknown-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1i zlib/1.2.8 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP 
root@nwkr-desktop ~ # curl https://jira.atlashost.eu/
curl: (35) Unknown SSL protocol error in connection to jira.atlashost.eu:443
```
Last version that works:
```
root@nwkr-desktop ~ # curl --version
curl 7.34.0 (x86_64-unknown-linux-gnu) libcurl/7.34.0 OpenSSL/1.0.1i zlib/1.2.8 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 
root@nwkr-desktop ~ # curl -I https://jira.atlashost.eu/ 2>/dev/null | head -n 1
HTTP/1.1 500 Internal Server Error
```
OpenSSL string with ciphers:
```
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!MD5:!SSLv2:!aNULL:!eNULL:!LOW:!3DES:!EXP:!PSK:!SRP:!DSS
```
In nodejs 0.10 this string results in only TLS_RSA_WITH_RC4_128_SHA being available. I force-disabled weaker ciphers, so it's not possible to use them at all (e.g. TLS_RSA_WITH_DES_CBC_SHA). My guess is curl has those weak ciphers on its accept list but apparently doesn't have the TLS_RSA_WITH_RC4_128_SHA. This cipher is OK (but not perfect) and if it's the only supported cipher by the server, curl should stick to it.
Consult SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=jira.atlashost.eu
Let me know how I can help you.
Received on 2014-10-25
