Hi!

Sorry for the maybe stupid question but is there another way of enabling RC4 than by adding '--cipher 'RC4-SHA' to the curl command?
If not, then i already tested it with curl 7.39 and it did not work, as you see below.

Greetings
Andreas

From: Daniel Stenberg [mailto:bagder_at_users.sf.net]
Sent: Tuesday, November 25, 2014 9:30 AM
To: [curl:bugs]
Subject: [curl:bugs] #1453 "Unknown SSL protocol error" with curl > 7.34


  * status: open --> pending
  * assigned_to: Daniel Stenberg
  * Comment:

This most likely happens because curl disables RC4 by default since it is considered an insecure algorithm. If you want an insecure algorithm in you TLS handshake you must manually enable it with the --ciphers option.

________________________________

[bugs:#1453]<http://sourceforge.net/p/curl/bugs/1453> "Unknown SSL protocol error" with curl > 7.34

Status: pending
Created: Wed Nov 19, 2014 05:47 PM UTC by Andreas Lamprecht
Last Updated: Wed Nov 19, 2014 05:47 PM UTC
Owner: Daniel Stenberg

Hi!

I'm having problems with curl version greater that 7.34
It looks like curl > 7.34 has a problem with the server response.

RC4-SHA was the protocol selected by the server if i do not provide any cipher on the command-line

with curl 7.34:
]# /usr/local/curl-7.34/bin/curl -v -v -v --cipher 'RC4-SHA' --insecure https://keyman.siemens.at/<https://keyman.siemens.at>
Hostname was NOT found in DNS cache
Trying 158.226.250.57...
Adding handle: conn: 0x24f4ec0
Adding handle: send: 0
Adding handle: recv: 0
Curl_addHandleToPipeline: length: 1
- Conn 0 (0x24f4ec0) send_pipe: 1, recv_pipe: 0
Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
successfully set certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using RC4-SHA
Server certificate:
subject: OU=GMS GO GD AHS DBA; O=Siemens; C=AT; CN=keyman.siemens.at
start date: 2014-06-26 08:30:17 GMT
expire date: 2015-06-26 08:30:17 GMT
issuer: C=DE; O=Siemens; serialNumber=ZZZZZZY7; OU=Copyright (C) Siemens AG 2013 All Rights Reserved; OU=Issuing CA for Siemens non-personalized SSL/TLS-based End Entities; CN=Siemens Issuing CA Intranet Server 2013
SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

GET / HTTP/1.1

with curl 7.39:

/usr/local/curl-7.39/bin/curl -v -v -v --cipher 'RC4-SHA' --tlsv1 --insecure https://keyman.siemens.at/<https://keyman.siemens.at>

  * Hostname was NOT found in DNS cache
  * Trying 158.226.250.57...
  * Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
  * successfully set certificate verify locations:
  * CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
  * SSLv3, TLS handshake, Client hello (1):
  * error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
  * Closing connection 0
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

If i use curl 7.39 without any ciphers, then i get this:

/usr/local/curl-7.39/bin/curl -v -v -v --tlsv1 --insecure https://keyman.siemens.at/<https://keyman.siemens.at>

  * Hostname was NOT found in DNS cache
  * Trying 158.226.250.57...
  * Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
  * successfully set certificate verify locations:
  * CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
  * SSLv3, TLS handshake, Client hello (1):
  * Unknown SSL protocol error in connection to keyman.siemens.at:443
  * Closing connection 0
curl: (35) Unknown SSL protocol error in connection to keyman.siemens.at:443

I have also done a tcpdump for both requests and attaching it to that message. In both cases the server sends back a server hello done, but curl 7.39 seems not to be able to interpret that server response.
Server software is Windows IIS version 6.0

________________________________

Sent from sourceforge.net because you indicated interest in https://sourceforge.net/p/curl/bugs/1453/<https://sourceforge.net/p/curl/bugs/1453>

To unsubscribe from further messages, please visit https://sourceforge.net/auth/subscriptions/<https://sourceforge.net/auth/subscriptions>

Company: Atos IT Solutions and Services GmbH
Legal form: Gesellschaft mit beschränkter Haftung
Company seat: Vienna
Commercial registry file nr.: FN 357865y
Commercial Court: Handelsgericht Wien
DVR: 4003754
ATU UID: 66190855
ARA Nr: 17961

Important Note: This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.

---
** [bugs:#1453] "Unknown SSL protocol error" with curl > 7.34**
**Status:** pending
**Created:** Wed Nov 19, 2014 05:47 PM UTC by Andreas Lamprecht
**Last Updated:** Tue Nov 25, 2014 08:30 AM UTC
**Owner:** Daniel Stenberg
Hi!

I'm having problems with curl version greater that 7.34
It looks like curl > 7.34 has a problem with the server response.

RC4-SHA was the protocol selected by the server if i do not provide any cipher on the command-line

with curl 7.34:
]# /usr/local/curl-7.34/bin/curl -v -v -v --cipher 'RC4-SHA'  --insecure https://keyman.siemens.at/

* Hostname was NOT found in DNS cache
*   Trying 158.226.250.57...
* Adding handle: conn: 0x24f4ec0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x24f4ec0) send_pipe: 1, recv_pipe: 0
* Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
*        subject: OU=GMS GO GD AHS DBA; O=Siemens; C=AT; CN=keyman.siemens.at
*        start date: 2014-06-26 08:30:17 GMT
*        expire date: 2015-06-26 08:30:17 GMT
*        issuer: C=DE; O=Siemens; serialNumber=ZZZZZZY7; OU=Copyright (C) Siemens AG 2013 All Rights Reserved; OU=Issuing CA for Siemens non-personalized SSL/TLS-based End Entities; CN=Siemens Issuing CA Intranet Server 2013
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1


with curl 7.39:

# /usr/local/curl-7.39/bin/curl -v -v -v --cipher 'RC4-SHA'  --tlsv1 --insecure https://keyman.siemens.at/

* Hostname was NOT found in DNS cache
*   Trying 158.226.250.57...
* Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
* Closing connection 0
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

If i use curl 7.39 without any ciphers, then i get this:
# /usr/local/curl-7.39/bin/curl -v -v -v  --tlsv1 --insecure https://keyman.siemens.at/

* Hostname was NOT found in DNS cache
*   Trying 158.226.250.57...
* Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to keyman.siemens.at:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to keyman.siemens.at:443



I have also done a tcpdump for both requests and attaching it to that message. In both cases the server sends back a server hello done, but curl 7.39 seems not to be able to interpret that server response.
Server software is Windows IIS version 6.0

---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to http://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at http://sourceforge.net/p/curl/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.