
curl-tracker Archives

[curl:bugs] #1319 Bug: "Unsupported SSL protocol version" Error

From: Jay Satiro <raysatiro_at_users.sf.net>
Date: Mon, 02 Feb 2015 22:23:51 +0000

I can confirm what Andre reported in Ubuntu 14 x64 with OpenSSL 1.0.1f. I did a bisect and it traces back to https://github.com/bagder/curl/commit/ad34a2d, I think because that's where the TLS protocol maximum version becomes TLSv1.2.

The server identifies as Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8x. AFAIK 0.9.8 cannot use TLSv1.1 or TLSv1.2. The server does accept TLSv1.0. I don't know why it hangs on a maximum value of TLSv1.2; hopefully someone can fill us in on this.

OpenSSL s_client hangs as well, tested Windows 7 x64/OpenSSL 1.0.1j and Ubuntu 14 x64/OpenSSL 1.0.1f:

openssl s_client -connect qasecommerce.cielo.com.br:443
Loading 'screen' into random state - done
CONNECTED(0000019C)
write:errno=10054

-debug shows no server hello received in response to the client hello. Adding -bugs fixes it though...

I checked curl tool built from ad34a2d with every protocol version for that server, here are the results.

curl 7.33.1-DEV (x86_64-unknown-linux-gnu) libcurl/7.33.1-DEV OpenSSL/1.0.1f zlib/1.2.8

src/curl https://qasecommerce.cielo.com.br/servicos/ecommwsec.do -v

--sslv3 shows 'wrong version number':

* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

--tlsv1.0 ok:

* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA

--tlsv1.1 shows 'Unsupported protocol':

* SSLv3, TLS handshake, Client hello (1):
* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
* Closing connection 0
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

--tlsv1 and --tlsv1.2 there's a hang after client hello, then shows 'Unknown SSL protocol':

* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to qasecommerce.cielo.com.br:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to qasecommerce.cielo.com.br:443

Andre please try --tlsv1.0

---
**[bugs:#1319] Bug: "Unsupported SSL protocol version" Error**
**Status:** closed-fixed
**Created:** Thu Jan 02, 2014 07:44 PM UTC by Mohammad Hossekh Sekhavat
**Last Updated:** Mon Feb 02, 2015 01:50 PM UTC
**Owner:** Daniel Stenberg
Since I have upgraded from version 7.33 to 7.34, I am getting "Unsupported SSL protocol version" error with SSLv3. 
In order to reproduce the problem, run the command:
curl -v -3 -g 'https://aur.archlinux.org/'
Following output error will be shown on my machine:
* Hostname was NOT found in DNS cache
* Adding handle: conn: 0x237e040
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x237e040) send_pipe: 1, recv_pipe: 0
*   Trying 78.46.78.247...
*   Trying 2a01:4f8:120:34c2::2...
* Immediate connect fail for 2a01:4f8:120:34c2::2: Network is unreachable
* Connected to aur.archlinux.org (78.46.78.247) port 443 (#0)
* Unsupported SSL protocol version
* Closing connection 0
curl: (35) Unsupported SSL protocol version
My System Info:
$curl -V
curl 7.34.0 (x86_64-unknown-linux-gnu) libcurl/7.34.0 OpenSSL/1.0.1e zlib/1.2.8 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
$uname -a 
Linux mohammad-tp 3.12.6-1-ARCH #1 SMP PREEMPT Fri Dec 20 19:39:00 CET 2013 x86_64 GNU/Linux
Received on 2015-02-02
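
An added example, not part of the mail above and not code from the curl project: a POSIX shell sketch of the per-version check the mail describes, with a timeout so that a hang after the client hello is reported as its own outcome. The function names, the PROBE_TIMEOUT variable and the outcome labels are assumptions; pinning a version with --tls-max needs curl 7.54.0 or later, where --tlsv1.x alone only sets a minimum.

```shell
#!/bin/sh
# Added example: sweep one HTTPS URL across pinned TLS versions and label
# each result using the error strings quoted in the mail above.

# classify_result EXIT_CODE STDERR_TEXT -> prints one outcome label (assumed names)
classify_result() {
    rc=$1
    err=$2
    case "$rc" in
        0)  echo ok; return ;;
        28) echo hang; return ;;   # curl exit 28: --max-time expired
    esac
    case "$err" in
        *"wrong version number"*)        echo wrong-version ;;
        *"unsupported protocol"*)        echo unsupported ;;
        *"Unsupported SSL protocol"*)    echo unsupported ;;
        *"Unknown SSL protocol error"*)  echo no-reply ;;
        *)                               echo "other($rc)" ;;
    esac
}

# sweep URL -> prints "VERSION OUTCOME" lines in ascending version order
sweep() {
    url=$1
    for v in 1.0 1.1 1.2; do
        # Pin exactly one version: minimum and maximum set to the same value.
        err=$(curl -sS -o /dev/null --max-time "${PROBE_TIMEOUT:-15}" \
                   "--tlsv$v" --tls-max "$v" "$url" 2>&1) && rc=0 || rc=$?
        printf '%s %s\n' "$v" "$(classify_result "$rc" "$err")"
    done
}

# highest_ok: read sweep output on stdin, print the highest version that
# completed a handshake; exit non-zero if none did.
highest_ok() {
    awk '$2 == "ok" { best = $1 }
         END { if (best != "") print best; else exit 1 }'
}

# Run a sweep only when a URL is given on the command line.
[ "$#" -eq 0 ] || sweep "$1"
```

A result where only 1.0 is ok matches the workaround suggested in the mail (--tlsv1.0); piping the sweep output into highest_ok prints that version.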
