#1076 SSL23_GET_SERVER_HELLO when connecting to OpenSSL 1.0.0

closed-duplicate
https (67)
5
2013-06-21
2012-01-04
Anonymous
No

Apologies for opening a new bug, but I couldn't find a way of editing the existing bug report for this, which is https://sourceforge.net/tracker/index.php?func=detail&aid=3165773&group_id=976&atid=100976

I have worked around this by upgrading the OpenSSL client to 1.0.0 (and recompiling curl to pick up the new version of OpenSSL) and would recommend other people do the same, but I'm recording as much information as I've gathered here in the hope that it will help anyone with similar problems in the future, or who is unable to upgrade the client.

I have been able to reproduce this bug, connecting from an OpenSSL/0.9.8o client to an OpenSSL/1.0.0d server.

Run on client:
curl --version
curl 7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8o zlib/1.2.3
Protocols: tftp ftp telnet dict http file https ftps
Features: Largefile NTLM SSL libz

curl -k https://www.example.com/ --trace -
== Info: About to connect() to www.example.com port 443 (#0)
== Info: Trying 10.20.30.40...
== Info: connected
== Info: Connected to www.example.com (10.20.30.40) port 443 (#0)
== Info: successfully set certificate verify locations:
== Info: CAfile: none
CApath: /etc/ssl/certs
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 141 bytes (0x8d)
(removed)
== Info: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
== Info: Closing connection #0
curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)

I am also able to reproduce it on clients running 0.9.8j, 0.9.8k and 0.9.8n, but not 0.9.8g.
The problem does NOT occur if you pass curl the -sslv3 parameter; it only seems to apply to TLS v1.

Therefore it looks like the problem was introduced with OpenSSL 0.9.8h, i or j.

Looking at the changelog for these versions, I think the most likely cause is a change introduced in OpenSSL 0.9.8j to "Enable TLS extensions by default". Interestingly there is an item in the 1.0.0 changelog that says "Add initial support for TLS extensions", which might explain why 1.0 versions work as a client.
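The opaque `error:14077458:...:reason(1112)` line in the trace above is more informative than it looks. OpenSSL packs its error codes as library (bits 24-31), function (bits 12-23) and reason (bits 0-11), and a reason of 1000 or more is a TLS alert received from the peer, offset by 1000. Decoding the reporter's code gives library 20 (the SSL library, printed as "SSL routines"), function 119 (SSL23_GET_SERVER_HELLO) and reason 1112, i.e. TLS alert 112, `unrecognized_name`, which the server sends in response to the SNI extension. That fits the observation that the failure only appears when the client sends a TLS 1.0 hello with extensions and not with `--sslv3`, since an SSLv3 ClientHello carries no extensions. The following POSIX shell script is an added example for decoding such a line; it is not part of the bug report or of curl, and the sample trace line is a constructed copy of the one shown above.

```shell
#!/bin/sh
# Decode an OpenSSL error code (error:LLFFFRRR in hex) as packed by ERR_PACK():
#   library in bits 24-31, function in bits 12-23, reason in bits 0-11.
# Reasons >= 1000 are received TLS alerts (alert number + SSL_AD_REASON_OFFSET).

# Constructed sample: the failing line from the curl trace in the report.
SAMPLE_TRACE='== Info: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)'

# Print "lib func reason" as decimal numbers for an 8-digit hex code.
ssl_err_fields() {
    code=$(printf '%d' "0x$1")
    echo "$(( (code >> 24) & 255 )) $(( (code >> 12) & 4095 )) $(( code & 4095 ))"
}

# Map a reason code to the TLS alert number it encodes, or print nothing
# if the reason is an internal OpenSSL reason rather than a received alert.
ssl_reason_alert() {
    if [ "$1" -ge 1000 ] && [ "$1" -lt 1256 ]; then
        echo $(( $1 - 1000 ))
    fi
}

# Names for the alerts most often seen in failed handshakes (RFC 5246, 7.2).
tls_alert_name() {
    case "$1" in
        40)  echo handshake_failure ;;
        42)  echo bad_certificate ;;
        48)  echo unknown_ca ;;
        70)  echo protocol_version ;;
        112) echo unrecognized_name ;;
        *)   echo "unknown($1)" ;;
    esac
}

# Pull the hex error code out of a curl "== Info: error:..." line.
extract_err_code() {
    printf '%s\n' "$1" | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p'
}

# Decode one trace line into its fields, naming the alert when there is one.
decode_trace_line() {
    hex=$(extract_err_code "$1")
    if [ -z "$hex" ]; then
        echo "no OpenSSL error code in line"
        return 1
    fi
    set -- $(ssl_err_fields "$hex")
    lib=$1; func=$2; reason=$3
    alert=$(ssl_reason_alert "$reason")
    if [ -n "$alert" ]; then
        echo "lib=$lib func=$func reason=$reason (TLS alert $alert: $(tls_alert_name "$alert"))"
    else
        echo "lib=$lib func=$func reason=$reason"
    fi
}

decode_trace_line "$SAMPLE_TRACE"
```

Feeding a whole `curl --trace -` capture through `decode_trace_line` line by line turns any `reason(NNNN)` with NNNN above 1000 into the alert the server actually sent, which is usually the fastest way to tell a name-based rejection (`unrecognized_name`) apart from a cipher or version mismatch (`handshake_failure`, `protocol_version`) before touching the server configuration.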

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2012-01-18
    • status: open --> closed-duplicate
  • Daniel Stenberg

    Daniel Stenberg - 2012-01-18

    This is a duplicate of bug #3395520. Closing.

    http://curl.haxx.se/bug/view.cgi?id=3395520