$ curl https://www.lynda.com/ -v
Hostname was NOT found in DNS cache
Trying 69.20.127.243...
Connected to www.lynda.com (69.20.127.243) port 443 (#0)
successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs
SSLv3, TLS handshake, Client hello (1):
Unknown SSL protocol error in connection to www.lynda.com:443
Closing connection 0
curl: (35) Unknown SSL protocol error in connection to www.lynda.com:443
$ curl -V
curl 7.27.0 (x86_64-unknown-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
Same goes for php
$ cat test.php
'./configure' '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--prefix=/usr/lib64/php5.5' '--mandir=/usr/lib64/php5.5/man' '--infodir=/usr/lib64/php5.5/info' '--libdir=/usr/lib64/php5.5/lib' '--with-libdir=lib64' '--without-pear' '--enable-maintainer-zts' '--enable-bcmath' '--with-bz2=/usr' '--disable-calendar' '--enable-ctype' '--with-curl=/usr' '--enable-dom' '--without-enchant' '--disable-exif' '--enable-fileinfo' '--enable-filter' '--disable-ftp' '--with-gettext=/usr' '--without-gmp' '--enable-hash' '--without-mhash' '--with-iconv' '--disable-intl' '--enable-ipv6' '--enable-json' '--without-kerberos' '--enable-libxml' '--with-libxml-dir=/usr' '--enable-mbstring' '--with-mcrypt=/usr' '--without-mssql' '--with-onig=/usr' '--with-openssl=/usr' '--with-openssl-dir=/usr' '--disable-pcntl' '--enable-phar' '--enable-pdo' '--enable-opcache' '--without-pgsql' '--enable-posix' '--without-pspell' '--without-recode' '--enable-simplexml' '--disable-shmop' '--without-snmp' '--disable-soap' '--enable-sockets' '--with-sqlite3=/usr' '--without-sybase-ct' '--disable-sysvmsg' '--disable-sysvsem' '--disable-sysvshm' '--without-tidy' '--enable-tokenizer' '--disable-wddx' '--enable-xml' '--enable-xmlreader' '--disable-xmlwriter' '--without-xmlrpc' '--without-xsl' '--disable-zip' '--with-zlib=/usr' '--disable-debug' '--enable-dba' '--without-cdb' '--with-db4=/usr' '--disable-flatfile' '--with-gdbm=/usr' '--disable-inifile' '--without-qdbm' '--without-freetype-dir' '--without-t1lib' '--disable-gd-jis-conv' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--without-xpm-dir' '--with-gd' '--with-imap=/usr' '--with-imap-ssl=/usr' '--with-ldap=/usr' '--without-ldap-sasl' '--with-mysql=mysqlnd' '--with-mysqli=mysqlnd' '--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--without-pdo-dblib' '--with-pdo-mysql=mysqlnd' '--without-pdo-pgsql' 
'--with-pdo-sqlite=/usr' '--without-pdo-odbc' '--with-readline=/usr' '--without-libedit' '--without-mm' '--with-pic' '--with-pcre-regex=/usr' '--with-pcre-dir=/usr' '--with-config-file-path=/etc/php/cli-php5.5' '--with-config-file-scan-dir=/etc/php/cli-php5.5/ext-active' '--disable-embed' '--enable-cli' '--disable-cgi' '--disable-fpm' '--without-apxs2'
curl
cURL support => enabled
cURL Information => 7.35.0
?>
Happens to me too...
According to IRC user falconindy .. it seems to be something specific to IIS 7.5 ?
Another one with another weird problem that worked in .33 is this one:
https://secure.cbtnuggets.com/it-training-videos/course/mpls_fundamentals
Found it.
The original problem with lynda.com:
A - it doesn't like TLSv1 negotiations so you have to enforce SSLv3 with -3 and
B - it insists on an insecure cipher algorithm which curl disables these days so you have to override that. Appending "--ciphers ALL" makes it work.
The second case, cbtnuggets.com only suffers from case B, insisting on insecure ciphers.
I'm not convinced this is a bug in curl. These sites use insecure ciphers and curl is now actively helping out by not playing along without us noticing.
Yup, that was it .. So, is there any easy way to find out what a site doesn't like ? I didn't notice any other sites with problems .. but .. who knows ..
I recently encountered this for googlevideo...
[xbmc@mediacenter ~]$ curl -v 'https://r6---sn-i3co-i3be.googlevideo.com/videoplayback?sv
er=3&requiressl=yes&signature=069B9F2A1C2A2119B6C3038F37BCE01AF94763F5.80B5E792FA5E0FE645
D11FAAA302842CEA047C95&itag=22&id=775731e720ecb437&upn=SgvYepNqdzc&sparams=id,ip,ipbits,i
tag,ratebypass,requiressl,source,upn,expire&mt=1393649509&mv=m&ms=au&expire=1393670156&so
urce=youtube&ratebypass=yes&ipbits=0&fexp=935610,901803,916807,916611,929305,934227,93741
7,937416,913434,936910,936913,902907&key=yt5&ip=59.148.74.80|User-Agent=Mozilla%2F5.0+%28
Windows+NT+6.2%3B+Win64%3B+x64%3B+rv%3A16.0.1%29+Gecko%2F20121011+Firefox%2F16.0.1'
CApath: none
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
@Eric Liu: Did you try the "--ciphers ALL" and/or "--sslv3" tricks to see if they make the command line work?
I think I'll need to produce a separate "debugging SSL problems" document for things like this...
At some odd occasions with bad servers, you also need --ssl-allow-beast.
It works with --ciphers ALL
However, I am trying to watch YouTube on XBMC, so I cannot force it to read .curlrc.
Known curl+SSL problems and ways to work around them are now being documented in this document:
https://github.com/bagder/curl/blob/master/docs/SSL-PROBLEMS
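
One way to answer "what doesn't this site like?" with only the options named in this thread (--sslv3, --ciphers ALL, --ssl-allow-beast): try them in a fixed order and stop at the first combination that gets past the handshake. This is an added example, not part of the original thread or of curl; the function name probe_tls, the CURL override variable and the order of attempts are assumptions made here.

```shell
#!/bin/sh
# Added example: report the first set of curl options that completes the
# TLS handshake with a server, so only that much is relaxed for that host.
# CURL can be overridden (assumption of this example, used for offline tests).
CURL="${CURL:-curl}"

# probe_tls URL
#   prints "<label>|<options>" for the first attempt that succeeds
#   returns 0 on success, 1 if every attempt ends in curl error 35,
#   2 if curl fails for a reason other than the handshake (DNS, timeout, ...)
probe_tls() {
    url=$1
    while IFS='|' read -r label opts; do
        rc=0
        # $opts is left unquoted on purpose so it splits into separate options.
        "$CURL" --silent --output /dev/null --max-time 15 $opts "$url" \
            </dev/null || rc=$?
        case $rc in
            0)  printf '%s|%s\n' "$label" "$opts"; return 0 ;;
            35) continue ;;     # 35 = SSL connect error, as seen in the thread
            *)  echo "curl exit code $rc: not a handshake problem" >&2
                return 2 ;;
        esac
    done <<'EOF'
default|
SSLv3 only|--sslv3
all ciphers|--ciphers ALL
SSLv3 + all ciphers|--sslv3 --ciphers ALL
all ciphers + allow BEAST|--ciphers ALL --ssl-allow-beast
SSLv3 + all ciphers + allow BEAST|--sslv3 --ciphers ALL --ssl-allow-beast
EOF
    return 1
}

# Stand-alone use: sh probe_tls.sh https://host/
if [ "$#" -gt 0 ]; then
    probe_tls "$1"
fi
```

Whatever combination it reports is best applied only to requests for that one host rather than placed in a global .curlrc.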