#1340 7.35.0 ssl request fails (handshake error) when no --cipher is provided

closed-duplicate
None
5
2014-08-19
2014-03-07
Linas
No

This happens at least with one url: https://rest.telesign.com

7.34.0 works ok
7.35.0 fails with handshake error
7.36.0-DEV same as 7.35.0 at the time of writing

openssl version: OpenSSL 1.0.1e-fips 11 Feb 2013
OS: CentOS 6.4; CentOS 6.5; Cloudlinux 6.5

Curl Versions:

[#] ./curl-7.34.0/src/curl -V
curl 7.34.0 (x86_64-unknown-linux-gnu) libcurl/7.34.0 OpenSSL/1.0.1e zlib/1.2.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz

[#] ./curl-7.35.0/src/curl -V
curl 7.35.0 (x86_64-unknown-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1e zlib/1.2.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz

7.34.0 request output:
[#] ./curl-7.34.0/src/curl -v 'https://rest.telesign.com'
[ ... ]

* Connected to rest.telesign.com (199.27.228.143) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
[ ... ]
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
{"errors": [{"code": -40004, "description": "Resource Not Found"}]}

7.35.0 request output:
[#] ./curl-7.35.0/src/curl -v 'https://rest.telesign.com'
[ ... ]

* Connected to rest.telesign.com (199.27.228.143) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

7.35.0 request output (with --cipher):
[#] ./curl-7.35.0/src/curl -v 'https://rest.telesign.com' --cipher 'RC4-SHA'
[ ... ]

* Connected to rest.telesign.com (199.27.228.143) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
[ ... ]
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
{"errors": [{"code": -40004, "description": "Resource Not Found"}]}

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2014-03-09
    • status: open --> pending
    • assigned_to: Daniel Stenberg
     
  • Daniel Stenberg

    Daniel Stenberg - 2014-03-09

    This is probably not a bug. We explicitly disable RC4 from our list of supported ciphers since it is broken and considered insecure.

    We've started a document to collect reasons and explanations to common curl+SSL problems: https://github.com/bagder/curl/blob/master/docs/SSL-PROBLEMS

    My only concern is that RC4 is documented as a way to mitigate BEAST with TLS 1.0...

     
  • Daniel Stenberg

    Daniel Stenberg - 2014-03-15
    • status: pending --> closed-duplicate
     
  • Daniel Stenberg

    Daniel Stenberg - 2014-03-15

    See bug [#1329]

     

    Related

    Bugs: #1329
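
As an added example (not part of the original report and not curl project code), the following Python classifies `curl -v` transcripts like the ones quoted in this ticket and compares a default-cipher run with a forced-cipher run to tell a missing cipher overlap apart from other handshake failures. The function names `parse_run`, `is_weak` and `triage` are hypothetical, and flagging only RC4 as weak is an assumption made for this ticket.

```python
import re

# Handshake lines excerpted from the transcripts in the report above.
# RC4_OK matches both the 7.34.0 run and the 7.35.0 run with --cipher 'RC4-SHA'.
RC4_OK = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSL connection using RC4-SHA
"""
DEFAULT_7_35 = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
"""

CIPHER_RE = re.compile(r"^\* SSL connection using (\S+)", re.M)
ALERT_RE = re.compile(r"^curl: \(35\) .*alert handshake failure", re.M)
WEAK_TOKENS = ("RC4",)  # assumption: only RC4, the cipher this ticket is about


def parse_run(log):
    """Return (status, cipher) for one `curl -v` transcript."""
    m = CIPHER_RE.search(log)
    if m:
        return ("connected", m.group(1))
    if ALERT_RE.search(log):
        return ("handshake_failure", None)
    return ("unknown", None)


def is_weak(cipher):
    return cipher is not None and any(t in cipher for t in WEAK_TOKENS)


def triage(default_log, forced_log):
    """Compare a default-cipher run with a run that forced one cipher."""
    d_status, d_cipher = parse_run(default_log)
    f_status, f_cipher = parse_run(forced_log)
    if d_status == "connected":
        if is_weak(d_cipher):
            return "default list negotiates weak cipher " + d_cipher
        return "no cipher mismatch"
    if d_status == "handshake_failure" and f_status == "connected":
        if is_weak(f_cipher):
            return "no overlap with client defaults; server accepts weak cipher " + f_cipher
        return "client default list lacks " + f_cipher
    return "inconclusive"


if __name__ == "__main__":
    print(triage(DEFAULT_7_35, RC4_OK))
```
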
