
#1453 "Unknown SSL protocol error" with curl > 7.34

Status: closed-wont-fix
Priority: 3
Updated: 2015-02-12
Created: 2014-11-19
Private: No

Hi!

I'm having problems with curl versions greater than 7.34.
It looks like curl > 7.34 has a problem with the server response.

RC4-SHA was the protocol selected by the server if I do not provide any cipher on the command line.

with curl 7.34:

    ]# /usr/local/curl-7.34/bin/curl -v -v -v --cipher 'RC4-SHA' --insecure https://keyman.siemens.at/
    * Hostname was NOT found in DNS cache
    *   Trying 158.226.250.57...
    * Adding handle: conn: 0x24f4ec0
    * Adding handle: send: 0
    * Adding handle: recv: 0
    * Curl_addHandleToPipeline: length: 1
    * - Conn 0 (0x24f4ec0) send_pipe: 1, recv_pipe: 0
    * Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using RC4-SHA
    * Server certificate:
    *   subject: OU=GMS GO GD AHS DBA; O=Siemens; C=AT; CN=keyman.siemens.at
    *   start date: 2014-06-26 08:30:17 GMT
    *   expire date: 2015-06-26 08:30:17 GMT
    *   issuer: C=DE; O=Siemens; serialNumber=ZZZZZZY7; OU=Copyright (C) Siemens AG 2013 All Rights Reserved; OU=Issuing CA for Siemens non-personalized SSL/TLS-based End Entities; CN=Siemens Issuing CA Intranet Server 2013
    *   SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
    > GET / HTTP/1.1

with curl 7.39:

    /usr/local/curl-7.39/bin/curl -v -v -v --cipher 'RC4-SHA' --tlsv1 --insecure https://keyman.siemens.at/
    * Hostname was NOT found in DNS cache
    *   Trying 158.226.250.57...
    * Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSLv3, TLS handshake, Client hello (1):
    * error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
    * Closing connection 0
    curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

If I use curl 7.39 without any ciphers, then I get this:

    /usr/local/curl-7.39/bin/curl -v -v -v --tlsv1 --insecure https://keyman.siemens.at/
    * Hostname was NOT found in DNS cache
    *   Trying 158.226.250.57...
    * Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSLv3, TLS handshake, Client hello (1):
    * Unknown SSL protocol error in connection to keyman.siemens.at:443
    * Closing connection 0
    curl: (35) Unknown SSL protocol error in connection to keyman.siemens.at:443

I have also done a tcpdump for both requests and am attaching it to this message. In both cases the server sends back a server hello done, but curl 7.39 seems not to be able to interpret that server response.
Server software is Windows IIS version 6.0.


Discussion

  • Daniel Stenberg - 2014-11-25
    • status: open --> pending
    • assigned_to: Daniel Stenberg

  • Andreas Lamprecht

    Hi!

    Sorry for the maybe stupid question, but is there another way of enabling RC4 than by adding --cipher 'RC4-SHA' to the curl command?
    If not, then I already tested it with curl 7.39 and it did not work, as you see below.

    Greetings
    Andreas

    From: Daniel Stenberg [mailto:bagder@users.sf.net]
    Sent: Tuesday, November 25, 2014 9:30 AM
    To: [curl:bugs]
    Subject: [curl:bugs] #1453 "Unknown SSL protocol error" with curl > 7.34

    • status: open --> pending
    • assigned_to: Daniel Stenberg
    • Comment:

    This most likely happens because curl disables RC4 by default since it is considered an insecure algorithm. If you want an insecure algorithm in your TLS handshake you must manually enable it with the --ciphers option.

    [bugs:#1453] http://sourceforge.net/p/curl/bugs/1453 "Unknown SSL protocol error" with curl > 7.34

    Status: pending
    Created: Wed Nov 19, 2014 05:47 PM UTC by Andreas Lamprecht
    Last Updated: Wed Nov 19, 2014 05:47 PM UTC
    Owner: Daniel Stenberg


  • Daniel Stenberg - 2014-11-25

    This most likely happens because curl disables RC4 by default since it is considered an insecure algorithm. If you want an insecure algorithm in your TLS handshake you must manually enable it with the --ciphers option.
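
As an added example (not from this ticket or the curl project), a small Python triage helper that reads curl -v transcripts like the three quoted above and reports the negotiated cipher suite, whether it is a suite a client should no longer accept, whether certificate verification was bypassed, and a plain reading of the error 35 line. The sample transcripts are constructed, abridged copies of the output in this report, and the hint strings are my own interpretation of the two error messages.

```python
import re

# Constructed, abridged excerpts of the three curl -v runs quoted in the report.
CURL_734_RC4 = """\
* Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
* SSLv3, TLS handshake, Server hello (2):
* SSL connection using RC4-SHA
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
"""
CURL_739_RC4 = """\
* Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
"""
CURL_739_DEFAULT = """\
* Connected to keyman.siemens.at (158.226.250.57) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to keyman.siemens.at:443
curl: (35) Unknown SSL protocol error in connection to keyman.siemens.at:443
"""

# Suite-name fragments a client should refuse; RC4 is the one this report negotiates.
WEAK_MARKERS = ("RC4", "DES-CBC", "NULL", "EXP-", "MD5")

# Error-35 strings from the report mapped to a plain reading (my interpretation).
ERROR_HINTS = {
    "SSL23_GET_SERVER_HELLO:unsupported protocol":
        "server accepted none of the protocol versions/suites the client offered",
    "Unknown SSL protocol error":
        "server dropped or mangled the handshake right after ClientHello",
}

def triage(verbose_output):
    """Summarise one curl -v transcript: suite, weakness, verify bypass, failure cause."""
    report = {"cipher": None, "weak": False, "verify_bypassed": False,
              "error": None, "hint": None}
    hit = re.search(r"^\* SSL connection using (\S+)", verbose_output, re.M)
    if hit:
        report["cipher"] = hit.group(1)
        report["weak"] = any(w in hit.group(1) for w in WEAK_MARKERS)
    # curl prints "continuing anyway" only when -k/--insecure suppressed a verify failure.
    report["verify_bypassed"] = "continuing anyway" in verbose_output
    err = re.search(r"^curl: \(35\) (.*)$", verbose_output, re.M)
    if err:
        report["error"] = err.group(1)
        report["hint"] = next((h for k, h in ERROR_HINTS.items() if k in err.group(1)),
                              "unrecognised TLS failure; capture the handshake")
    return report
```

Run triage() over a saved `curl -v` log to see at a glance whether a "working" connection only works because a weak suite and --insecure were accepted.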


  • Daniel Stenberg - 2014-12-15
    • status: pending --> closed-wont-fix