#677 Ebay deactivated SSLv3

[Markus Malkusch]

Ebay recently deactivated SSLv3 (probably because of POODLE):

openssl s_client -host signin.ebay.com -port 443 -ssl3
CONNECTED(00000003)
write:errno=104

Fortunatly TLSv1 is working:

openssl s_client -host signin.ebay.com -port 443
…
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5

Let's go back (see attachment) to CURL's default behaviour:

The default action. This will attempt to figure out the remote SSL protocol version, i.e. either SSLv3 or TLSv1

These observations were made with a recent openssl-1.0.1j. When I compiled CURL against GnuTLS it didn't work at all.

[Frank Löffler]

I noticed the same problem, and did essentially the same as the patch (using the existing #if). I ran into the same problem. Using the debug mode I found that eBay was redirecting the login request not to the usual page, but their user agreement page. Using a regular browser, I logged out (of eBay), and in again - and also their this redirection happened: I simply had to agree to the changes they made to their user agreements. After this esniper could login as usual again.

While this didn't solve the problem with SSLv3, it shows that the proposed patch (not forcing SSLv3) seems to work - using gnutls.

Some details about my setup:

esniper version 2.31.0 (CVS)
libcurl/7.26.0 GnuTLS/2.12.20 zlib/1.2.7 libidn/1.25 libssh2/1.4.2 librtmp/2.3

[Bodo]

I deactivated the call in http.c by changing the line #if 1 to #if 0. This change is in CVS now. I guess I have to create a new release soon.

[Markus Malkusch]

I guess I have to create a new release soon.

Not necessarily. As far as I can see esniper-2-31-0 doesn't include those lines. They came from #670. So this is a CVS only issue.

[Aron Quells]

I encountered the same error message (Cannot connect to URL https://signin.ebay.de/ws/eBayISAPI.dll?SignIn: SSL connect error: gnutls_handshake() failed: Illegal parameter), downloaded, compiled and installed version 2.31.0, but I still get the error!
In some cases the login works however, after repeated attemps, but some auctions failed now :-( I think the problem is not solved yet.

[Markus Malkusch]

Well I'd say this issue here (no more SSLv3 at ebay) is solved, which brings back a few of those who compiled curl against GnuTLS to #670.

Issue #670 will need a different solution than restricting to SSLv3.

[Helmut Heller]

I got the latest CVS version (also tried 2.31.0) but I still get errors:

Auction 151462494807: Cannot connect to URL https://signin.ebay.com/ws/eBayISAPI.dll?SignIn: SSL connect error: gnutls_handshake() failed: Illegal parameter
Retrying...

this repeats and then esniper aborts.

I have this curl:

curl --version
curl 7.35.0 (i686-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

[Markus Malkusch]

SSL connect error: gnutls_handshake()

This sounds so much like you are using GnuTLS. See #670. I guess if you check with ldd the linked libraries you will find a GnuTLS.