Running curl with OpenSSL 0.9.8 against OpenSSL 1.0.0 server causes handshake error?
If I run curl against a machine that is running OpenSSL 1.0.0e for example:

curl -v https://shumaker.flexrentalsolutions.com

on a machine that is running OpenSSL 0.9.8r I get the following error:

About to connect() to shumaker.flexrentalsolutions.com port 443 (#0)
*   Trying 50.112.122.15... connected
* Connected to shumaker.flexrentalsolutions.com (50.112.122.15) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
* Closing connection #0

If I run the same curl command on a machine that is running OpenSSL 1.0.0e the command completes without any problem.

It appears the handshake is not completing properly, apparently due to some incompatibility between the two OpenSSL versions.

Any idea how to fix this?

Laurentia answered 23/12, 2011 at 18:59

This is an (OpenSSL) bug that's still open. Details have been posted in this curl bug report.

Further details were posted to OpenSSL-dev by "mancha".

Smallman answered 23/12, 2011 at 22:41

Comment: I was able to get Apache to use OpenSSL 0.9.8 by using a mod_ssl module build that pointed to OpenSSL 0.9.8. Making that change took care of the problem. Any idea when the OpenSSL 1.0.0 bug will be fixed? (Laurentia)

If you set the openssl version in the protocol, it works:

For the command line:

curl -v -3 https://shumaker.flexrentalsolutions.com

If in php:

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

Solidstate answered 21/6, 2013 at 12:27

Comment: I had this openssl bug error mentioned by the OP. The solution by @Solidstate solved my problem. Thank you! (Centesimal)


This isn't a good solution, but it's better than wheel spinning, so I'm going to add it here as an answer:

Use the GnuTLS module instead of mod_ssl, if you can. It's not bound to OpenSSL, so this horrible, day-wasting problem is neatly sidestepped.

Mauriac answered 18/1, 2012 at 19:40

Now, due to the POODLE vulnerability, many sites are disabling SSL 3.0.

You should use TLS like this:

curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

If you still get an error (with Apache), check that your vhost has the correct ServerName setting.

Finbur answered 21/5, 2015 at 12:20

Comment: POODLE did not exist in 2011. We knew the padding bug existed as early as 2005 or so, but most folks chose to ignore it. Browsers were part of the problem because they kept SSLv3 enabled for so long. See Loren Weith's Differences Between SSLv2, SSLv3, and TLS. (Tim)
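The two PHP answers above show the weak workaround (forcing SSLv3 with CURLOPT_SSLVERSION set to 3) and the corrected direction (CURL_SSLVERSION_TLSv1). The following is an added example, not code from any answer in this thread, that puts the two side by side in one request helper: it asks for TLS 1.2 where the PHP/libcurl build supports that constant, keeps peer and hostname verification switched on, and classifies the failure so that a handshake error like the one in the question is not "fixed" by disabling verification. The function name fetch_over_tls, the hostname, and the return structure are this example's own assumptions.

```php
<?php
// Added example (not from the thread above). Hypothetical helper: fetch a URL
// over TLS with verification on, instead of forcing SSLv3 as the
// "-3" / CURLOPT_SSLVERSION=3 workaround does.

function fetch_over_tls(string $url): array
{
    $ch = curl_init($url);

    // Weak setting from the earlier answer, shown only for contrast (do not use):
    //   curl_setopt($ch, CURLOPT_SSLVERSION, 3);   // forces SSLv3, broken by POODLE

    // Corrected setting: ask for TLS 1.2 when the build knows the constant
    // (PHP >= 5.5 with libcurl >= 7.34), otherwise "TLS 1.0 or newer".
    // Neither choice falls back to SSLv3.
    $minVersion = defined('CURL_SSLVERSION_TLSv1_2')
        ? CURL_SSLVERSION_TLSv1_2
        : CURL_SSLVERSION_TLSv1;
    curl_setopt($ch, CURLOPT_SSLVERSION, $minVersion);

    // Keep certificate and hostname checks on; a handshake error is never a
    // reason to turn these off.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($errno === 0) {
        return ['ok' => true, 'status' => $status, 'reason' => '', 'body' => $body];
    }

    // Sort the libcurl error into something an operator can act on.
    switch ($errno) {
        case CURLE_SSL_CONNECT_ERROR:
            // The case from the question (e.g. "SSL23_GET_SERVER_HELLO"):
            // no protocol/cipher agreement; fix the server or client TLS stack.
            $reason = 'tls-handshake-failed';
            break;
        case CURLE_SSL_CACERT:
        case CURLE_SSL_PEER_CERTIFICATE:
            // Certificate chain or hostname did not verify; fix the CA bundle
            // or the server certificate, not the verification flags.
            $reason = 'certificate-verification-failed';
            break;
        default:
            $reason = 'other';
    }

    return ['ok' => false, 'status' => $status, 'reason' => $reason, 'body' => $error];
}

// Usage (hostname is a placeholder, not one of the servers in the thread):
if (PHP_SAPI === 'cli') {
    $result = fetch_over_tls('https://example.invalid/');
    printf("ok=%s status=%d reason=%s\n",
        $result['ok'] ? 'yes' : 'no', $result['status'], $result['reason']);
    if (!$result['ok']) {
        echo $result['body'], "\n";   // libcurl's own error text
    }
}
```

The point of the classification is operational: a `tls-handshake-failed` result on an old OpenSSL 0.9.8 client is the version-mismatch case this thread is about and is addressed by upgrading the client (as the brew answer below does) or the server's TLS configuration, while a `certificate-verification-failed` result points at the trust store or the certificate, and neither should be answered by setting CURLOPT_SSL_VERIFYPEER to false.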

I have this issue on OS X using brew on some https servers; brew uses curl internally. Note this is only on OS X 10.7.5, which is stuck on OpenSSL/0.9.8r. I would upgrade, but Apple doesn't support > 10.7 on this iMac!

My fix was to upgrade curl with brew, which ups the version to 1.0.2f, luckily the brew install of curl doesn't

brew install curl

Thilda answered 2/2, 2016 at 7:34