SSL handshake failure with TLS 1.3
Asked Answered
K

1

8

curl fails with openssl version 1.1.1d butt works fine with OpenSSL/1.0.1t. I am trying to debug the reason and unable tto find one.

Please find below trace from curl logs.

Failure case (curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1d)

  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Success case. Uninstalled curl and installed curl version curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1t

* Connected to kafkaconnect-0.kc.default.svc.cluster.local (10.244.4.107) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DHE-DSS-AES256-GCM-SHA384
* Server certificate:
*    subject: CN=*.kc.default.svc.cluster.local.keystore.jks
*    start date: 2021-04-16 17:01:03 GMT
*    expire date: 2023-04-16 17:01:03 GMT
*    issuer: CN=Red-Security-CA
*    SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /connectors HTTP/1.1
> User-Agent: curl/7.38.0


Observations.
1. With older version, it was using SSLv3 and with latest version it is TLSv1.3
Kamilahkamillah answered 16/4, 2021 at 17:44 Comment(0)
K
1

One potential cause is not having a compatible cipher enabled for OpenSSL. In the success case, it appears to work with the DHE-DSS-AES256-GCM-SHA384. You can test that specific cipher with the other version of curl by adding the --ciphers command line argument to curl.

E.g.

curl <yoursitehere> --ciphers DHE-DSS-AES256-GCM-SHA384

You can also see which ciphers are enabled for OpenSSL by looking in the /etc/ssl/openssl.cnf file CipherString. Note that some are less/not secure thus they may have been removed.

Keynesianism answered 27/12, 2021 at 5:0 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.