Running curl with OpenSSL 0.9.8 against OpenSSL 1.0.0 server causes handshake error?

StackOverflow https://stackoverflow.com/questions/8916296

  •  17-04-2021

Question

If I run curl against a machine that is running OpenSSL 1.0.0e for example:

curl -v https://shumaker.flexrentalsolutions.com

on a machine that is running OpenSSL 0.9.8r I get the following error:

About to connect() to shumaker.flexrentalsolutions.com port 443 (#0)
*   Trying 50.112.122.15... connected
* Connected to shumaker.flexrentalsolutions.com (50.112.122.15) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
* Closing connection #0

If I run the same curl command on a machine that is running OpenSSL 1.0.0e the command completes without any problem.

It appears the handshake is not completing properly, apparently due to some incompatibility between the two OpenSSL versions.

Any idea how to fix this?


Solution

This is an (OpenSSL) bug that's still open. Details have been posted in this curl bug report.

Further details were posted to OpenSSL-dev by "mancha".

Other tips

If you set the openssl version in the protocol, it works:

For the command line:

curl -v -3 https://shumaker.flexrentalsolutions.com

If in php:

curl_setopt($ch, CURLOPT_SSLVERSION,3);

Now, due to the POODLE vulnerability, many sites are disabling SSL 3.0.

You should use TLS like this:

curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

If you still have an error (for Apache), check if your vhost gets the correct ServerName setting.
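
Added example, not part of the question or any answer: decoding the packed error code from the question's curl output. It shows that reason 1112 is 1000 plus TLS alert 112 (unrecognized_name, the SNI alert from RFC 6066), which is why the vhost ServerName is worth checking. It assumes the ERR_PACK layout used by OpenSSL before 3.0; the function name decode_openssl_error and the second sample line are constructed for illustration.

```python
import re

# Assumption: ERR_PACK layout of OpenSSL before 3.0 (8-bit library,
# 12-bit function, 12-bit reason), which covers 0.9.8 and 1.0.0.
ERR_LIB_SSL = 20             # library number of "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # SSL reason = 1000 + alert number sent by the peer

# Subset of TLS alert descriptions (RFC 5246 and RFC 6066).
TLS_ALERTS = {
    40: "handshake_failure",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",  # SNI: server does not know the requested host name
}

ERR_LINE = re.compile(r"error:([0-9A-Fa-f]{1,8}):")


def decode_openssl_error(line):
    """Split the packed code in an OpenSSL error line into its fields."""
    match = ERR_LINE.search(line)
    if match is None:
        return None
    code = int(match.group(1), 16)
    fields = {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "alert": None,
        "alert_name": None,
    }
    # Reasons above the offset in the SSL library mirror a received TLS alert.
    if fields["lib"] == ERR_LIB_SSL and fields["reason"] > SSL_AD_REASON_OFFSET:
        fields["alert"] = fields["reason"] - SSL_AD_REASON_OFFSET
        fields["alert_name"] = TLS_ALERTS.get(fields["alert"], "unknown")
    return fields


SAMPLES = [
    # Line from the question's curl output.
    "* error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)",
    # Constructed sample for contrast: a handshake_failure alert.
    "* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", decode_openssl_error(sample))
```

OpenSSL 0.9.8 has no text for this reason number, so it prints the bare reason(1112) seen in the question.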

This isn't a good solution, but it's better than wheel spinning, so I'm going to add it here as an answer:

Use the GnuTLS module instead of mod_ssl, if you can. It's not bound to OpenSSL, so this horrible, day-wasting problem is neatly sidestepped.

I have this issue on OS X using brew on some https servers; brew uses curl internally. Note this is only on OS X 10.7.5, which is stuck on OpenSSL/0.9.8r. I would upgrade but Apple doesn't support > 10.7 on this iMac!

My fix was to upgrade curl with brew, which ups the version to 1.0.2f, luckily the brew install of curl doesn't

brew install curl
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow