I’ve used curl as a debugging tool for a long time. But time moves on and my testing system didn’t. So now for the first time I saw an error that is produced by this situation, and I will explain it.
$ curl -i -k https://julialang.org/
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
$ curl -help
...
 -2/--sslv2   Use SSLv2 (SSL)
 -3/--sslv3   Use SSLv3 (SSL)
...
 -1/--tlsv1   Use TLSv1 (SSL)
...
Compare this to a server which I’ve kept up-to-date with openssl and curl:
...
 -2/--sslv2   Use SSLv2 (SSL)
 -3/--sslv3   Use SSLv3 (SSL)
...
 -1/--tlsv1   Use => TLSv1 (SSL)
 --tlsv1.0    Use TLSv1.0 (SSL)
 --tlsv1.1    Use TLSv1.1 (SSL)
 --tlsv1.2    Use TLSv1.2 (SSL)
...
On this server I can fetch the home page with curl.
So it appears the older system does not have a compatible version of TLS. To confirm this, use SSLLABS. We see this:
Sure enough, only TLS 1.2 is supported by the server, and my poor old curl doesn’t have that! Too bad for me, but it shows it’s time to upgrade.
Another problem site
askapache.com is another vexing site. On a curl version which supposedly supports TLS 1.2 I get this error:
$ curl --tlsv1.2 --verbose -k https://askapache.com/
* About to connect() to askapache.com port 443 (#0)
* Trying 18.104.22.168... connected
* Connected to askapache.com (22.214.171.124) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
This is with curl version 7.19.7 on my CentOS 6.8 system.
This same site works fine on my compiled version of curl with the latest openssl, version 7.55.1. I guess the system-supplied curl is missing support for some cipher suites?
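The two error codes quoted on this page can be decoded offline to see what each TLS library is actually reporting. The script below is an added example, not part of the original post; its function names are hypothetical, and it assumes the OpenSSL 1.0.x error packing (8-bit library, 12-bit function, 12-bit reason, with peer alerts offset by 1000) and NSS's SSL_ERROR_BASE of -12288.

```shell
#!/bin/sh
# Added example: decode the OpenSSL and NSS error codes shown in curl's output.
# Function names are hypothetical; the sample lines are copied from this page.

# Name a TLS alert description number (small subset of the RFC 5246 list).
tls_alert_name() {
    case "$1" in
        40) echo handshake_failure ;;
        70) echo protocol_version ;;
        71) echo insufficient_security ;;
        80) echo internal_error ;;
        *)  echo "alert_$1" ;;
    esac
}

# OpenSSL 1.0.x packs an error as lib(8 bits) | func(12 bits) | reason(12 bits).
# Reasons above 1000 are alerts received from the peer (1000 + alert number).
decode_openssl_error() {
    hex=$(printf '%s\n' "$1" | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p')
    [ -n "$hex" ] || { echo "no OpenSSL error code found"; return 1; }
    code=$(( 0x$hex ))
    lib=$(( (code >> 24) & 255 ))
    func=$(( (code >> 12) & 4095 ))
    reason=$(( code & 4095 ))
    if [ "$reason" -gt 1000 ]; then
        echo "lib=$lib func=$func peer_alert=$(tls_alert_name $((reason - 1000)))"
    else
        echo "lib=$lib func=$func local_reason=$reason"
    fi
}

# NSS numbers its SSL errors upward from SSL_ERROR_BASE (-12288).
decode_nss_error() {
    num=$(printf '%s\n' "$1" | sed -n 's/.*NSS error \(-[0-9][0-9]*\).*/\1/p')
    [ -n "$num" ] || { echo "no NSS error code found"; return 1; }
    off=$(( num + 12288 ))
    case "$off" in
        2)  echo SSL_ERROR_NO_CYPHER_OVERLAP ;;
        98) echo SSL_ERROR_PROTOCOL_VERSION_ALERT ;;
        *)  echo "SSL_ERROR_BASE+$off" ;;
    esac
}

# The two error lines from this page.
decode_openssl_error 'curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version'
decode_nss_error '* NSS error -12286'
```

For the two lines from this page it reports a protocol_version alert sent by the server (library 20 is OpenSSL's SSL library) and SSL_ERROR_NO_CYPHER_OVERLAP from NSS.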
A TLS version error is explained, as well as the way it came about.
References and related
I eventually came up with the solution: compile my own updated version of curl! I describe how I did it in this blog post.