I’ve used curl as a debugging tool for a long time. But time moves on and my testing system didn’t. So now for the first time I saw an error that is produced by this situation, and I will explain it.
$ curl ‐i ‐k https://julialang.org/
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
$ curl ‐help
... -2/--sslv2 Use SSLv2 (SSL) -3/--sslv3 Use SSLv3 (SSL) ... -1/--tlsv1 Use TLSv1 (SSL) ...
Compare this to a server which I’ve kept up-to-date with openssl and curl:
... -2/--sslv2 Use SSLv2 (SSL) -3/--sslv3 Use SSLv3 (SSL) ... -1/--tlsv1 Use => TLSv1 (SSL) --tlsv1.0 Use TLSv1.0 (SSL) --tlsv1.1 Use TLSv1.1 (SSL) --tlsv1.2 Use TLSv1.2 (SSL) ...
On this server I can fetch the home page with curl.
So it appears the older system does not have a compatible version of TLS. To confirm this use SSLLABS. We see this:
Sure enough, only TLS 1.2 is supported by the server, and my poor old curl doesn’t have that! Too bad for me, but it shows it’s time to upgrade.
Another problem site
askapache.com is another vexing site. On a curl version which supposedly supports tls 1.2 I get this error:
$ curl ‐‐tlsv1.2 ‐‐verbose ‐k https://askapache.com/
* About to connect() to askapache.com port 443 (#0) * Trying 188.8.131.52... connected * Connected to askapache.com (184.108.40.206) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * warning: ignoring value of ssl.verifyhost * NSS error -12286 * Closing connection #0 * SSL connect error curl: (35) SSL connect error
This is with curl version 7.19.7 on my CentOS 6.8 system.
This same site works fine on my compiled version of curl with the latest openssl, version 7.55.1. I guess the system-supplied curl is missing support for some cipher suites?
Another curl error explained
$ curl -v -i -k https://drjohnstechtalk.com/
* About to connect() to drjohnstechtalk.com port 443 (#0) * Trying 220.127.116.11... connected * Connected to drjohnstechtalk.com (18.104.22.168) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * warning: ignoring value of ssl.verifyhost * skipping SSL peer certificate verification * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: * subject: CN=drjohnstechtalk.com,C=US * start date: Apr 03 00:00:00 2017 GMT * expire date: Apr 03 23:59:59 2019 GMT * common name: drjohnstechtalk.com * issuer: CN=Trusted Secure Certificate Authority 5,O=Corporation Service Company,L=Wilmington,ST=DE,C=US > GET / HTTP/1.1 > Host: drjohnstechtalk.com > Accept: */* > User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.30; > * SSL read: errno -5961 * Closing connection #0 curl: (56) SSL read: errno -5961
What’s going on?
In this test drjohnstechtalk.com was behind a load balancer. The load balancer had SSL configured. The back-end server was not running however though the load balancer’s health check did not detect that condition. So the load balancer permitted the initial connection, but then shut things off when it could not open a connection to the back-end server. So this error has nothing to do with curl showing its age, but I didn’t know that when i started debugging it.
A TLS version error is explained, as well as the way it came about. Another curl/SSL error is also explained.
References and related
I eventually came up with the solution: compile my own updated version of curl! I describe how I did it in this blog post.