1

On my ubuntu 14.04 LTS-server SSLv2 and SSLv3 are disabled. I'm running different apps on the server. One app needs to use curl to connect another app hosted on the same machine.

The problem is, that the connection works on my ubuntu 14.04 TLS-KDE-client, but not on my server itself.

On both, server and client, the same curl- and openssl-versions are running:

$ curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

On the client I get

$ sudo curl -X HEAD -D - https://server.foobar.net:443/owncloud/remote.php/carddav/addressbooks/foobar/kontakte/
HTTP/1.1 401 Unauthorized
Date: Wed, 09 Sep 2015 04:46:55 GMT
Server: Apache
Set-Cookie: oc6c79ce288a=hcv4snboaf31v9a4nnse5g8ts3; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *; connect-src *
X-Robots-Tag: none
WWW-Authenticate: Basic realm="ownCloud"
Content-Type: application/xml; charset=utf-8

On the server I get

$ sudo curl -X HEAD -D - https://server.foobar.net:443/owncloud/remote.php/carddav/addressbooks/foobar/kontakte/
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Please point me to the right direction.

Andre
  • 623
  • 2
  • 9
  • 20

2 Answers2

0

This could happen if clients do not support TLS 1.2. You could use TLS 1.1 and TLS 1.0 as fallback options. To check if your SSL-configuration is valid, use SSL Labs (https://www.ssllabs.com/ssltest/). This could help to find any wrong configurations.

You could also try to add --no-check-certificate within your curl-request.

On another post, you can read this:

A simple test is to use wget (or a browser) to request http://example.com:443 (note the http://, not https://); if it works, SSL is not enabled on port 443. To further debug this, use openssl s_client with the -debug option, which right before the error message dumps the first few bytes of the server response which OpenSSL was unable to parse. This may help to identify the problem, especially if the server does not answer with a ServerHello message. To see what exactly OpenSSL is expecting, check the source: look for SSL_R_UNKNOWN_PROTOCOL in ssl/s23_clnt.c.

In any case, looking at the apache error log may provide some insight too.

Hope this helps.

Community
  • 1
  • 1
Ben
  • 1,579
  • 4
  • 20
  • 34
0

I checked the server by https://www.ssllabs.com/ssltest/ and ist says that the certificate is valid and that the server supports TLS 1.2, 1.1 and also 1.0.

You could also try to add --no-check-certificate within your curl-request.

I also tried the -k option with curl (I think --no-check-certificate cannot be used with curl but with wget) with the same result. In the apache log I can see nothing; I think because the connection tries to come in by SSL.

With openssl s_client -debug server.foobar.net:443/owncloud/remote.php/carddav/addressbooks/foobar/kontakte/ I get this: 

140093535233696:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

EDIT: Now I got it! In the /etc/hosts of my server there was a wrong configuration.

Andre
  • 623
  • 2
  • 9
  • 20