
I am trying to connect to server B from server A using curl (https). I have already tried with -k and it doesn't work.

I have looked into several posts and spotted a blog on this link, but the issue still exists.

When I do a curl from server A, I am getting the following error:

* Rebuilt URL to: https://x.x.x.x:8443/
* Hostname was NOT found in DNS cache
*   Trying x.x.x.x...
* Connected to x.x.x.x (x.x.x.x) port 8443 (#0)
* successfully set certificate verify locations:
*   CAfile: /tmp/cert_test/certRepo
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
curl: (35) error:140770FC:**SSL routines:SSL23_GET_SERVER_HELLO:**unknown protocol

I went to server B (https://x.x.x.x:8443/) in the browser and downloaded the root, intermediate and client certificates. As suggested in the blog, I created a new folder, combined all the public certs into one file in that directory and tried to execute the curl command

curl -v --cacert /tmp/cert_test/certRepo https://x.x.x.x:8443

I am getting GET_SERVER_HELLO:unknown protocol

Any thoughts?

curl version from the client machine:

curl 7.37.0 (x86_64-suse-linux-gnu) libcurl/7.37.0 OpenSSL/0.9.8j zlib/1.2.7 libidn/1.10
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz

I am very sure the server is using TLSv1.2.

user3384231
  • "GET_SERVER_HELLO:unknown protocol" typically means you are connecting to something that does not speak TLS at all. Make sure it is configured properly. It can not be a certificate problems, since that happens after, here your client sent its ClientHello TLS record and expected back a ServerHello TLS record but good garbage (that is not TLS) instead. Also IP addresses in HTTPS urls are not a good idea. And this is not very programming related, so offtopic here for now. – Patrick Mevzek Aug 02 '19 at 19:58
  • @PatrickMevzek the server does understand TLS v 1.2 as other applications are connecting to it correctly.Is there any way I can specify in the CURL, TLS version? – user3384231 Aug 04 '19 at 15:55
  • @PatrickMevzek I have done the set up with hostname, not using IP address anymore. – user3384231 Aug 04 '19 at 16:15
  • @PatrickMevzek I noticed: SSLv3, TLS handshake, Client hello (1):, the server understands....could it be that the curl is using sslv3 and the server only understand TLS v1.2? any thoughts? – user3384231 Aug 04 '19 at 16:30
  • Could you add output of test `https://x.x.x.x:8443/`, which will be made by `github.com/drwetter/testssl.sh`, please? There will be listed all supported TLS versions/ciphers. – Jan Garaj Aug 06 '19 at 06:01
  • @JanGaraj the admin guys managing the environment won't allow me to add any external files due to security concerns. – user3384231 Aug 06 '19 at 09:49
  • Does this site help? https://www.ssl247.com/kb/ssl-certificates/troubleshooting/apache/ssl-routine-error-140770fc-unknown-protocol-apache – zomega Aug 06 '19 at 18:29
  • openssl 0.9.8j was released 10.5 years ago. It does not support TLS 1.2 - https://stackoverflow.com/questions/48178052/when-was-tls-1-2-support-added-to-openssl – Tomer Aug 12 '19 at 02:29

1 Answer


You did not post your curl/libssl version, but my best guess is that you're using an ancient build of an SSL/TLS library, and/or an ancient version of curl which does not support whatever version of SSL/TLS that server is using. Update your libssl and curl and try again. Also post the output of curl --version.

PS, if you're on Linux, you can get rough curl+openssl compile instructions here.

hanshenrik
  • Updated my question with the client version of curl and the TLS version from the server. From your experience, do you think it's because of a version mismatch between client and server? Is there any other information I can find out from the server that will help further? – user3384231 Aug 07 '19 at 12:52
  • @user3384231 curl version 7.37.0 is from 2014, it's 5-6 years old; update to a 2019 version and try again... – hanshenrik Aug 07 '19 at 12:53
  • Ok. I will check with the admin, as I don't have access rights to update the curl version. Thanks. Will let you know. – user3384231 Aug 07 '19 at 12:54
  • @user3384231 do you have to use the OS-supplied version of curl? Can't you just add your own curl in your own folder? (if the sysadmin doesn't want to update, at least) – hanshenrik Aug 07 '19 at 12:56
  • Yeah, I have this option in mind. I will check if they can allow me to install curl in my own directory. – user3384231 Aug 07 '19 at 13:03
  • @user3384231 if you want to give the sysadmins some convincing arguments to update curl, show them this page: https://curl.haxx.se/docs/vuln-7.37.0.html - good luck. (that page is specifically about curl version 7.37.0) – hanshenrik Aug 07 '19 at 13:04
  • Thanks. :) You made my life easy. This will help in justifying. – user3384231 Aug 07 '19 at 13:05
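A small POSIX shell script, added here as an illustration (it is not from the question or the answer), that applies the diagnosis above mechanically: it reads a `curl --version` banner, pulls out the OpenSSL token, and reports whether that OpenSSL is at least 1.0.1, the first release with TLS 1.2 support. The banner from the question is embedded as constructed input; the script touches no network.

```shell
#!/bin/sh
# Added example: decide from a `curl --version` banner whether the linked OpenSSL
# can speak TLS 1.2 at all (TLS 1.1/1.2 arrived in OpenSSL 1.0.1). Constructed
# input: the first line of the banner quoted in the question.
CURL_VERSION_BANNER='curl 7.37.0 (x86_64-suse-linux-gnu) libcurl/7.37.0 OpenSSL/0.9.8j zlib/1.2.7 libidn/1.10'

# Print the OpenSSL version token (e.g. "0.9.8j") found in a banner, or nothing
# if curl was built against another TLS library (GnuTLS, NSS, ...).
openssl_version_from_banner() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's#^OpenSSL/##p' | head -n 1
}

# Exit 0 if an OpenSSL version string is >= 1.0.1, 1 otherwise. Only the numeric
# major.minor.patch part is compared; the letter suffix (the "j" in 0.9.8j) is ignored.
openssl_supports_tls12() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$ver" | cut -s -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s' "$ver" | cut -s -d. -f3)
    [ -n "$major" ] || major=$ver        # bare "3" has no dots at all
    [ -n "$major" ] || return 1
    [ -n "$minor" ] || minor=0
    [ -n "$patch" ] || patch=0
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 0 ]; then return 0; fi
    [ "$patch" -ge 1 ]
}

# One-line verdict for a banner; exit status 0 = TLS 1.2 available, 1 = too old,
# 2 = no OpenSSL token (a different TLS backend needs its own check).
check_curl_banner() {
    v=$(openssl_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "no OpenSSL token in banner (curl may be built against another TLS library)"
        return 2
    fi
    if openssl_supports_tls12 "$v"; then
        echo "OpenSSL $v: TLS 1.2 available; look elsewhere for the handshake failure"
        return 0
    fi
    echo "OpenSSL $v predates 1.0.1: no TLS 1.2, so a TLS-1.2-only server cannot complete the handshake"
    return 1
}

status=0
check_curl_banner "$CURL_VERSION_BANNER" || status=$?
echo "exit status: $status"
```

On a machine you administer, `curl --version | head -n 1` supplies the banner; a result of 2 means the check does not apply to that build rather than that it is fine.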