2

I have a problem with a self-signed SSL certificate and curl.

The server is lighttpd. HTTPS works fine:

$ curl https://192.168.144.1/zxc -k
HELLO

But with redirection from HTTP it fails:

curl http://192.168.144.1:81/zxc -kvL
*   Trying 192.168.144.1...
* TCP_NODELAY set
* Connected to 192.168.144.1 (192.168.144.1) port 81 (#0)
> GET /zxc HTTP/1.1
> Host: 192.168.144.1:81
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.144.1:81/zxc
< Content-Length: 0
< Date: Sat, 30 May 2020 06:59:57 GMT
< Server: lighttpd/1.4.48
<
* Connection #0 to host 192.168.144.1 left intact
* Issue another request to this URL: 'https://192.168.144.1:81/zxc'
* Hostname 192.168.144.1 was found in DNS cache
*   Trying 192.168.144.1...
* TCP_NODELAY set
* Connected to 192.168.144.1 (192.168.144.1) port 81 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

........... HERE IT GETS STUCK FOR A MINUTE ....................

* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.144.1:81
* stopped the pause stream!
* Closing connection 1
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.144.1:81

One possible solution I found here: https://stackoverflow.com/a/44494250/3743145, which is CURLOPT_SSL_VERIFYPEER=false. How do I pass it to the curl CLI?

kyb
  • Are you on a Mac? I am seeing that the cert in /etc/ssl/cert.pem expired today. I have the same issue on my Mojave computer, I don't know how to renew it, nor get an updated one? My Catalina computer has a newer cert, I am wondering if it is possible to just copy it. – naterudd May 30 '20 at 13:20

2 Answers

2
> * LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.144.1:81

The error is SSL_ERROR_SYSCALL and this has nothing to do with certificate validation. In fact, a closer look at what you are doing shows that you are redirecting from plain HTTP on port 81 to HTTPS on the same port.

curl http://192.168.144.1:81/zxc -kvL
...
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.144.1:81/zxc

This is very different from what you've tested before, where you used HTTPS on the standard port (443). And it is very likely that your HTTP server does not speak HTTP and HTTPS on the same port 81 - most servers don't even support this kind of configuration.

Steffen Ullrich
  • Thank you. I have created a new question about how to fix this problem. Please take a look: https://stackoverflow.com/questions/62109311/lighttpd-redirect-from-custom-http-port-81-to-https-port-443 – kyb May 30 '20 at 22:19
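
The diagnosis in the answer above, as an added example that is not part of the original posts: it flags a redirect that switches from http to https while keeping the same port, then shows that a TLS handshake against a plaintext-only listener fails even with certificate verification disabled (the equivalent of `curl -k`). The function names and the loopback listener are constructed for illustration; the URLs are the ones from the question.

```python
import socket, ssl, threading
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

def upgrades_on_same_port(request_url, location):
    """True when a redirect switches http -> https but keeps the TCP port."""
    src, dst = urlsplit(request_url), urlsplit(location)
    same_port = (src.port or DEFAULT_PORT.get(src.scheme)) == (dst.port or DEFAULT_PORT.get(dst.scheme))
    return (src.scheme, dst.scheme) == ("http", "https") and src.hostname == dst.hostname and same_port

def start_plain_http_listener():
    """Constructed stand-in for the port-81 listener: answers in plain HTTP, no TLS."""
    srv = socket.create_server(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(4096)  # the client's TLS ClientHello arrives here
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def tls_handshake(host, port, timeout=5):
    """Try a TLS handshake with certificate checks disabled, as curl -k does."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return True, tls.version()
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return False, type(exc).__name__

if __name__ == "__main__":
    # URLs taken from the verbose curl output in the question
    print(upgrades_on_same_port("http://192.168.144.1:81/zxc", "https://192.168.144.1:81/zxc"))
    # The handshake fails before any certificate is exchanged, so -k cannot help
    print(tls_handshake("127.0.0.1", start_plain_http_listener()))
```

A real server may hang or drop the connection instead of answering the ClientHello with an HTTP error; the handshake fails in each case before certificate validation is reached.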
0

I had a similar problem and fixed it by making sure the private key in my cert is in the correct format. https://sysadminupdates.com/blog/2021/06/22/ssl-error-libressl-ssl_connect-ssl_error_syscall/