
If I run curl against a machine that is running OpenSSL 1.0.0e for example:

curl -v https://shumaker.flexrentalsolutions.com

on a machine that is running OpenSSL 0.9.8r I get the following error:

* About to connect() to shumaker.flexrentalsolutions.com port 443 (#0)
*   Trying 50.112.122.15... connected
* Connected to shumaker.flexrentalsolutions.com (50.112.122.15) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
* Closing connection #0

If I run the same curl command on a machine that is running OpenSSL 1.0.0e the command completes without any problem.

It appears the handshake is not completing properly, apparently due to some incompatibility between the two OpenSSL versions.

Any idea how to fix this?

rogiller

5 Answers

If you set the openssl version in the protocol, it works:

For the command line:

curl -v -3 https://shumaker.flexrentalsolutions.com

If in php:

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

jbaylina

This is an (OpenSSL) bug that's still open. Details have been posted in this curl bug report.

Further details were posted to OpenSSL-dev by "mancha".

Daniel Stenberg

  • I was able to get Apache to use OpenSSL 0.9.8 by using a mod_ssl module build that pointed to OpenSSL 0.9.8. Making that change took care of the problem. Any idea when the OpenSSL 1.0.0 bug will be fixed? – rogiller Dec 30 '11 at 15:27

Now, due to the POODLE vulnerability, many sites are disabling SSL 3.0.

You should use TLS like this:

curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

If you still get an error (for Apache), check that your vhost has the correct ServerName setting.

Syed Ali Salman
Xixi
  • POODLE did not exist in 2011. We knew the padding bug existed as early as 2005 or so, but most folks chose to ignore it. Browsers were part of the problem because they kept SSLv3 enabled for so long. See Loren Weith's [Differences Between SSLv2, SSLv3, and TLS](http://www.yaksman.org/~lweith/ssl.pdf). – jww May 21 '15 at 21:18
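An added example in PHP, not code from the question or any of the answers, that ties the two workarounds above together: it recognises the SSL23_GET_SERVER_HELLO failure from the question and retries with a TLS version pin rather than the SSLv3 pin, with certificate verification left on. It assumes the PHP curl extension and uses CURL_SSLVERSION_TLSv1_2 where that constant exists (PHP 5.5.19+/5.6.3+ with curl 7.34+), otherwise the CURL_SSLVERSION_TLSv1 constant from the answer above.

```php
<?php
// Added example, not code from the question or answers. Assumes the PHP curl
// extension; CURL_SSLVERSION_TLSv1_2 needs PHP >= 5.5.19 and curl >= 7.34.

// Strictest TLS-only pin this build knows. Deliberately never returns
// CURL_SSLVERSION_SSLv3 (the literal 3 from the first answer): that also
// avoids the 0.9.8/1.0.0 handshake bug, but by re-enabling SSLv3 (POODLE).
function preferred_tls_version()
{
    return defined('CURL_SSLVERSION_TLSv1_2')
        ? CURL_SSLVERSION_TLSv1_2
        : CURL_SSLVERSION_TLSv1;
}

// Recognise the failure from the question: the 0.9.8 SSLv23 hello routine
// rejecting the 1.0.0 server hello. Other errors (bad certificate, timeout)
// must not trigger the protocol-pin workaround.
function is_ssl23_hello_failure($curlError)
{
    return strpos($curlError, 'SSL23_GET_SERVER_HELLO') !== false;
}

// Fetch $url; $sslVersion null = curl's default auto-negotiation, otherwise a
// CURL_SSLVERSION_* pin. Certificate and hostname checks stay on either way.
function fetch_https($url, $sslVersion = null)
{
    $ch = curl_init($url);
    $opts = array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep the chain check
        CURLOPT_SSL_VERIFYHOST => 2,    // and the certificate name check
        CURLOPT_TIMEOUT        => 15,
    );
    if ($sslVersion !== null) {
        $opts[CURLOPT_SSLVERSION] = $sslVersion;
    }
    curl_setopt_array($ch, $opts);
    $body  = curl_exec($ch);
    $error = curl_error($ch);
    curl_close($ch);
    return array($body === false ? null : $body, $error);
}

$url = 'https://shumaker.flexrentalsolutions.com'; // host from the question
list($body, $error) = fetch_https($url);
if ($body === null && is_ssl23_hello_failure($error)) {
    // Old client-side OpenSSL: retry with an explicit TLS version pin.
    list($body, $error) = fetch_https($url, preferred_tls_version());
}
echo $body === null ? "curl error: $error\n" : strlen($body) . " bytes fetched\n";
```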

I have this issue on OS X using brew on some https servers; brew uses curl internally. Note this is only on OS X 10.7.5, which is stuck on OpenSSL/0.9.8r. I would upgrade, but Apple doesn't support > 10.7 on this iMac!

My fix was to upgrade curl with brew, which ups the version to 1.0.2f, luckily the brew install of curl doesn't

brew install curl

Adam

This isn't a good solution, but it's better than wheel spinning, so I'm going to add it here as an answer:

Use the GnuTLS module instead of mod_ssl, if you can. It's not bound to OpenSSL, so this horrible, day-wasting problem is neatly sidestepped.

jww
scoates