1 (edited by pcollinson 2015-04-22 15:27:59)

Topic: Curl woes

Suddenly curl to a previously working machine has stopped working saying

Unknown SSL protocol error in connection to ....

This is to a Windows wsdl site - and using a browser from my machines will return the XML page so browsers are happy with the handshake.

Pointing Chrome at the machine says:

Your connection to .....  is encrypted with obsolete cryptography.

The connection uses TLS 1.2.

The connection is encrypted using AES_128_CBC, with SHA1 for message authentication and RSA as the key exchange mechanism.

But I don't think I have much ability to change this.

curl from my Mac - works.

Curl from my CentOS 5 and CentOS 6 machines doesn't. All CentOS systems are running remi curl.

It looks to me that things are dying very early on in the TLS handshake - I see about 6 packets in the transaction.

I've tried various cipher settings, I've tried using the same CA cert bundle that works on my Mac - but things still fail.

I cannot give you the target machine - because it's firewall protected.

Any ideas about what I can try next? AKA HELP!!

I guess I should include versions:

curl.x86_64 -  7.15.5-17.el5_9

and
curl.x86_64  -  7.19.7-40.el6_6.4

Re: Curl woes

> All CentOS systems are running remi curl.
Can't be true.
I only provide curl-7.29.0-19.el5 for EL-5, which is a backport of the EL-7 version (and mostly for php-curl).
7.15.5-17.el5_9 and 7.19.7-40.el6_6.4 are from the base repo.

Sorry, no idea...

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: Curl woes

Which PHP version ?
(soap is mostly broken in 5.5.23/5.6.7)


Re: Curl woes

Thanks for your time Remi.

I am using nusoap to talk to the other system - which seems to do the job after some persuading even though it's a bit old. I was only using the curl cli command because it was breaking too and was easier to test with. What's odd is that Firefox on the systems will pull the page fine, but curl (and curl in PHP) won't.

However, I've just discovered from my Mac that if I attempt to talk to the other system forcing sslv2 or sslv3 - then it fails. So the server is probably using sslv1 -  is it reasonable to think that our systems have stopped supporting sslv1?

Is this down to openssl rather than curl? There was an openssl update recently - about 5/6 days ago.


Versions:
The CentOS 5 & CentOS 6 machines are PHP5.5 - and up-to-date.

Re: Curl woes

Yes, this is probably related to openssl (used by curl)


Re: Curl woes

Thanks for your assistance - I now think that the other end is not responding for some reason.

Re: Curl woes

Thanks for your support in this issue. It did turn out to be the server that had 'hardened' their connection and the problem was with the SSL that is supported by openssl on CentOS 5.
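An added example, not part of any post in this thread: when a handshake dies within the first few packets, decoding the first bytes the server sends back (taken from a packet capture) shows whether it rejected the client with an alert, answered with a ServerHello, or simply closed the connection. The function name `classify_first_reply` is hypothetical and the sample byte strings are constructed.

```python
import struct

# Code points this example needs, from the TLS specifications.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}  # RSA / AES_128_CBC / SHA1, as Chrome reported


def classify_first_reply(data: bytes) -> str:
    """Classify the first TLS record a server returns after a ClientHello (hypothetical helper)."""
    if not data:
        return "no TLS reply: peer closed or reset the connection"
    if len(data) < 5:
        return "truncated record header"
    rec_type, _rec_version, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        return "truncated record body"
    if rec_type == 21:  # alert record: one byte level, one byte description
        if rec_len != 2:
            return "malformed alert"
        kind = "fatal" if body[0] == 2 else "warning"
        return f"alert: {kind} {ALERTS.get(body[1], body[1])}"
    if rec_type == 22 and body[:1] == b"\x02":  # handshake record carrying a ServerHello
        # type(1) + length(3) + version(2) + random(32) + session id length(1) = 39 bytes
        if len(body) < 39:
            return "truncated server_hello"
        version = struct.unpack("!H", body[4:6])[0]
        suite_at = 39 + body[38]  # skip the variable-length session id
        if len(body) < suite_at + 2:
            return "truncated server_hello"
        suite = struct.unpack("!H", body[suite_at:suite_at + 2])[0]
        return f"server_hello: {VERSIONS.get(version, hex(version))} {SUITES.get(suite, hex(suite))}"
    return f"unexpected record type {rec_type}"


# Constructed sample: fatal protocol_version alert in a TLS 1.0 record.
SAMPLE_ALERT = bytes.fromhex("15030100020246")
# Constructed sample: minimal ServerHello choosing TLS 1.2 and suite 0x002F.
_hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
_msg = b"\x02" + len(_hello).to_bytes(3, "big") + _hello
SAMPLE_HELLO = b"\x16\x03\x03" + len(_msg).to_bytes(2, "big") + _msg

if __name__ == "__main__":
    for sample in (b"", SAMPLE_ALERT, SAMPLE_HELLO):
        print(classify_first_reply(sample))
```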

Re: Curl woes

:)

Closing this one.
