CURL/wget – SSLv3, TLS handshake, CERT hangs

curlhttpsssl

I have problems connecting to https sites using cURL or wget. When I download from a https curl seems to be stuck while doing the TLS handshake, CERT.
The problem is independent of the site (I noticed it using github) and wget is hanging too (although I didn't look into the verbose outputs there).

$ curl -v --trace-time https://www.google.de
10:35:21.532822 * About to connect() to www.google.de port 443 (#0)
10:35:21.533091 *   Trying 209.85.148.147... connected
10:35:21.538666 * Connected to www.google.de (209.85.148.147) port 443 (#0)
10:35:21.539119 * SSLv3, TLS handshake, Client hello (1):
10:35:21.544129 * SSLv3, TLS handshake, Server hello (2):
10:35:21.544182 * SSLv3, TLS handshake, CERT (11):

I have waited >10 min but nothing happens. I am using OSX Lion.

$curl --version
curl 7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM SSL libz

I don't know where to look for help so I'd be happy if you could give me some pointers.

Thanks

Best Answer

curl -v --trace-time https://www.google.de

21:50:34.054955 * About to connect() to www.google.de port 443
21:50:34.056574 *   Trying 74.125.39.104... connected
21:50:34.104587 * Connected to www.google.de (74.125.39.104) port 443
21:50:34.313259 * successfully set certificate verify locations:
21:50:34.313349 *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
21:50:34.313758 * SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using RC4-SHA
21:50:34.418541 * Server certificate:
21:50:34.418631 *        subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
21:50:34.418726 *        start date: 2011-10-26 00:00:00 GMT
21:50:34.418799 *        expire date: 2013-09-30 23:59:59 GMT
21:50:34.418902 * SSL: certificate subject name 'www.google.com' does not match target host name 'www.google.de'
21:50:34.419000 * Closing connection #0
21:50:34.419124 * SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name 'www.google.com' does not match target host name 'www.google.de'

It seems you are not able to verify the certificate since you are missing the ca-bundle.crt. This belongs (in CentOS 5) to the openssl-rpm.

Related Solutions

Disable SSLv3 In cURL

It looks like this problem is caused by the version of cURL not supporting ECC 256 bit SSL certificates and the ECDSA signature algorithm (which is used by CloudFlare). You can test to see if your version of cURL supports this encryption by running:

curl -1IsS --ciphers ecdhe_ecdsa_aes_128_sha https://sslspdy.com

If you get the following, then your cURL is out of date:

curl: (59) Unknown cipher in list: ecdhe_ecdsa_aes_128_sha

Otherwise, if it connects and doesn't display an error then it is up to date.

Since CentOS seems to thoroughly screen updates before they are applied to their packages, it's hard to say when this will be fixed. The ONLY way to get around this is by updating cURL, passing -k or --insecure won't work.

How to fix curl sslv3 alert handshake failure

Some sites disable support for SSL 3.0 (possible because of many exploits/vulnerabilities), so it's possible to force specific SSL version by either -2/--sslv2 or -3/--sslv3. Also -L is worth a try if requested page has moved to a different location.

In my case it was a curl bug (found in OpenSSL), so curl needed to be upgraded to the latest version (>7.40) and it worked fine.

Best Answer

Related Solutions

Disable SSLv3 In cURL

How to fix curl sslv3 alert handshake failure

Related Question