How to fix curl sslv3 alert handshake failure on Gentoo?
Basically, https://www.rocketleaguereplays.com uses outdated encryption (SSL3), you can force curl to connect to insecure sites like this using the -k (--insecure) switch.
Try this:
curl -kvH "Accept: application/json" https://www.rocketleaguereplays.com/api/replays/-1/
You could also try using the -3
aka --sslv3
switch, however, if curl was built without SSL3 support, then you need to compile your own version of curl, enabling SSL3.
EDIT: The op has found the problem.
I got confused by the error message.
This is a bug in gentoo:
https://bugs.gentoo.org/show_bug.cgi?id=531540
Basically, when you build openssl with the bindist flag, the elyptic curve crypto is disabled. This site requires elyptic curve cryptography.
When I run this, I get the following:
$ curl -vH "Accept: application/json" https://www.rocketleaguereplays.com/api/replays/-1/
* STATE: INIT => CONNECT handle 0x6000572d0; line 1090 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* Trying 2400:cb00:2048:1::6818:7353...
* STATE: CONNECT => WAITCONNECT handle 0x6000572d0; line 1143 (connection #0)
* Connected to www.rocketleaguereplays.com (2400:cb00:2048:1::6818:7353) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x6000572d0; line 1240 (connection #0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x6000572d0; line 1254 (connection #0)
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256 <----
[...]
So my curl uses elyptic curve with this site.
Related videos on Youtube
Comments
-
Hanashi over 1 year
I'm trying open a website with cURL like this:
$ curl -vH "Accept: application/json" https://www.rocketleaguereplays.com/api/replays/-1/
The output is:
* Trying 104.24.114.83... * Connected to www.rocketleaguereplays.com (104.24.114.83) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS header, Unknown (21): * TLSv1.2 (IN), TLS alert, Server hello (2): * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure * Closing connection 0 * TLSv1.2 (OUT), TLS alert, Client hello (1): curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
I have Linux kernel 4.4.0 and the newest cURL version installed:
$ curl -V curl 7.47.1 (x86_64-pc-linux-gnu) libcurl/7.47.1 OpenSSL/1.0.2f zlib/1.2.8 c-ares/1.10.0 nghttp2/1.6.0 Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp Features: AsynchDNS IPv6 Largefile NTLM SSL libz TLS-SRP HTTP2 UnixSockets
How can I fix this? On Ubuntu it works fine with cURL and same URL.
-
Hanashi about 8 yearsNow I fixed it. OpenSSL was compiled with the "bindist" USE-Flag. It works without this.
-
-
Hanashi about 8 yearsThank you, but there is the same error :(
-
Brandon Condrey almost 4 years@Hanashi then why would you accept this answer
-
thecarpy almost 4 yearsI think he accepted the answer after the Edit.