How to fix curl sslv3 alert handshake failure on Gentoo?

curl ssl https handshake
18,651

Basically, https://www.rocketleaguereplays.com uses outdated encryption (SSL3), you can force curl to connect to insecure sites like this using the -k (--insecure) switch.

Try this: curl -kvH "Accept: application/json" https://www.rocketleaguereplays.com/api/replays/-1/

You could also try using the -3 aka --sslv3 switch, however, if curl was built without SSL3 support, then you need to compile your own version of curl, enabling SSL3.

EDIT: The op has found the problem.

I got confused by the error message.

This is a bug in gentoo:

https://bugs.gentoo.org/show_bug.cgi?id=531540

Basically, when you build openssl with the bindist flag, the elyptic curve crypto is disabled. This site requires elyptic curve cryptography.

When I run this, I get the following:

$ curl -vH "Accept: application/json" https://www.rocketleaguereplays.com/api/replays/-1/ * STATE: INIT => CONNECT handle 0x6000572d0; line 1090 (connection #-5000) * Added connection 0. The cache now contains 1 members * Trying 2400:cb00:2048:1::6818:7353... * STATE: CONNECT => WAITCONNECT handle 0x6000572d0; line 1143 (connection #0) * Connected to www.rocketleaguereplays.com (2400:cb00:2048:1::6818:7353) port 443 (#0) * STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x6000572d0; line 1240 (connection #0) * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x6000572d0; line 1254 (connection #0) * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Client hello (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Client hello (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256 <---- [...]

So my curl uses elyptic curve with this site.

Share:
18,651

Related videos on Youtube

Hanashi
Author by

Hanashi

Data engineer

Updated on September 18, 2022

Comments

  • Hanashi
    Hanashi over 1 year

    I'm trying open a website with cURL like this:

    $ curl -vH "Accept: application/json" https://www.rocketleaguereplays.com/api/replays/-1/

    The output is:

    *   Trying 104.24.114.83...
* Connected to www.rocketleaguereplays.com (104.24.114.83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

    I have Linux kernel 4.4.0 and the newest cURL version installed:

    $ curl -V
curl 7.47.1 (x86_64-pc-linux-gnu) libcurl/7.47.1 OpenSSL/1.0.2f zlib/1.2.8 c-ares/1.10.0 nghttp2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM SSL libz TLS-SRP HTTP2 UnixSockets

    How can I fix this? On Ubuntu it works fine with cURL and same URL.

    • Hanashi
      Hanashi about 8 years
      Now I fixed it. OpenSSL was compiled with the "bindist" USE-Flag. It works without this.
  • Hanashi
    Hanashi about 8 years
    Thank you, but there is the same error :(
  • Brandon Condrey
    Brandon Condrey almost 4 years
    @Hanashi then why would you accept this answer
  • thecarpy
    thecarpy almost 4 years
    I think he accepted the answer after the Edit.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

OS X 10.11.6 El Capitan SSLRead() return error -9841
SSL: unable to obtain common name from peer certificate
HttpClient: ssl handshake on every request
Enabling SSL Support for CURL in XAMPP
Why I cannot connect to my website in HTTP using curl?
Curl, lynx etc not accepting certificate locally but OK remotely
SSL23_GET_SERVER_HELLO:reason(1112) issue curl 7.25.0
Https connection, TLS hangs and eventually fails SSL_ERROR_SYSCALL
"server certificate verification OK" but "ALPN, server did not agree to a protocol"
How can I update certificates on my system to fix wget's error: "Unable to establish SSL connection."?