When I try to CURL a website I get SSL error


Solution 1

The Website uses the old TLS protocol version 1.0, which has been disabled by default since Ubuntu 20.04.

To temporarily override the default for your curl command, you can create a config file somewhere (e.g. ~/.openssl_allow_tls1.0.cnf) with the following content:

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1

Then run your command like this:

OPENSSL_CONF=~/.openssl_allow_tls1.0.cnf curl -v 'https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice'

(this will only set OPENSSL_CONF for that single command)

or

export OPENSSL_CONF=~/.openssl_allow_tls1.0.cnf
curl -v 'https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice'

(this will only set OPENSSL_CONF for the current session or script)

You could also set it globally in /etc/ssl/openssl.cnf, but it has been disabled for good reasons and I would only override that when necessary.


Solution 2

Edit the openssl.conf file:

sudo nano /etc/ssl/openssl.cnf

Add this line at the top:

openssl_conf = openssl_init

And add these lines at the end:

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1

It works for me. :)

For Laravel, also run

sudo service php7.4-fpm restart
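An added example, not from either answer above: it wraps Solution 1's per-command override in a POSIX sh function so OPENSSL_CONF never leaks into the caller's environment, and adds a small audit function that flags an openssl.cnf that has been downgraded system-wide the way Solution 2 does. The function names and the temp-file location are this example's own choices.

```shell
#!/bin/sh
# Added example (not the answers' own code): scope the SECLEVEL=1 override
# to one command, and audit an openssl.cnf for a global downgrade.

# Write the override config from Solution 1 to $1 (default: a temp file)
# and print the path.
write_legacy_tls_conf() {
    conf="${1:-$(mktemp)}"
    cat > "$conf" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
EOF
    printf '%s\n' "$conf"
}

# Run one command with OPENSSL_CONF pointing at a throwaway override file;
# the file is removed afterwards and the caller's environment is untouched.
# Usage: with_legacy_tls curl -sS 'https://host/path?a=1&b=2'
with_legacy_tls() {
    conf=$(write_legacy_tls_conf)
    OPENSSL_CONF="$conf" "$@" && rc=0 || rc=$?
    rm -f "$conf"
    return "$rc"
}

# Audit: return 0 if the given openssl.cnf lowers the system-wide security
# level (the Solution 2 approach), 1 otherwise. Useful for spotting a
# "temporary" global downgrade that was never reverted.
global_downgrade_present() {
    grep -Eq '^[[:space:]]*CipherString[[:space:]]*=.*SECLEVEL=[01]' "$1"
}
```

Quote the URL when calling with_legacy_tls: an unquoted & sends curl to the background and drops the rest of the query string, which is what the `[1] 438975` line and the truncated `GET /show?action=pretraga` in the comment below show.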
Author: Misko Mali

Updated on September 18, 2022

Comments

  • Misko Mali over 1 year

    I installed Ubuntu 20 on my VPS. This is what I'm trying to do:

    curl -v https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice
    [1] 438975
    root@vps:/var/www/html/tportal# *   Trying 195.29.166.100:443...
    * TCP_NODELAY set
    * Connected to imenik.tportal.hr (195.29.166.100) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (OUT), TLS alert, protocol version (582):
    * error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
    * Closing connection 0
    curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
    

    But when I try like this, it kinda works

    curl -v http://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice
    [1] 438977
    root@vps:/var/www/html/tportal# *   Trying 195.29.166.100:80...
    * TCP_NODELAY set
    * Connected to imenik.tportal.hr (195.29.166.100) port 80 (#0)
    > GET /show?action=pretraga HTTP/1.1
    > Host: imenik.tportal.hr
    > User-Agent: curl/7.68.0
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 301 Moved Permanently
    < Date: Tue, 16 Jun 2020 07:44:32 GMT
    < Server: Apache/2.2.3 (CentOS)
    < Location: https://imenik.tportal.hr/show?action=pretraga
    < Content-Length: 336
    < Connection: close
    < Content-Type: text/html; charset=iso-8859-1
    <
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>301 Moved Permanently</title>
    </head><body>
    <h1>Moved Permanently</h1>
    <p>The document has moved <a href="https://imenik.tportal.hr/show?action=pretraga">here</a>.</p>
    <hr>
    <address>Apache/2.2.3 (CentOS) Server at imenik.tportal.hr Port 80</address>
    </body></html>
    * Closing connection 0
    

    I can't find a solution to this SSL problem

  • Misko Mali almost 4 years
    This fixed the problem :) Thank you very much. If I want to go back to original configuration, I should do this: export OPENSSL_CONF= /etc/ssl/openssl.cnf ?
  • pLumo almost 4 years
    You don't need to do anything, the environment variable is only valid until you close the terminal or to the end of the script. But, if you still want to change back in the current session, you can just run export OPENSSL_CONF= (set blank). Or just use the first command in my answer, setting the env var in the same line as the curl command, then it is only valid for that single command.
  • Misko Mali almost 4 years
    Great. One last question, how do I set it globally in /etc/ssl/openssl.cnf since I need it for longer period of time? I did it like this [ system_default_sect ] CipherString = DEFAULT@SECLEVEL=1 but it's not working
  • pLumo almost 4 years
    I would say you can just add the whole thing at the end (not tested). But can't you just run export OPENSSL_CONF=~/.openssl_allow_tls1.0.cnf whenever you need it?
  • Misko Mali almost 4 years
    That is actually good idea, I'll try it. Thank you very much
  • Nux over 2 years
    This also works if you have an Apache 2.4.41 with https proxy to an old server (e.g. Apache 2.2). No changes in Apache needed after upgrade to Ubuntu 20. Just this openssl.cnf change and reboot.