When I try to curl a website I get an SSL error
Solution 1
The website uses the old TLS protocol version 1.0, which has been disabled by default since Ubuntu 20.04.
To temporarily override the default for your curl command, you can create a config file somewhere (e.g. ~/.openssl_allow_tls1.0.cnf) with the following content:
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
Then run your command like this:
OPENSSL_CONF=~/.openssl_allow_tls1.0.cnf curl -v 'https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice'
(this will only set OPENSSL_CONF for that single command)
or
export OPENSSL_CONF=~/.openssl_allow_tls1.0.cnf
curl -v 'https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice'
(this will only set OPENSSL_CONF for the current session or script)
You could also set it globally in /etc/ssl/openssl.cnf, but it has been disabled for good reasons and I would only override that when necessary.
Solution 2
Edit the openssl.cnf file:
sudo nano /etc/ssl/openssl.cnf
Add this line at the top:
openssl_conf = openssl_init
And add these lines at the end:
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
It works for me. :)
For Laravel, also run
sudo service php7.4-fpm restart
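Both solutions above use the same OpenSSL stanza; the only difference is whether it is scoped to one command (Solution 1) or applied to every OpenSSL-linked program on the host (Solution 2). The script below is an added example, not code from either answer: it writes that stanza to a private file, checks that a config file actually wires the stanza in (the `openssl_conf = openssl_init` line must sit in the default section before any `[section]` header, which is the part the comment thread below shows is easy to leave out when editing /etc/ssl/openssl.cnf), and runs curl with OPENSSL_CONF set for that one process only, with the URL quoted so the `&` in the query string is not parsed as a shell background operator. The function names, the `--run` switch and the file path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the answers above. Scopes the SECLEVEL=1 override
# to a single curl process instead of weakening OpenSSL system-wide.
set -eu

# write_legacy_openssl_cnf PATH
# Writes the stanza from the answers to PATH. 'openssl_conf = openssl_init'
# has to be in the default (unnamed) section, i.e. before any [section]
# header, otherwise OpenSSL never reads the sections that follow.
write_legacy_openssl_cnf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
EOF
}

# legacy_cnf_ok PATH
# Returns 0 only if PATH contains the whole key chain. A file holding just
# the [system_default_sect] block fails here, because nothing links that
# section to the library initialisation, so OpenSSL ignores it.
legacy_cnf_ok() {
    f=$1
    grep -q '^openssl_conf *= *openssl_init' "$f" &&
    grep -q '^ssl_conf *= *ssl_sect' "$f" &&
    grep -q '^system_default *= *system_default_sect' "$f" &&
    grep -q '^CipherString *= *DEFAULT@SECLEVEL=1' "$f"
}

# run_with_legacy_cnf PATH CMD [ARGS...]
# Runs CMD with OPENSSL_CONF=PATH in its environment only. env(1) is an
# external command, so the calling shell's own OPENSSL_CONF is untouched.
run_with_legacy_cnf() {
    cnf=$1
    shift
    env OPENSSL_CONF="$cnf" "$@"
}

# curl_legacy_tls PATH URL [CURL_OPTIONS...]
# The URL is passed as a single argument, so a query string containing '&'
# is not split by the shell (the unquoted form in the question backgrounded
# the job, which is what the '[1] 438975' in its output shows).
curl_legacy_tls() {
    cnf=$1
    url=$2
    shift 2
    run_with_legacy_cnf "$cnf" curl "$@" "$url"
}

# Real run only when invoked as: sh legacy_tls_curl.sh --run
# (assumed switch; without it the script just defines the functions above).
if [ "${1:-}" = "--run" ]; then
    cnf=$HOME/.openssl_allow_tls1.0.cnf
    write_legacy_openssl_cnf "$cnf"
    legacy_cnf_ok "$cnf"
    curl_legacy_tls "$cnf" 'https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice' -v
fi
```

The per-process form keeps the lowered security level confined to the one connection that needs it; editing /etc/ssl/openssl.cnf instead lowers the floor for every TLS client and server on the machine that links OpenSSL, which is why the first answer only recommends the global change when it is really needed.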
Misko Mali
Updated on September 18, 2022

Comments

- Misko Mali (over 1 year):
I installed Ubuntu 20 on my VPS. This is what I'm trying to do:
curl -v https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice
[1] 438975
root@vps:/var/www/html/tportal# * Trying 195.29.166.100:443...
* TCP_NODELAY set
* Connected to imenik.tportal.hr (195.29.166.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
But when I try like this, it kinda works
curl -v http://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice
[1] 438977
root@vps:/var/www/html/tportal# * Trying 195.29.166.100:80...
* TCP_NODELAY set
* Connected to imenik.tportal.hr (195.29.166.100) port 80 (#0)
> GET /show?action=pretraga HTTP/1.1
> Host: imenik.tportal.hr
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 16 Jun 2020 07:44:32 GMT
< Server: Apache/2.2.3 (CentOS)
< Location: https://imenik.tportal.hr/show?action=pretraga
< Content-Length: 336
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://imenik.tportal.hr/show?action=pretraga">here</a>.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at imenik.tportal.hr Port 80</address>
</body></html>
* Closing connection 0
I can't find a solution to this SSL problem
- Misko Mali (almost 4 years): This fixed the problem :) Thank you very much. If I want to go back to the original configuration, should I do this:
export OPENSSL_CONF= /etc/ssl/openssl.cnf
?
- pLumo (almost 4 years): You don't need to do anything, the environment variable is only valid until you close the terminal or until the end of the script. But if you still want to change back in the current session, you can just run
export OPENSSL_CONF=
(set blank). Or just use the first command in my answer, setting the env var on the same line as the curl command; then it is only valid for that single command.
- Misko Mali (almost 4 years): Great. One last question, how do I set it globally in /etc/ssl/openssl.cnf since I need it for a longer period of time? I did it like this
[ system_default_sect ]
CipherString = DEFAULT@SECLEVEL=1
but it's not working
- pLumo (almost 4 years): I would say you can just add the whole thing at the end (not tested). But can't you just run
export OPENSSL_CONF=~/.openssl_allow_tls1.0.cnf
whenever you need it?
- Misko Mali (almost 4 years): That is actually a good idea, I'll try it. Thank you very much
- Nux (over 2 years): This also works if you have an Apache 2.4.41 with an https proxy to an old server (e.g. Apache 2.2). No changes in Apache needed after the upgrade to Ubuntu 20. Just this openssl.cnf change and a reboot.