I am working on an application that needs to talk to different HTTPS servers. There are times when the server simply ignores the SSL/TLS Client Hello (no Server Hello is returned).
The problem would appear in the code as such:
    >curl32.exe -v -k --tlsv1 https://...
    * timeout on name lookup is not supported
    * About to connect() to <server> port 443 (#0)
    *   Trying <IP>...
    * connected
    * Connected to <server> (<IP>) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: ./cacert.test.pem
      CApath: none
    * Unknown SSL protocol error in connection to <Server>:443
    * Closing connection #0
    ===> CURLcode is: 35

Return Code: CURLE_SSL_CONNECT_ERROR
When launched from OpenSSL directly, this will be fine:

    OpenSSL> s_client -tls1 -connect <server>:443
I tried different combinations (specifying TLS, SSL, or not specifying). The only common thing when the problem occurs is that the SSL/TLS version is incompatible. Therefore, in Wireshark, I see in the Secure Socket Layer section of the TCP packet:
- SSL Record Layer: Handshake Protocol: Client Hello <===
- Version: TLS 1.0 (0x0301)
- ...
- Handshake Protocol: Client Hello
- ...
- Version: TLS 1.0 (0x0301)
In the good case, when I do see the Server Hello from the server, I see:
- TLSv1 Record Layer: Handshake Protocol: Client Hello <===
- Version: TLS 1.0 (0x0301)
- ...
- Handshake Protocol: Client Hello
- ...
- Version: TLS 1.0 (0x0301)
I'm not quite sure if this is a libcurl problem, or maybe Wireshark does not decode it correctly (since the record layer in both cases looks almost identical and the 2 version fields are correct), which makes libcurl the apparent problem.
Any thoughts? Ideas? Similar experience? Any help is much appreciated!
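An added example, not part of the original post: one way to compare the Client Hello sent by the failing client with the one sent by the working client, field by field, instead of relying on how the dissector labels the record. The function names and the two sample records are constructed for illustration and are not the captures from the question; to use it, export the raw record bytes of each Client Hello from the capture.

```python
import struct

# Display names for the 16-bit protocol version values.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def _u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]

def _name(ver):
    return VERSIONS.get(ver, hex(ver))

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record that carries a complete Client Hello."""
    try:
        ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rec_len]
        if ctype != 22 or len(body) != rec_len or body[0] != 1:
            raise ValueError("not a complete Client Hello handshake record")
        hs_end = 4 + int.from_bytes(body[1:4], "big")
        hello_ver = _u16(body, 4)
        pos = 4 + 2 + 32                  # handshake header, client_version, random
        pos += 1 + body[pos]              # session_id
        cs_len = _u16(body, pos)
        suites = [_u16(body, i) for i in range(pos + 2, pos + 2 + cs_len, 2)]
        pos += 2 + cs_len
        pos += 1 + body[pos]              # compression_methods
        exts = []
        if pos + 2 <= hs_end:             # the extensions block is optional
            ext_end = pos + 2 + _u16(body, pos)
            pos += 2
            while pos + 4 <= ext_end:
                etype, elen = struct.unpack_from("!HH", body, pos)
                exts.append(etype)
                pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("truncated Client Hello") from None
    return {"record_version": _name(rec_ver), "client_version": _name(hello_ver),
            "cipher_suites": suites, "extensions": exts}

def diff_hellos(a: bytes, b: bytes) -> dict:
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    pa, pb = parse_client_hello(a), parse_client_hello(b)
    return {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}

# Constructed sample records (not taken from the captures in the question).
_HEAD = "0301" + "00" * 32 + "00" + "0004002f0035" + "0100"
HELLO_A = bytes.fromhex("160301002f" + "0100002b" + _HEAD)
HELLO_B = bytes.fromhex("1603010040" + "0100003c" + _HEAD
                        + "000f" + "0000000b0009000006612e74657374")

if __name__ == "__main__":
    print(diff_hellos(HELLO_A, HELLO_B))
```

In the constructed samples both version fields read TLS 1.0 and the only difference reported is the extension list, which is the kind of difference that stays hidden when only the version fields are compared.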