On Fri, Mar 23, 2012 at 07:02:34PM +0100, Kurt Roeckx wrote:
> On Fri, Mar 23, 2012 at 06:38:40PM +0100, Alessandro Ghedini wrote:
> > Hi Kurt,
> >
> > curl 7.25.0 was released yesterday and I'm now working on updating the
> > Debian package. A problem came up though with the --ssl-enable-beast
> > new option of curl (which should fix the bug that you have reported)
> > and the new version of openssl. If I build curl against the current
> > version 1.0.1-2 (uploaded a few days ago) of libssl the option has no
> > effect with the URL you posted above and curl fails with the error:
> >
> > curl: (35) error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> > unexpected message
> >
> > (the 35 means that the error happened in the SSL handshake).
> >
> > But if I build with a slightly older libssl (1.0.0h-1) the option works
> > as expected and if the option is not used at all the error is the same
> > that you reported ("Empty reply from server").
> >
> > Now, since you did the openssl uploads, do you know of any change in
> > openssl that may have caused this problem and if there's anything that
> > can be done on the curl's side to fix it?
>
> So I see:
> openssl s_client -connect www.eboekhuis.nl:443
> CONNECTED(00000003)
> 140090768766632:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert unexpected message:s23_clnt.c:708:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 324 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> But it works when I use:
> openssl s_client -no_tls1_2 -no_tls1_1 -connect www.eboekhuis.nl:443
>
>
> Tls1.1 and 1.2 support is new since openssl 1.0.1.
>
> I'm not sure what to do about this. I can at least let them know that that
> is an issue too.
> But maybe I should contact upstream openssl so they can take a look too that
> it's not a bug in openssl.

Indeed, explicitly setting TLSv1 (--tlsv1 option in curl) works. I was afraid
this was a new bug in curl's OpenSSL code but apparently it's not (or at least
it is not as grave as I thought). I'll go on with the curl uploads then.

Thanks

-- 
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
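Added example, not part of the original messages or of curl/OpenSSL: the "read 7 bytes" in the s_client output above is consistent with a single plaintext TLS alert record (5-byte record header plus 2-byte alert), and the sketch below decodes such a record and flags the pattern the two s_client runs show (alert when TLS 1.1/1.2 is offered, handshake when it is not). The function names and the byte strings are assumptions constructed for illustration, not captured from the host in the thread.

```python
import struct

# Record content types, alert codes and versions from RFC 5246 (sections 6.2.1, 7.2).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure", 70: "protocol_version"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def parse_first_record(data: bytes) -> dict:
    """Decode the first TLS record a server sent in reply to a ClientHello."""
    if len(data) < 5:
        raise ValueError("truncated record header: need 5 bytes, got %d" % len(data))
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    rec = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
           "version": VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
           "wire_bytes": 5 + length}
    if ctype == 21 and length == 2:  # plaintext alert: level byte, description byte
        rec["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
        rec["description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
    return rec


def diagnose(replies: dict) -> str:
    """replies maps the highest version offered, as (major, minor), to the server's first bytes."""
    kinds = {v: parse_first_record(raw)["type"] for v, raw in replies.items()}
    ok = [v for v, k in kinds.items() if k == "handshake"]
    bad = [v for v, k in kinds.items() if k == "alert"]
    if ok and bad and max(ok) < min(bad):
        return "version-intolerant above %s" % VERSIONS[max(ok)]
    return "rejects every offer" if bad and not ok else "no intolerance seen"


# Constructed sample bytes (hypothetical, for illustration only).
ALERT = bytes([21, 3, 1, 0, 2, 2, 10])                    # fatal unexpected_message, 7 bytes on the wire
SERVER_HELLO_START = bytes([22, 3, 1, 0, 4, 2, 0, 0, 0])  # handshake record holding a ServerHello header stub
SAMPLE = {(3, 3): ALERT, (3, 1): SERVER_HELLO_START}      # offered TLS 1.2 -> alert, offered TLS 1.0 -> handshake

if __name__ == "__main__":
    print(parse_first_record(ALERT))
    print(diagnose(SAMPLE))
```
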