Bug #595415 “Curl (openssl) fails to open some https URLs with “...” : Bugs : curl package : Ubuntu

Revision history for this message

Andreas Olsson (andol) wrote on 2010-11-21:

#1

I assume the curl 7.19.17 in question is the curl 7.19.7-1ubuntu1 available in Ubuntu 10.04?

I can't seem to reproduce this error against orange.sk. Possibly due/thanks to a server side change on their part?

Are you experiencing this issue against any other sites?

Changed in curl (Ubuntu):
status:	New → Incomplete

Revision history for this message

Chris May (chris-may) wrote on 2010-11-22:

#2

The URL mentioned in the original Curl thread (http://curl.haxx.se/mail/curlphp-2008-10/0001.html) still fails in the same way

$ curl https://www.etisalat.com.eg
curl: (35) error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message

$ curl --sslv3 https://www.etisalat.com.eg
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
...etc.

Revision history for this message

Chris May (chris-may) wrote on 2010-11-22:

#3

Just noticed that the failure above is very slightly different; it prints "unexpected message" rather than "illegal parameter", although it still goes away if you manually specify --sslv3.

I have servers which generate the "illegal parameter" error too, but unfortunately they're not generally accessible from the internet. If it's essential, though, I can probably make one available, or if not then I'm happy to test patches locally.

Revision history for this message

Andreas Olsson (andol) wrote on 2010-11-25:

#4

Download full text (3.8 KiB)

Ok, given that I discovered the same behavior from wget I decided going directly to openssl.

root@natty:~# openssl s_client -connect www.etisalat.com.eg:443
CONNECTED(00000003)
1432:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:602:
root@natty:~#

Looks familiar?

Explicitly asking for ssl3, we get the following response:

root@natty:~# openssl s_client -ssl3 -connect www.etisalat.com.eg:443
CONNECTED(00000003)
depth=3 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=EG/L=Cairo/ST=Cairo/O=etisalat/OU=IT/CN=*.etisalat.com.eg
   i:/C=AE/O=Etisalat/OU=Etisalat eBusiness Services/CN=Comtrust Server Certification Authority
1 s:/C=AE/O=Etisalat/OU=Etisalat eBusiness Services/CN=Comtrust Server Certification Authority
   i:/C=AE/O=Etisalat/OU=Etisalat eBusiness Services/CN=Comtrust Root Certification Authority
2 s:/C=AE/O=Etisalat/OU=Etisalat eBusiness Services/CN=Comtrust Root Certification Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
3 s:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID5TCCAs2gAwIBAgICEEswDQYJKoZIhvcNAQEFBQAweDELMAkGA1UEBhMCQUUx
ETAPBgNVBAoTCEV0aXNhbGF0MSQwIgYDVQQLExtFdGlzYWxhdCBlQnVzaW5lc3Mg
U2VydmljZXMxMDAuBgNVBAMTJ0NvbXRydXN0IFNlcnZlciBDZXJ0aWZpY2F0aW9u
IEF1dGhvcml0eTAeFw0xMDAzMTQxMzM5MThaFw0xMjAzMTQxMzM5MThaMGkxCzAJ
BgNVBAYTAkVHMQ4wDAYDVQQHEwVDYWlybzEOMAwGA1UECBMFQ2Fpcm8xETAPBgNV
BAoTCGV0aXNhbGF0MQswCQYDVQQLEwJJVDEaMBgGA1UEAxQRKi5ldGlzYWxhdC5j
b20uZWcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMtR6BtuLt3MYE91KI0Q
ZgYUK7Qd+xb+8noqbRMnA2fWRML5slebffXjR6/MnTKd3mg4kh8+N1CYdWnnuQXq
AsY/jcgZ7aH3lPga1BeVXCbAARJfVUy4XXIh60kCg1pibz2ZdM6y/qXHccLjDwet
I7IiLUGsqYjBGv/I2DEWt1ZrAgMBAAGjggEKMIIBBjAJBgNVHRMEAjAAMEwGA1Ud
IARFMEMwQQYLKwYBBAGyXQIBAQAwMjAwBggrBgEFBQcCARYkaHR0cDovL2NvbXRy
dXN0LmV0aXNhbGF0LmFlL2Nwcy5odG1sMCYGA1UdEQQfMB2BG1RhbWVyLkVsR29o
YXJ5QGV0aXNhbGF0LmNvbTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB
BQUHAwEwHwYDVR0jBBgwFoAUeIDkXQxvf3/oqMvK+Q5xYj6rQrowPQYDVR0fBDYw
NDAyoDCgLoYsaHR0cDovL2NvbXRydXN0LmV0aXNhbGF0LmFlL2NybC9zZXJ2ZXJj
YS5jcmwwDQYJKoZIhvcNAQEFBQADggEBAI9mNP5zkEKRuG9DO4HDPCVNsTVmrMnt
oTK1vnzFGKAXamb87jy35yADNOYcFOH4VXOaEjtJOy9s3UUtd/A80JYw2zjyEzud
9kTdefiXBOd8pescZa8f7xzy5UPBacWBu1hxAAF0Pj8uL5QYULZmL50G4DINsDUi
DjyGAWJDyotGRqbFKX7XhJb+t793a1hvdvGFfW+QI4ovHTh8D+RK+i+/g/8oE/a4
JE3e2E+Pj7FzqrDTurkq6w0tj/24YLepudo936NpAfC7RtjxPSb647+2Tdjf4Kao
z0hjMrS30cnTjQMNw+QqQmNrNp21rKM7QHCmCnYEAWn0TkGMx5enNEA=
-----END CERTIFICATE-----
subject=/C=EG/L=Cairo/ST=Cairo/O=etisalat/OU=IT/CN=*.etisalat.com.eg
issuer=/C=AE/O=Etisalat/OU=Etisalat eBusiness Services/CN=Comtrust Server Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 3996 bytes and written 301 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server p...

Ok, given that I discovered the same behavior from wget I decided going directly to openssl.

root@natty:~# openssl s_client -connect www.etisalat.com.eg:443
CONNECTED(00000003)
1432:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:602:
root@natty:~#

Looks familiar?

Explicitly asking for ssl3, we get the following response:

root@natty:~# openssl s_client -ssl3 -connect www.etisalat.com.eg:443
CONNECTED(00000003)
depth=3 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=EG/L=Cairo/ST=Cairo/O=etisalat/OU=IT/CN=*.etisalat.com.eg
   i:/C=AE/O=Etisalat/OU=Etisalat eBusiness Services/CN=Comtrust Server Certification Authority
 1 s:/C=AE/O=Etisalat/OU=Etisalat eBusiness Services/CN=Comtrust Server Certification Authority
   i:/C=AE/O=Etisalat/OU=Etisalat eBusiness Services/CN=Comtrust Root Certification Authority
 2 s:/C=AE/O=Etisalat/OU=Etisalat eBusiness Services/CN=Comtrust Root Certification Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
 3 s:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID5TCCAs2gAwIBAgICEEswDQYJKoZIhvcNAQEFBQAweDELMAkGA1UEBhMCQUUx
ETAPBgNVBAoTCEV0aXNhbGF0MSQwIgYDVQQLExtFdGlzYWxhdCBlQnVzaW5lc3Mg
U2VydmljZXMxMDAuBgNVBAMTJ0NvbXRydXN0IFNlcnZlciBDZXJ0aWZpY2F0aW9u
IEF1dGhvcml0eTAeFw0xMDAzMTQxMzM5MThaFw0xMjAzMTQxMzM5MThaMGkxCzAJ
BgNVBAYTAkVHMQ4wDAYDVQQHEwVDYWlybzEOMAwGA1UECBMFQ2Fpcm8xETAPBgNV
BAoTCGV0aXNhbGF0MQswCQYDVQQLEwJJVDEaMBgGA1UEAxQRKi5ldGlzYWxhdC5j
b20uZWcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMtR6BtuLt3MYE91KI0Q
ZgYUK7Qd+xb+8noqbRMnA2fWRML5slebffXjR6/MnTKd3mg4kh8+N1CYdWnnuQXq
AsY/jcgZ7aH3lPga1BeVXCbAARJfVUy4XXIh60kCg1pibz2ZdM6y/qXHccLjDwet
I7IiLUGsqYjBGv/I2DEWt1ZrAgMBAAGjggEKMIIBBjAJBgNVHRMEAjAAMEwGA1Ud
IARFMEMwQQYLKwYBBAGyXQIBAQAwMjAwBggrBgEFBQcCARYkaHR0cDovL2NvbXRy
dXN0LmV0aXNhbGF0LmFlL2Nwcy5odG1sMCYGA1UdEQQfMB2BG1RhbWVyLkVsR29o
YXJ5QGV0aXNhbGF0LmNvbTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB
BQUHAwEwHwYDVR0jBBgwFoAUeIDkXQxvf3/oqMvK+Q5xYj6rQrowPQYDVR0fBDYw
NDAyoDCgLoYsaHR0cDovL2NvbXRydXN0LmV0aXNhbGF0LmFlL2NybC9zZXJ2ZXJj
YS5jcmwwDQYJKoZIhvcNAQEFBQADggEBAI9mNP5zkEKRuG9DO4HDPCVNsTVmrMnt
oTK1vnzFGKAXamb87jy35yADNOYcFOH4VXOaEjtJOy9s3UUtd/A80JYw2zjyEzud
9kTdefiXBOd8pescZa8f7xzy5UPBacWBu1hxAAF0Pj8uL5QYULZmL50G4DINsDUi
DjyGAWJDyotGRqbFKX7XhJb+t793a1hvdvGFfW+QI4ovHTh8D+RK+i+/g/8oE/a4
JE3e2E+Pj7FzqrDTurkq6w0tj/24YLepudo936NpAfC7RtjxPSb647+2Tdjf4Kao
z0hjMrS30cnTjQMNw+QqQmNrNp21rKM7QHCmCnYEAWn0TkGMx5enNEA=
-----END CERTIFICATE-----
subject=/C=EG/L=Cairo/ST=Cairo/O=etisalat/OU=IT/CN=*.etisalat.com.eg
issuer=/C=AE/O=Etisalat/OU=Etisalat eBusiness Services/CN=Comtrust Server Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 3996 bytes and written 301 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 6AC3114D500CAC9F4A5135EDCFA45D905DF09FFECB10F818AF679B17062F0811F685DF6745C5B91A86D7DC3BA5770BC7
    Key-Arg   : None
    Start Time: 1290712758
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

This using openssl 0.9.8o-1ubuntu4.2, which currently is what is in Natty.

To be honest I don't know enough about how ssl/tls is supposed to work to say whatever this is a bug in openssl or if it is due to some server side quirk.

Changed in openssl (Ubuntu):
status:	New → Incomplete
summary:	- Curl fails to open some https URLs with "illegal parameter" error + Curl (openssl) fails to open some https URLs with "illegal parameter" + error

Revision history for this message

Ralf Hildebrandt (ralf-hildebrandt) wrote on 2011-01-21:

#5

This happens to me as well, I compiled squid-3.2 from source with --enable-ssl, and I'm getting exactly the same message

Revision history for this message

Ralf Hildebrandt (ralf-hildebrandt) wrote on 2011-01-23:

#6

$ curl https://www.etisalat.com.eg
curl: (35) error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message

also happens on natty

description:

updated

Revision history for this message

Ralf Hildebrandt (ralf-hildebrandt) wrote on 2011-01-23:

#7

Marking this bug incomplete without actually say WHAT is missing to make it complete is not helping!

Changed in openssl (Ubuntu):
status:	Incomplete → Confirmed

Revision history for this message

Stefan Kriwanek (Divan) (dev-stefankriwanek) wrote on 2012-03-14:

#8

Download full text (5.3 KiB)

I have got another curl example for reproduction of the bug. It only fails if curl is provided with a cookies file, which I can only provide on request (want to keep it private as possible). This example did work well in Natty (no idea about Oneiric)

The line is (no, you can not remove the long data part):

/usr/bin/curl -b/home/stefan/.geocookies -c/home/stefan/.geocookies -d'__VIEWSTATE=/wEPDwUKLTIxMjA4MDI5OA8WAh4OTG9naW4uUmVkaXJlY3RlFgJmD2QWBGYPZBYEAgoPFgIeBFRleHQFYjxtZXRhIG5hbWU9IkNvcHlyaWdodCIgY29udGVudD0iQ29weXJpZ2h0IChjKSAyMDAwLTIwMTIgR3JvdW5kc3BlYWssIEluYy4gQWxsIFJpZ2h0cyBSZXNlcnZlZC4iIC8%2BZAILDxYCHwEFRzwhLS0gQ29weXJpZ2h0IChjKSAyMDAwLTIwMTIgR3JvdW5kc3BlYWssIEluYy4gQWxsIFJpZ2h0cyBSZXNlcnZlZC4gLS0%2BZAIBD2QWCAIKDxYCHgdWaXNpYmxlZ2QCKg8PZBYCHgVjbGFzcwUHc3Bhbi0yMGQCKw8WAh8DBQtzcGFuLTQgbGFzdBYCAgEPZBYCAgEPDxYCHwEFggQ8aWZyYW1lIHR5cGU9ImlmcmFtZSIgc3JjPSJodHRwczovL2Fkcy5ncm91bmRzcGVhay5jb20vYS5hc3B4P1pvbmVJRD05JlRhc2s9R2V0JlNpdGVJRD0xJlg9Jzc0NTg4NDJkZmIxZjQ1NGE5MGYwZmUyNGZmZTRlZTllJyIgd2lkdGg9IjEyMCIgaGVpZ2h0PSIyNDAiIE1hcmdpbndpZHRoPSIwIiBNYXJnaW5oZWlnaHQ9IjAiIEhzcGFjZT0iMCIgVnNwYWNlPSIwIiBGcmFtZWJvcmRlcj0iMCIgU2Nyb2xsaW5nPSJubyIgc3R5bGU9IndpZHRoOjEyMHB4O0hlaWdodDoyNDBweDsiPjxhIGhyZWY9Imh0dHBzOi8vYWRzLmdyb3VuZHNwZWFrLmNvbS9hLmFzcHg/Wm9uZUlEPTkmVGFzaz1DbGljayY7TW9kZT1IVE1MJlNpdGVJRD0xIiB0YXJnZXQ9Il9ibGFuayI%2BPGltZyBzcmM9Imh0dHBzOi8vYWRzLmdyb3VuZHNwZWFrLmNvbS9hLmFzcHg/Wm9uZUlEPTkmVGFzaz1HZXQmTW9kZT1IVE1MJlNpdGVJRD0xIiB3aWR0aD0iMTIwIiBoZWlnaHQ9IjI0MCIgYm9yZGVyPSIwIiBhbHQ9IiIgLz48L2E%2BPC9pZnJhbWU%2BZGQCLA9kFgQCAQ8WAh8BBQdFbmdsaXNoZAIDDxYCHgtfIUl0ZW1Db3VudAIPFh5mD2QWAgIBDw8WCB4PQ29tbWFuZEFyZ3VtZW50BQVlbi1VUx4LQ29tbWFuZE5hbWUFDVNldFRlbXBMb2NhbGUfAQUHRW5nbGlzaB4QQ2F1c2VzVmFsaWRhdGlvbmhkZAIBD2QWAgIBDw8WCB8FBQVkZS1ERR8GBQ1TZXRUZW1wTG9jYWxlHwEFB0RldXRzY2gfB2hkZAICD2QWAgIBDw8WCB8FBQVmci1GUh8GBQ1TZXRUZW1wTG9jYWxlHwEFCUZyYW7Dp2Fpcx8HaGRkAgMPZBYCAgEPDxYIHwUFBXB0LVBUHwYFDVNldFRlbXBMb2NhbGUfAQUKUG9ydHVndcOqcx8HaGRkAgQPZBYCAgEPDxYIHwUFBWNzLUNaHwYFDVNldFRlbXBMb2NhbGUfAQUJxIxlxaF0aW5hHwdoZGQCBQ9kFgICAQ8PFggfBQUFc3YtU0UfBgUNU2V0VGVtcExvY2FsZR8BBQdTdmVuc2thHwdoZGQCBg9kFgICAQ8PFggfBQUFbmwtTkwfBgUNU2V0VGVtcExvY2FsZR8BBQpOZWRlcmxhbmRzHwdoZGQCBw9kFgICAQ8PFggfBQUFY2EtRVMfBgUNU2V0VGVtcExvY2FsZR8BBQdDYXRhbMOgHwdoZGQCCA9kFgICAQ8PFggfBQUFcGwtUEwfBgUNU2V0VGVtcExvY2FsZR8BBQZQb2xza2kfB2hkZAIJD2QWAgIBDw8WCB8FBQVldC1FRR8GBQ1TZXRUZW1wTG9jYWxlHwEFBUVlc3RpHwdoZGQCCg9kFgICAQ8PFggfBQUFbmItTk8fBgUNU2V0VGVtcExvY2FsZR8BBQ5Ob3JzaywgQm9rbcOlbB8HaGRkAgsPZBYCAgEPDxYIHwUFBWtvLUtSHwYFDVNldFRlbXBMb2NhbGUfAQUJ7ZWc6rWt7Ja0HwdoZGQCDA9kFgICAQ8PFggfBQUFZXMtRVMfBgUNU2V0VGVtcExvY2FsZR8BBQhFc3Bhw7FvbB8HaGRkAg0PZBYCAgEPDxYIHwUFBWh1LUhVHwYFDVNldFRlbXBMb2NhbGUfAQUGTWFneWFyHwdoZGQCDg9kFgICAQ8PFggfBQUFcm8tUk8fBgUNU2V0VGVtcExvY2FsZR8BBQhSb23Dom7Egx8HaGRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBR5jdGwwMCRDb250ZW50Qm9keSRjYlJlbWVtYmVyTWUGzXazrzLQi84q6aT2dompupv8rw==' -L 'https://www.geocaching.com/login/default.aspx' -v

Without an additional --sslv3 the output is

* About to connect() to www.geocaching.com port 443 (#0)
* Trying 66.150.167.189... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SS...

I have got another curl example for reproduction of the bug. It only fails if curl is provided with a cookies file, which I can only provide on request (want to keep it private as possible). This example did work well in Natty (no idea about Oneiric)

The line is (no, you can not remove the long data part):

/usr/bin/curl -b/home/stefan/.geocookies -c/home/stefan/.geocookies -d'__VIEWSTATE=/wEPDwUKLTIxMjA4MDI5OA8WAh4OTG9naW4uUmVkaXJlY3RlFgJmD2QWBGYPZBYEAgoPFgIeBFRleHQFYjxtZXRhIG5hbWU9IkNvcHlyaWdodCIgY29udGVudD0iQ29weXJpZ2h0IChjKSAyMDAwLTIwMTIgR3JvdW5kc3BlYWssIEluYy4gQWxsIFJpZ2h0cyBSZXNlcnZlZC4iIC8%2BZAILDxYCHwEFRzwhLS0gQ29weXJpZ2h0IChjKSAyMDAwLTIwMTIgR3JvdW5kc3BlYWssIEluYy4gQWxsIFJpZ2h0cyBSZXNlcnZlZC4gLS0%2BZAIBD2QWCAIKDxYCHgdWaXNpYmxlZ2QCKg8PZBYCHgVjbGFzcwUHc3Bhbi0yMGQCKw8WAh8DBQtzcGFuLTQgbGFzdBYCAgEPZBYCAgEPDxYCHwEFggQ8aWZyYW1lIHR5cGU9ImlmcmFtZSIgc3JjPSJodHRwczovL2Fkcy5ncm91bmRzcGVhay5jb20vYS5hc3B4P1pvbmVJRD05JlRhc2s9R2V0JlNpdGVJRD0xJlg9Jzc0NTg4NDJkZmIxZjQ1NGE5MGYwZmUyNGZmZTRlZTllJyIgd2lkdGg9IjEyMCIgaGVpZ2h0PSIyNDAiIE1hcmdpbndpZHRoPSIwIiBNYXJnaW5oZWlnaHQ9IjAiIEhzcGFjZT0iMCIgVnNwYWNlPSIwIiBGcmFtZWJvcmRlcj0iMCIgU2Nyb2xsaW5nPSJubyIgc3R5bGU9IndpZHRoOjEyMHB4O0hlaWdodDoyNDBweDsiPjxhIGhyZWY9Imh0dHBzOi8vYWRzLmdyb3VuZHNwZWFrLmNvbS9hLmFzcHg/Wm9uZUlEPTkmVGFzaz1DbGljayY7TW9kZT1IVE1MJlNpdGVJRD0xIiB0YXJnZXQ9Il9ibGFuayI%2BPGltZyBzcmM9Imh0dHBzOi8vYWRzLmdyb3VuZHNwZWFrLmNvbS9hLmFzcHg/Wm9uZUlEPTkmVGFzaz1HZXQmTW9kZT1IVE1MJlNpdGVJRD0xIiB3aWR0aD0iMTIwIiBoZWlnaHQ9IjI0MCIgYm9yZGVyPSIwIiBhbHQ9IiIgLz48L2E%2BPC9pZnJhbWU%2BZGQCLA9kFgQCAQ8WAh8BBQdFbmdsaXNoZAIDDxYCHgtfIUl0ZW1Db3VudAIPFh5mD2QWAgIBDw8WCB4PQ29tbWFuZEFyZ3VtZW50BQVlbi1VUx4LQ29tbWFuZE5hbWUFDVNldFRlbXBMb2NhbGUfAQUHRW5nbGlzaB4QQ2F1c2VzVmFsaWRhdGlvbmhkZAIBD2QWAgIBDw8WCB8FBQVkZS1ERR8GBQ1TZXRUZW1wTG9jYWxlHwEFB0RldXRzY2gfB2hkZAICD2QWAgIBDw8WCB8FBQVmci1GUh8GBQ1TZXRUZW1wTG9jYWxlHwEFCUZyYW7Dp2Fpcx8HaGRkAgMPZBYCAgEPDxYIHwUFBXB0LVBUHwYFDVNldFRlbXBMb2NhbGUfAQUKUG9ydHVndcOqcx8HaGRkAgQPZBYCAgEPDxYIHwUFBWNzLUNaHwYFDVNldFRlbXBMb2NhbGUfAQUJxIxlxaF0aW5hHwdoZGQCBQ9kFgICAQ8PFggfBQUFc3YtU0UfBgUNU2V0VGVtcExvY2FsZR8BBQdTdmVuc2thHwdoZGQCBg9kFgICAQ8PFggfBQUFbmwtTkwfBgUNU2V0VGVtcExvY2FsZR8BBQpOZWRlcmxhbmRzHwdoZGQCBw9kFgICAQ8PFggfBQUFY2EtRVMfBgUNU2V0VGVtcExvY2FsZR8BBQdDYXRhbMOgHwdoZGQCCA9kFgICAQ8PFggfBQUFcGwtUEwfBgUNU2V0VGVtcExvY2FsZR8BBQZQb2xza2kfB2hkZAIJD2QWAgIBDw8WCB8FBQVldC1FRR8GBQ1TZXRUZW1wTG9jYWxlHwEFBUVlc3RpHwdoZGQCCg9kFgICAQ8PFggfBQUFbmItTk8fBgUNU2V0VGVtcExvY2FsZR8BBQ5Ob3JzaywgQm9rbcOlbB8HaGRkAgsPZBYCAgEPDxYIHwUFBWtvLUtSHwYFDVNldFRlbXBMb2NhbGUfAQUJ7ZWc6rWt7Ja0HwdoZGQCDA9kFgICAQ8PFggfBQUFZXMtRVMfBgUNU2V0VGVtcExvY2FsZR8BBQhFc3Bhw7FvbB8HaGRkAg0PZBYCAgEPDxYIHwUFBWh1LUhVHwYFDVNldFRlbXBMb2NhbGUfAQUGTWFneWFyHwdoZGQCDg9kFgICAQ8PFggfBQUFcm8tUk8fBgUNU2V0VGVtcExvY2FsZR8BBQhSb23Dom7Egx8HaGRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBR5jdGwwMCRDb250ZW50Qm9keSRjYlJlbWVtYmVyTWUGzXazrzLQi84q6aT2dompupv8rw=='  -L 'https://www.geocaching.com/login/default.aspx' -v

Without an additional --sslv3 the output is

* About to connect() to www.geocaching.com port 443 (#0)
*   Trying 66.150.167.189... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* 	 subject: O=www.geocaching.com; OU=Go to https://www.thawte.com/repository/index.html; OU=Thawte SSL123 certificate; OU=Domain Validated; CN=www.geocaching.com
* 	 start date: 2010-06-02 00:00:00 GMT
* 	 expire date: 2012-06-15 23:59:59 GMT
* 	 common name: www.geocaching.com (matched)
* 	 issuer: C=ZA; ST=Western Cape; L=Cape Town; O=Thawte Consulting cc; OU=Certification Services Division; CN=Thawte Server CA; emailAddress=server-certs@thawte.com
* 	 SSL certificate verify ok.
> POST /login/default.aspx HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.0g zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: www.geocaching.com
> Accept: */*
> Cookie: ASP.NET_SessionId=v3crkvc0a4nkwz3hymjokqri
> Content-Length: 2482
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
> 
< HTTP/1.1 100 Continue
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Pragma: no-cache,no-cache
< Content-Length: 136
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Location: /login/default.aspx
< Server: Microsoft-IIS/7.5
< X-AspNet-Version: 4.0.30319
< Date: Wed, 14 Mar 2012 07:46:41 GMT
* HTTP error before end of send, stop sending
< 
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
* Issue another request to this URL: 'https://www.geocaching.com/login/default.aspx'
* Violate RFC 2616/10.3.3 and switch from POST to GET
* About to connect() to www.geocaching.com port 443 (#0)
*   Trying 66.150.167.189... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSL re-using session ID
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to www.geocaching.com:443 
* Closing connection #0

Then, curl seems to wait for some 30sec and then exit with

curl: (35) Unknown SSL protocol error in connection to www.geocaching.com:443

Revision history for this message

chrone (chrone81) wrote on 2012-05-01:

#9

i just noted on ubuntu 12.04 server edition x64 that if i use only rc4 chiper on apache mod ssl, the curl could not fect the https://. but if i enabled higher chiper such as camelia or aes, the curl https:// command is running fine.

i don't know on which package this bug is. is it from curl, php5-curl, apache, or openssl.

Revision history for this message

Rex Tsai (chihchun) wrote on 2012-10-15:

#10

This issue has been fixed in precise.

ca-certificates 20111211
coreutils 8.13-3ubuntu3.1
debconf 1.5.42ubuntu1
dpkg 1.16.1.2ubuntu7
gcc-4.6-base 4.6.3-1ubuntu5
libacl1 2.2.51-5ubuntu1
libasn1-8-heimdal 1.6~git20120311.dfsg.1-2
libattr1 1:2.4.46-5ubuntu1
libbz2-1.0 1.0.6-1
libc-bin 2.15-0ubuntu10.3
libc6 2.15-0ubuntu10.3
libcomerr2 1.42-1ubuntu2
libcurl3 7.22.0-3ubuntu4
libdb5.1 5.1.25-11build1
libgcc1 1:4.6.3-1ubuntu5
libgcrypt11 1.5.0-3ubuntu0.1
libgnutls26 2.12.14-5ubuntu3.1
libgpg-error0 1.10-2ubuntu1
libgssapi-krb5-2 1.10+dfsg~beta1-2ubuntu0.3
libgssapi3-heimdal 1.6~git20120311.dfsg.1-2
libhcrypto4-heimdal 1.6~git20120311.dfsg.1-2
libheimbase1-heimdal 1.6~git20120311.dfsg.1-2
libheimntlm0-heimdal 1.6~git20120311.dfsg.1-2
libhx509-5-heimdal 1.6~git20120311.dfsg.1-2
libidn11 1.23-2
libk5crypto3 1.10+dfsg~beta1-2ubuntu0.3
libkeyutils1 1.5.2-2
libkrb5-26-heimdal 1.6~git20120311.dfsg.1-2
libkrb5-3 1.10+dfsg~beta1-2ubuntu0.3
libkrb5support0 1.10+dfsg~beta1-2ubuntu0.3
libldap-2.4-2 2.4.28-1.1ubuntu4.1
liblzma5 5.1.1alpha+20110809-3
libp11-kit0 0.12-2ubuntu1
libroken18-heimdal 1.6~git20120311.dfsg.1-2
librtmp0 2.4~20110711.gitc28f1bab-1
libsasl2-2 2.1.25.dfsg1-3ubuntu0.1
libselinux1 2.1.0-4.1ubuntu1
libsqlite3-0 3.7.9-2ubuntu1.1
libssl1.0.0 1.0.1-4ubuntu5.5
libtasn1-3 2.10-1ubuntu1.1
libwind0-heimdal 1.6~git20120311.dfsg.1-2
multiarch-support 2.15-0ubuntu10.3
openssl 1.0.1-4ubuntu5.5
perl-base 5.14.2-6ubuntu2.1
tar 1.26-4ubuntu1
tzdata 2012e-0ubuntu0.12.04.1
xz-utils 5.1.1alpha+20110809-3
zlib1g 1:1.2.3.4.dfsg-3ubuntu4

Revision history for this message

Adrien Nader (adrien) wrote on 2023-05-11:

#11

I'm going to mark this as Fix Released due to the message above even though I wasn't able to try to reproduce today (due to so many things having changed since 2012).

Changed in openssl (Ubuntu):
status:	Confirmed → Fix Released

Affects		Status	Importance	Assigned to	Milestone
	curl (Ubuntu)	Incomplete	Undecided	Unassigned
	openssl (Ubuntu)	Fix Released	Undecided	Unassigned

Ubuntu
curl package

Curl (openssl) fails to open some https URLs with "illegal parameter" error

Bug Description

Other bug subscribers

Remote bug watches

Ubuntucurl package

Curl (openssl) fails to open some https URLs with "illegal parameter" error

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
curl package