4

I don't know what is exactly going on but I noticed that curl couldn't get secure pages without adding extra switches.

~# curl -v https://api.dreamhost.com
* About to connect() to api.dreamhost.com port 443 (#0)
*   Trying 75.119.208.14...
* connected
* Connected to api.dreamhost.com (75.119.208.14) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
(hangs for a minute)
* Unknown SSL protocol error in connection to api.dreamhost.com:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to api.dreamhost.com:443

Now, when I add -1 (force tlsv1) or -3 (force sslv3) curl works flawlessly. The problem is that other programs seem to have similar issues, like python scripts.

When I try openssl it hangs like curl

openssl s_client  -connect api.dreamhost.com:443
CONNECTED(00000003)
(HANGS)

write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

The same happens if I use -tls1_2, but it works If I use -ssl3 switch

Additional Data:

OpenSSL> version
OpenSSL 1.0.1e 11 Feb 2013

Does anybody know how to fix this and make curl or openssl work with default settings? I have another machine with Debian lenny that can run both commands flawlessly without any switch.

Thanks!

-Rodrigo

Rodrigo
  • 267
  • 3
  • 12
  • I have the same result as you with `curl`, `wget` works here though, what do you get with `wget`? – EightBitTony Jul 07 '13 at 08:16
  • @EightBitTony wget seems to work well, but also I discovered that other hosts work. curl https://graph.facebook.com works well without any switched but curl to https://api.dreamhost.com will only work if I use curl -1 or -3 – Rodrigo Jul 07 '13 at 17:53
  • I wonder if it's something in the auto-detection of which SSL version to use that wget gets right and curl gets wrong? Anyway, out of my league, good luck! – EightBitTony Jul 07 '13 at 19:33
  • Same problem same site, I wonder if Dreamhost is aware – MattPark Dec 29 '14 at 19:08

3 Answers3

2

If you run this site against SSLLabs test, you'll see it's intolerant to long handshakes, a problem that certainly affects your version of OpenSSL.

Reducing the cipher list size should help, for example:

openssl s_client -cipher RSA -connect api.dreamhost.com:443

(You can use the --ciphers option for curl.)

Bruno
  • 4,099
  • 1
  • 21
  • 37
1

So I went ahead and filed a ticket with Dreamhost (Based on the analysis of @Bruno above) because I was having the same issue. It took a few weeks but they actually fixed it. Any other company they probably would have just put me in tech support hell.

MattPark
  • 303
  • 5
  • 20
0

Make sure you have the ca-certificates package installed properly. If it is installed, you may have accidentally deleted its files and need to reinstall it.

sudo apt-get install --reinstall ca-certificates
Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
  • Still the same :/ keeps working when I use -1/-3 switch on curl, or -ssl3 switch for openssl command. – Rodrigo Jul 07 '13 at 05:27
  • The CA certificates are only used to verify the remote certificate. Unfortunately, there's no remote certificate presented here at all, so that wouldn't help ("*no peer certificate available*"). – Bruno Jul 09 '13 at 14:16