TL;DR I'm trying to reach a URI which only takes SSLv3. If I try to access it with curl or Python requests (which uses the ssl module) it doesn't work (different errors).

Some longer explanation

There's this API which has this URI: https://api.mercadolibre.com/sites/MLA/search?q=ipod

  1. If I try to access that URI with the browser, it works fine (Chrome and FF).

  2. If I try to curl it: `curl -Iv https://api.mercadolibre.com/sites/MLA/search?q=ipod` it doesn't work. The error returned is:

    curl: (35) Unknown SSL protocol error in connection to api.mercadolibre.com:443
    
  3. Forcing curl to use SSLv3 works fine:

    curl --sslv3 -Iv https://api.mercadolibre.com/sites/MLA/search?q=ipod
    
  4. `openssl s_client -connect api.mercadolibre.com:443` answers with:

    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 305 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
    

How can it be possible that the browser is connecting OK and curl and Python are not? How should I fix this? Is this even my problem (or the API owner's)?

Info about my system

  • Ubuntu 14.04
  • OpenSSL 1.0.1f 6 Jan 2014
santiago.basulto
  • [That site's SSL setup is horribly broken.](https://www.ssllabs.com/ssltest/analyze.html?d=api.mercadolibre.com&hideResults=on) They need to fix it as soon as possible. – Michael Hampton Aug 26 '14 at 20:08
  • Well. That's a relief. But does it have anything to do with my issue? – santiago.basulto Aug 26 '14 at 20:12
  • Most likely. As you can see, many _browsers_ would be unable to connect to it at all. The same is true of non-browser user agents such as curl. Not to mention the encryption is so weak that my sister could break it. – Michael Hampton Aug 26 '14 at 20:13
  • Reading the "Handshake Simulation" section of that report, it seems like "OpenSSL 1.0.1h" fails with "Protocol or cipher suite mismatch". – santiago.basulto Aug 26 '14 at 20:13
  • Yeah. Thank you very much Michael. I know someone there, I'll ping them. Do you want to create an answer for posterity? – santiago.basulto Aug 26 '14 at 20:14

1 Answer

At the time this question was asked, the site in question supported only a small selection of very weak cipher suites and had very little compatibility with modern user agents. Thus it was impossible for most browsers or even robots to negotiate a connection, let alone a secure one.

The site has been (mostly) fixed since; while it still has weak cipher suites and other problems, it should at least be functional.

Michael Hampton
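
Added example, not part of the original question or answer: a Python classifier for `openssl s_client` output such as the transcript in the question, reporting how far the handshake got before it failed. The names `diagnose` and `Handshake` are hypothetical, the first transcript is the question's output trimmed to the lines that are parsed, and the second is constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Transcript from the question (OpenSSL 1.0.1f), trimmed to the parsed lines.
FAILED = """\
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
"""

# Constructed sample of a completed handshake, for contrast (not from the page).
OK = """\
CONNECTED(00000003)
---
SSL handshake has read 3421 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
"""

@dataclass
class Handshake:
    errno: Optional[int]   # 104 is ECONNRESET on Linux
    read: int
    written: int
    cipher: Optional[str]
    verdict: str

def diagnose(transcript: str) -> Handshake:
    """Classify an `openssl s_client` transcript by how far the handshake got."""
    err = re.search(r"^(?:write|read):errno=(\d+)", transcript, re.M)
    io = re.search(r"handshake has read (\d+) bytes and written (\d+) bytes", transcript)
    ciph = re.search(r"Cipher is (\S+)", transcript)
    read, written = (int(io.group(1)), int(io.group(2))) if io else (0, 0)
    cipher = ciph.group(1) if ciph and ciph.group(1) != "(NONE)" else None
    if cipher:
        verdict = "handshake completed"
    elif io is None:
        verdict = "no handshake summary in transcript"
    elif read == 0:
        # ClientHello went out and nothing came back, not even a TLS alert.
        verdict = "server dropped the ClientHello without replying"
    else:
        verdict = "server replied but no cipher suite was agreed"
    return Handshake(int(err.group(1)) if err else None, read, written, cipher, verdict)
```

A read count of 0 means the server closed the connection without sending a ServerHello or an alert, so the client cannot tell from this output alone which part of its ClientHello was rejected; a per-client report like the SSL Labs handshake simulation linked in the comments fills that gap.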