15
$ curl -I https://9.185.173.135
curl: (35) Unknown SSL protocol error in connection to 9.185.173.135:443

This is a secured page that I need to access, but I don't know how to obtain its certificate file. I tried to use Firefox, but it says it couldn't get any SSL certificate once the URL is entered.

$ curl -I http://9.185.173.135
HTTP/1.1 200 OK
Content-Length: 686
Content-Type: text/html
Content-Location: http://9.185.173.135/Default.htm
Last-Modified: Mon, 16 Mar 2009 05:05:38 GMT
Accept-Ranges: bytes
ETag: "a851dbd8f4a5c91:d41"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 13 Jul 2010 04:09:35 GMT

The server is definitely reachable from my laptop. Once I get the certificate file, I assume I can then import it to Firefox and then use my credentials to pass the authentication (I already got the username/password).

Sorry I am no expert in security at all. Is there anything else I can try?

Many thanks in advance.

Michael Mao

8 Answers

5

try this

curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3); // Force SSLv3 to fix Unknown SSL Protocol error
D.Go
Asif
  • But this will not work on SPDY. There you have to use [`spdycat`](https://github.com/tatsuhiro-t/spdylay). I am not the author but it's an open-source project. – Ján Sáreník Sep 01 '15 at 21:28
  • 1
    FYI: we had this and it didn't work. From another answer we found: `curl_setopt($ch, CURLOPT_SSLVERSION, 4);` which worked. (Version 4, not 3). – William Joss Crowcroft Sep 27 '16 at 15:02
  • There are security risks with this approach. See the PHP docs. http://php.net/manual/en/function.curl-setopt.php – Goose Nov 01 '16 at 18:03
  • 1
    Please do not use arbitrary numbers for something that is supposed to receive a descriptive enum. @WilliamJossCrowcroft for example, incorrectly refers to 4 as "version 4" (likely this is CURL_SSLVERSION_TLSv1_0). The correct value is CURL_SSLVERSION_SSLv3. – D.Go Nov 19 '19 at 02:16
2

To Rudi: Thanks for the hint, that tells me a hell of a lot of info.

Somehow the admin of the secured page "refreshes" the state of certifications every day. So although I got blocked from accessing it yesterday, it generously lets me grab another certificate and add it to the exception list of Firefox.

So everything is working, and I really learned something from yesterday's experience.

Michael Mao
1

You can use the --tlsv1 option to solve the issue in case the curl version is below 7.34:

 curl -I --tlsv1 https://9.185.173.135
Adrita Sharma
khan
1

In my case, on an AIX VM, I also had this problem. Use --cacert to specify a cacert.pem:

curl --cacert /var/ssl/cacert.pem https://localhost:3000

edbighead
Peter Shen
0

I had the same error after updating my SSL certificate on the target SSL site. My source OS was CentOS 6, and updating to a new curl version solved it. Note: I was already using curl -k (the insecure option), but I would still get that error. Essentially, this error is caused by nss or openssl being out of date.

 yum -y install curl nss openssl

Remember, if you have a web application like PHP calling curl, you will need to restart Apache to make the update take effect.

I've updated based on this guide: http://realtechtalk.com/curl_35_Unknown_SSL_protocol_error_in_connection_Solution_Centos-1988-articles

Areeb Soo Yasir
0

I got the same error when running curl/httpie against a Tomcat server on my localhost deployed from Eclipse. It turns out that the default server.xml deployed by Eclipse disables https. Specifically, the section below is commented out in server.xml.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

After uncommenting it and adding the two keystore parameters, the curl command starts working (with the --insecure option if the certificate is self-signed).

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/your/keystore"
           keystorePass="yourpass" />
Big Pumpkin
0

I have some solutions that fixed the issue for me:

1] Try updating your curl/php/apache [ yum update ]

2] Restart Apache

Those worked for me!

mr.baby123
0

I had a similar issue:

 curl https://localhost:3000
 ...
 curl: (35) Unknown SSL protocol error in connection to localhost:-9847

(Not sure where that number -9847 came from, since I requested port 3000.)

Fix: it turns out my server on port 3000 was running "http", not "https". Go figure.

rogerdpack
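
The answers above trace the same curl error 35 to two different causes: a port that is not speaking TLS at all, and a server that rejects the protocol version the client offered. As an added example (not code from any of the posts), this Python function classifies the first bytes a server sends back after a ClientHello so the two cases can be told apart; the function name and the sample byte strings are constructed for illustration.

```python
import struct

# Alert descriptions that matter for a failed handshake (RFC 5246 / RFC 8446).
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          71: "insufficient_security", 80: "internal_error"}
# Record-layer versions only; TLS 1.3 also uses 0x0303 at the record layer.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2"}


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server returned after our ClientHello."""
    if not data:
        return "closed: peer closed the connection without answering"
    if data[:5] in (b"HTTP/", b"<html", b"<!DOC"):
        return "plaintext: the port speaks HTTP, not HTTPS"
    if len(data) < 5:
        return "unknown: reply too short to be a TLS record"
    # TLS record header: content type (1), version (2), length (2).
    rtype, version, length = struct.unpack("!BHH", data[:5])
    if version >> 8 != 0x03:
        return "unknown: not a TLS record"
    vname = VERSIONS.get(version, hex(version))
    if rtype == 21:  # alert record: body is (level, description)
        if length != 2 or len(data) < 7:
            return "unknown: malformed alert"
        desc = data[6]
        name = ALERTS.get(desc, "code %d" % desc)
        return f"alert: {name} ({vname} record)"
    if rtype == 22:  # handshake record; handshake type 2 is ServerHello
        if len(data) > 5 and data[5] == 2:
            return f"tls: ServerHello in a {vname} record"
        return "tls: handshake record"
    return "unknown: not a TLS record"


# Constructed sample replies (not captured from any real server).
SAMPLES = {
    "plain HTTP listener": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    "version rejected": bytes.fromhex("15030100020246"),
    "no shared parameters": bytes.fromhex("15030300020228"),
    "handshake proceeds": bytes.fromhex("160303004a02000046"),
    "silent close": b"",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:22} -> {classify_reply(raw)}")
```

A "plaintext" result matches the cases where the server was running http rather than https; a `protocol_version` alert matches the cases where forcing a different SSL/TLS version or updating the client's TLS library changed the outcome.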