« Is no one safe from SpringSource? | Main | JBoss Takes on SpringSource with Open Choice Trio »

03/18/2010

3 Common Causes of Unknown SSL Protocol Errors with cURL

I see a lot of people hitting this site looking for reasons as to why curl is logging the following message when an SSL connection is attempted:

curl: (35) Unknown SSL protocol error in connection to ${some_server}

So, I thought it would be helpful to publish my 3 most common reasons why I've experienced this error during my web mastering career. It should not serve as an end-all list but it should provide some quick pointers.

  1. The Destination Site Does Not Like the Protocol

    Let's take my Techstacks Tools site as an example. Firing off a request like the following, results in the Unknown SSL Protocol error:

    curl --sslv2 https://techstacks-tools.appspot.com/

    Why? Well, in this case it is because the techstacks tools site does not support SSLv2, thus, generating the curl (35) error.

  2. The Destination Site Does Not Like the Cipher

    You could be trying to connect to the site using an ssl cipher that the site is configured to reject. For example, anonymous ciphers are typically disabled on ssl-encrypted sites that are customer-facing. (Many of us set a blanket rejection policy on any SSL-encrypted web site—regardless of it's purpose.) The following command string "can" also result in the curl (35) error:

    curl --ciphers ADH-RC4-MD5 https://some_web_site.some_domain.com/

    Unfortunately, the type of error response you can get from curl depends largely upon the ssl server. On some sites, you'll receive the Unknown SSL Protocol error but on my techstacks-tools site, I get:

    curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

    Kudos to Google because this particular error is a bit more descriptive than the one my websites at work generate because this at least tells you that a ssl socket was started but because of handshake failures, the socket was never able to complete.

    Try connecting to the site with a cipher that the site supports. Not sure which cipher to use?   Well, let me introduce my cryptonark ssl cipher tester...

  3. The SSL Private Key Has Expired

    I came across this one earlier today working with an old WebSeAL site. In IBM GSKit, you can specify how long the private key password is valid. After reaching a certain date, you will still be able to get webseal started and listening on port 443 (or whatever you set your https-port value to) but you will not be able to successfully negotiate an SSL session. In today's case, the old WebSEAL instance was using long-expired kdb file with a long expired private key password. Once replaced with the correct, more-up-to-date version, everything worked again.

UPDATE (March 15, 2012): Since publishing this post two years ago, I have learned that you can see unknown protocol errors for another somewhat common reason. Some ISP's and DNS providers like to intercept your failed DNS queries in order to redirect you to a search engine results-style page offering you alternative URLs or "Did you mean...?" counter-query results. If you see an error like this: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol, it could be due to you typing the hostname incorrectly or the hostname is not yet tabled in your DNS. You can verify that with a simple "host" or "nslookup".

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01156fbc6fe6970c01310fb8753f970c

Listed below are links to weblogs that reference 3 Common Causes of Unknown SSL Protocol Errors with cURL:

Comments