I am encountering curl-7.44.0+openssl-1.0.2d (FIPS-capable) TLS session-initialization failures like

    ...
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

on only ONE (HOSTX) of two 2008 R2 IIS 7.5 HTTPS servers (HOSTX, ROOM40) which are supposed to be configured the same.

I am using

    OpenSSL 1.0.2d-fips 9 Jul 2015
    curl 7.44.0 (i386-pc-win32) libcurl/7.44.0 OpenSSL/1.0.2d
    Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS Largefile NTLM SSL

ROOM40 and HOSTX servers run IIS 7.5 or IIS 8.0, and the values of the keys (SSL 2.0 - TLS 1.2, Client and Server) in the registry branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols are the same (see following). All the OTHER ..\Protocols keys - Ciphers, CipherSuites, Hashes, and KeyExchangeAlgorithms - are the same (all blank).

    SSL 2.0
      Client
        "DisabledByDefault"=dword:00000001
        "Enabled"=dword:00000000
      Server
        <empty>
    SSL 3.0
      Client
        "Enabled"=dword:00000000
      Server
        "Enabled"=dword:00000000
    TLS 1.0 (Does not exist on HOSTX)
      Client
        <empty>
      Server
        <empty>
    TLS 1.1
      Client
        "DisabledByDefault"=dword:00000000
        "Enabled"=dword:00000001
      Server
        "DisabledByDefault"=dword:00000000
        "Enabled"=dword:00000001
    TLS 1.2
      Client
        "Enabled"=dword:00000001
      Server
        "Enabled"=dword:00000001

I've researched "TLS version intolerance", SNI, ALPN and more, but haven't figured this out yet.

Following are four curl-7.44.0+openssl-1.0.2d (FIPS-capable) attempts to "upload" a file. The 1st attempt to server ROOM40 succeeds, but the subsequent three attempts to server HOSTX all fail. Any hints or insights are very much appreciated ...

Note: The following output has been edited to enhance readability and disguise client and servers.
===============================================================================
==> openssl version
OpenSSL 1.0.2d-fips 9 Jul 2015

==> curl --version
curl 7.44.0 (i386-pc-win32) libcurl/7.44.0 OpenSSL/1.0.2d
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Largefile NTLM SSL

==> REM -----------------------------------------------------------------------
==> REM ATTEMPT TO UPLOAD TO ROOM40 (Successful)
==> REM -----------------------------------------------------------------------
==> %CD%\curl.exe --verbose -T "stuff.dat" --tlsv1.2 --ciphers AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA --capath ..\certs --user matahari:18761917 https://ROOM40/datasink/
*   Trying 10.11.51.37...
* Connected to ROOM40 (10.11.51.37) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA
* successfully set certificate verify locations:
*   CAfile: none
    CApath: ..\certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*   subject: C=US; ST=CA; L=Los Angeles; O=CID; OU=LA DEV; CN=ROOM40
*   start date: 2014-05-01 15:44:59 GMT
*   expire date: 2018-02-05 22:10:46 GMT
*   common name: ROOM40 (matched)
*   issuer: CN=DISRAELI
*   SSL certificate verify ok.
* Server auth using Basic with user 'matahari'
> PUT /datasink/stuff.dat HTTP/1.1
> Host: ROOM40
> Authorization: Basic ZnRwd2FsbDoxMzRGa3JlVDk1andfMlE=
> User-Agent: curl/7.44.0
> Accept: */*
> Content-Length: 161
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 201 Created
< Location: http://ROOM40/datasink/stuff.dat
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Thu, 04 Aug 2016 01:31:09 GMT
< Content-Length: 0
<
* Connection #0 to host ROOM40 left intact

==> REM -----------------------------------------------------------------------
==> REM ATTEMPT #1 TO UPLOAD TO HOSTX (Fails)
==> REM -----------------------------------------------------------------------
==> %CD%\curl.exe --verbose -T "stuff.dat" --tlsv1.2 --ciphers AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA --capath ..\certs --user TELawrence:18881935 https://hostx.area51.gov/upload/
*   Trying 211.3.150.21...
* Connected to hostx.area51.gov (211.3.150.21) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA
* successfully set certificate verify locations:
*   CAfile: none
    CApath: ..\certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
* Closing connection 0
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

==> REM -----------------------------------------------------------------------
==> REM ATTEMPT #2 TO UPLOAD TO HOSTX (Fails)
==> REM -----------------------------------------------------------------------
==> %CD%\curl.exe --verbose -T "stuff.dat" --tlsv1.2 --ciphers AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 --capath ..\certs --user TELawrence:18881935 https://hostx.area51.gov/upload/
*   Trying 211.3.150.21...
* Connected to hostx.area51.gov (211.3.150.21) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
* successfully set certificate verify locations:
*   CAfile: none
    CApath: ..\certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to hostx.area51.gov:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to hostx.area51.gov:443

==> REM -----------------------------------------------------------------------
==> REM ATTEMPT #3 TO UPLOAD TO HOSTX (Fails)
==> REM -----------------------------------------------------------------------
==> %CD%\curl.exe --verbose -T "stuff.dat" --tlsv1.2 --capath ..\certs --user TELawrence:18881935 https://hostx.area51.gov/upload/
*   Trying 211.3.150.21...
* Connected to hostx.area51.gov (211.3.150.21) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: none
    CApath: ..\certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
* Closing connection 0
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
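The two traces above differ in one structural way: against ROOM40 the client's Client hello is answered by a Server hello, Certificate and Server key exchange, while against HOSTX the Client hello is the last handshake message on the wire before OpenSSL reports an error. Because certificate validation only happens after the ServerHello and Certificate messages arrive, a failure at this stage points at how the server handled the offered protocol version and cipher list, not at the CA path or hostname check. The following helper is an added example, not code from the poster or from curl/OpenSSL; it parses curl's `--verbose` handshake trace lines (the regular expressions are built from the trace format shown in this post and are an assumption about curl 7.44's output) and reports which stage each connection reached. The sample traces are trimmed copies of the ROOM40 and HOSTX output above.

```python
"""Locate the stage at which a curl --verbose TLS handshake stopped.

Added diagnostic helper (not part of the original post). It reads the
"* TLSv1.2 (OUT|IN), TLS handshake, <message> (<n>):" lines that curl prints
with --verbose, records which handshake messages were sent and received, and
classifies the outcome. A connection whose Client hello is the last message
before an error never received a ServerHello, so the server rejected or
mishandled the offered protocol version / cipher list; certificate validation
(CApath, hostname match) happens later and cannot be the cause at that point.
"""
import re

# Trace-line patterns, assumed from the curl 7.44.0 output shown in the post.
HANDSHAKE_RE = re.compile(
    r"^\* TLSv[\d.]+ \((OUT|IN)\), TLS (handshake|change cipher|header), (.+?) \((\d+)\):"
)
# OpenSSL 1.0.2 error strings and curl's generic SSL error, as curl prints them
# both as a "* " trace line and as the final "curl: (35) ..." line.
ERROR_RE = re.compile(
    r"^(?:\* |curl: \(\d+\) )(error:[0-9A-Fa-f]+:.*|Unknown SSL protocol error.*)"
)
NEGOTIATED_RE = re.compile(r"^\* SSL connection using (\S+) / (\S+)")


def parse_trace(text):
    """Return the handshake messages sent and received, the negotiated
    protocol/cipher (or None) and the de-duplicated error strings."""
    state = {"sent": [], "received": [], "negotiated": None, "errors": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = HANDSHAKE_RE.match(line)
        if m:
            direction, kind, name, _num = m.groups()
            # Only genuine handshake messages are recorded; curl's "TLS header"
            # and "change cipher" lines reuse message names and are skipped.
            if kind == "handshake":
                state["sent" if direction == "OUT" else "received"].append(name)
            continue
        m = ERROR_RE.match(line)
        if m:
            if m.group(1) not in state["errors"]:
                state["errors"].append(m.group(1))
            continue
        m = NEGOTIATED_RE.match(line)
        if m:
            state["negotiated"] = (m.group(1), m.group(2))
    return state


def classify(state):
    """Map a parsed trace to the handshake stage it reached."""
    if state["negotiated"]:
        return "handshake-complete"
    if "Client hello" not in state["sent"]:
        return "no-client-hello"            # TLS never started (TCP/proxy problem)
    if not state["received"]:
        return "rejected-at-client-hello"   # no ServerHello: version/cipher handling
    return "failed-after-server-hello"      # later stage, e.g. certificate/key exchange


def diagnose(text):
    """Stage plus the errors curl reported, for a whole --verbose transcript."""
    state = parse_trace(text)
    return {"stage": classify(state), "errors": state["errors"],
            "negotiated": state["negotiated"], "received": state["received"]}


# Trimmed from the successful ROOM40 transcript in the post.
ROOM40_TRACE = """
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA256
"""

# Trimmed from the failing HOSTX transcript (attempt #1) in the post.
HOSTX_TRACE = """
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
* Closing connection 0
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
"""

if __name__ == "__main__":
    for host, trace in (("ROOM40", ROOM40_TRACE), ("HOSTX", HOSTX_TRACE)):
        print(host, diagnose(trace))
```

Run against the two transcripts the script reports `handshake-complete` with `TLSv1.2 / ECDHE-RSA-AES128-SHA256` for ROOM40 and `rejected-at-client-hello` for HOSTX, which narrows the comparison between the two servers to their protocol and cipher-suite handling (the Schannel Protocols keys, including the TLS 1.0 key that exists on only one host, and any intermediary in front of HOSTX) rather than to certificates or the client's `--capath`.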