--- Reformatted and resent ---
I am encountering curl-7.44.0+openssl-1.0.2d (FIPS-capable) TLS session-initialization failures like ...
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
on only ONE (HOSTX) of two 2008 R2 IIS 7.5 HTTPS servers (HOSTX, ROOM40) which are supposed to be configured the same.
I am using
OpenSSL 1.0.2d-fips 9 Jul 2015
curl 7.44.0 (i386-pc-win32) libcurl/7.44.0 OpenSSL/1.0.2d
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s
rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Largefile NTLM SSL
ROOM40 and HOSTX servers run IIS 7.5 or IIS 8.0, and, the values of the keys (SSL 2.0 - TLS 1.2, Client and Server) in the registry branch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
are the same (see following). All the OTHER ..\Protocols keys - Ciphers, CipherSuites, Hashes, and KeyExchangeAlgorithms - are the same (all blank).
SSL 2.0
Client
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
Server
<empty>
SSL 3.0
Client
"Enabled"=dword:00000000
Server
"Enabled"=dword:00000000
TLS 1.0 (Does not exist on HOSTX)
Client
<empty>
Server
<empty>
TLS 1.1
Client
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
Server
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
TLS 1.2
Client
"Enabled"=dword:00000001
Server
"Enabled"=dword:00000001
I've researched "TLS version intolerance", SNI, ALPN and more, but, haven't figured this out yet.
Following are four curl-7.44.0+openssl-1.0.2d (FIPS- capable) attempts to "upload" a file. The 1st attempt to server ROOM40 succeeds, but the subsequent three attempts to server HOSTX all fail.
Any hints or insights are very much appreciated ...
Note: The following output has been been edited to enhance readability and disguise client and servers.
===============================================================================
==> openssl version
OpenSSL 1.0.2d-fips 9 Jul 2015
==> curl --version
curl 7.44.0 (i386-pc-win32) libcurl/7.44.0 OpenSSL/1.0.2d
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s
rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Largefile NTLM SSL
==> REM -----------------------------------------------------------------------
==> REM ATTEMPT TO UPLOAD TO ROOM40 (Successful)
==> REM -----------------------------------------------------------------------
==> %CD%\curl.exe
--verbose -T "stuff.dat"
--tlsv1.2
--ciphers AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA
--capath ..\certs
--user matahari:18761917 https://ROOM40/datasink/
* Trying 10.11.51.37...
* Connected to ROOM40 (10.11. 51.37) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA
* successfully set certificate verify locations:
* CAfile: none
CApath: ..\certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=CA; L=Los Angeles; O=CID; OU=LA DEV; CN=ROOM40
* start date: 2014-05-01 15:44:59 GMT
* expire date: 2018-02-05 22:10:46 GMT
* common name: ROOM40 (matched)
* issuer: CN=DISRAELI
* SSL certificate verify ok.
* Server auth using Basic with user 'matahari'
> PUT /datasink/stuff.dat HTTP/1.1
> Host: ROOM40
> Authorization: Basic ZnRwd2FsbDoxMzRGa3JlVDk1andfMlE=
> User-Agent: curl/7.44.0
> Accept: */*
> Content-Length: 161
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 201 Created
< Location: http://ROOM40/datasink/stuff.dat
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Thu, 04 Aug 2016 01:31:09 GMT
< Content-Length: 0
<
* Connection #0 to host ROOM40 left intact
==> REM -----------------------------------------------------------------------
==> REM ATTEMPT #1 TO UPLOAD TO HOSTX (Fails)
==> REM -----------------------------------------------------------------------
==> %CD%\curl.exe
--verbose -T "stuff.dat"
--tlsv1.2
--ciphers AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA
--capath ..\certs
--user TELawrence:18881935 https://hostx.area51.gov/upload/
* Trying 211.3.150.21...
* Connected to hostx.area51.gov (211.3.150.21) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA
* successfully set certificate verify locations:
* CAfile: none
CApath: ..\certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
* Closing connection 0
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
==> REM -----------------------------------------------------------------------
==> REM ATTEMPT #2 TO UPLOAD TO HOSTX (Fails)
==> REM -----------------------------------------------------------------------
==> %CD%\curl.exe
--verbose -T "stuff.dat"
--tlsv1.2
--ciphers AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
--capath ..\certs
--user TELawrence:18881935 https://hostx.area51.gov/upload/
* Trying 211.3.150.21...
* Connected to hostx.area51.gov (211.3.150.21) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
* successfully set certificate verify locations:
* CAfile: none
CApath: ..\certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to hostx.area51.gov:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to hostx.area51.gov:443
==> REM -----------------------------------------------------------------------
==> REM ATTEMPT #3 TO UPLOAD TO HOSTX (Fails)
==> REM -----------------------------------------------------------------------
==> %CD%\curl.exe
--verbose -T "stuff.dat"
--tlsv1.2
--capath ..\certs
--user TELawrence:18881935 https://hostx.area51.gov/upload/
* Trying 211.3.150.21...
* Connected to hostx.area51.gov (211.3.150.21) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: none
CApath: ..\certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
* Closing connection 0
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160806/6f982c5b/attachment.html>
