site works on chrome but not on curl

Time:04-16

The error is this:

* Connected to www.****.com (213.74.254.54) port 443 (#0)
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:0A000152:SSL routines::unsafe legacy renegotiation disabled
* Closing connection 0
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled

The same URL opens just fine in Chrome. I tried "Copy as cURL" from Chrome and ran that with curl too; same error. So maybe Chrome is somehow more slack on the SSL negotiation. How can I make curl behave the same?

curl version:

curl --version
curl 7.80.0 (x86_64-apple-darwin19.6.0) libcurl/7.80.0 OpenSSL/3.0.1 zlib/1.2.11 zstd/1.5.2 libidn2/2.3.2 libpsl/0.21.1 (+libidn2/2.3.2)
Release-Date: 2021-11-10
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IDN IPv6 Largefile libz NTLM NTLM_WB PSL SSL TLS-SRP UnixSockets zstd

CodePudding user response:

Meta: this isn't really programming or development; I will delete if necessary but I think superuser would be suitable and have voted for that (but we'll see what others think). I can see equally good arguments for apple.SX or security.SX instead, but (AFAIK) those would require a mod.

While Steffen is correct that the server is either badly out of date or misconfigured and should be fixed, OpenSSL below 3.0.0 (just last year) will by default connect to a non-RFC5746 server as long as the server does not actually use the unsafe 'legacy' (RFC5246 et pred) renegotiation.

Thus, if you can get or use a curl built against an older OpenSSL, it should just work. I'm not sure what the situation is for Mac on this, for example whether brew or fink or similar has this available. Worst case, both OpenSSL and curl are open source, so you could build your own older versions; that would be on-topic for SO, but a fair bit of work.

Alternatively, as long as curl doesn't work to mess it up (which I wouldn't expect, but don't know for sure), OpenSSL 1.1.0 and up can control this with runtime configuration:

  1. Either edit your systemwide config file openssl.cnf in the directory identified by openssl version -d (affects all programs and processes) or create your own file anywhere suitable and point to it with environment variable OPENSSL_CONF. See the man page for config(5) on your system or the web.

  2. In the default section (beginning of the file to the first line wrapped in square brackets) add if not already present an item openssl_conf = sect1 where sect1 is conventionally openssl_init but can be any section-name unique in the file.

  3. Create sect1 if not already present, and add if not already present an item ssl_conf = sect2 where sect2 is conventionally ssl_configuration but as above.

  4. Create sect2 if not already present, and add if not already present an item client = sect3 where sect3 is conventionally client_tls_config but as above.

  5. Create sect3 if not already present, and add if not already present an item for Options = whose value is (or is a comma-separated list including) UnsafeLegacyServerConnect. See the man page for SSL_CONF_cmd(3) on your system or the web.
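Putting the five steps together as one file, as an added example that is not part of the original answer: the script below writes a standalone OpenSSL config containing the section chain described above (openssl_conf -> openssl_init -> ssl_configuration -> client_tls_config -> Options) and points curl at it through the OPENSSL_CONF environment variable, so the relaxation applies to that one invocation rather than to every OpenSSL-linked program on the machine. The function names and the temporary file path are assumptions of the example. Note that UnsafeLegacyServerConnect (SSL_OP_LEGACY_SERVER_CONNECT in the API) only lets the client complete the initial handshake with a server that does not advertise RFC 5746 secure renegotiation; it does not enable insecure renegotiation itself, which is why it is the narrower of the two legacy-renegotiation options.

```bash
#!/bin/sh
# Added example: per-invocation OpenSSL config for connecting to a server
# that lacks RFC 5746 secure-renegotiation support (OpenSSL 1.1.0+ / 3.x).

# Write the config file at the path given as $1.
# Section names follow the conventional ones from the answer; any unique
# names would work as long as each pointer matches its section header.
write_legacy_renego_conf() {
  cat > "$1" <<'EOF'
# Default section: the key 'openssl_conf' names the application init section.
openssl_conf = openssl_init

[openssl_init]
# 'ssl_conf' names the section holding libssl (TLS) settings.
ssl_conf = ssl_configuration

[ssl_configuration]
# 'client' applies to SSL_CTX objects created with a client method.
client = client_tls_config

[client_tls_config]
# Allow the initial handshake with servers that do not send the
# renegotiation_info extension. Does NOT allow unsafe renegotiation.
Options = UnsafeLegacyServerConnect
EOF
}

# Run curl against URL ($2) with the config at $1 applied only to this
# process (OPENSSL_CONF is read by libssl at initialisation).
# Prints the HTTP status code; returns curl's exit status.
curl_with_legacy_renego() {
  OPENSSL_CONF="$1" curl -sS -o /dev/null -w '%{http_code}\n' "$2"
}

# Usage: sh legacy_renego.sh https://www.example.com/
# (URL is a placeholder; substitute the real host from the curl error.)
if [ "$#" -ge 1 ]; then
  conf="${TMPDIR:-/tmp}/legacy-renego.cnf"
  write_legacy_renego_conf "$conf"
  curl_with_legacy_renego "$conf" "$1"
fi
```

Because the override lives in a private file selected through OPENSSL_CONF, the system-wide openssl.cnf stays untouched and other TLS clients on the machine keep rejecting non-RFC5746 servers; once the server is fixed, delete the file and the relaxed behaviour is gone with it.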
