Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] curl with TLSv1, 1.1 and 1.2 support
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
GhostTyper
Tux's lil' helper
Tux's lil' helper


Joined: 03 Apr 2004
Posts: 79
Location: Germany; BW

PostPosted: Mon Sep 17, 2018 12:00 pm    Post subject: [SOLVED] curl with TLSv1, 1.1 and 1.2 support Reply with quote

Hello,

i want curl to use TLSv1 and above. Currently it only supports SSLv2 and SSLv3, which is pretty outdated.

Sadly, I don't know which use-flags I need to use. My current configuration looks like this:
Code:
ws1 ~ # emerge -ptv openssl curl

These are the packages that would be merged, in reverse order:

Calculating dependencies... done!
[ebuild   R    ] net-misc/curl-7.61.0::gentoo  USE="idn ssl -adns -brotli -http2 -ipv6 -kerberos -ldap -metalink -rtmp -samba -ssh -static-libs {-test} -threads" ABI_X86="(64) -32 (-x32)" CURL_SSL="openssl -axtls -gnutls -libressl -mbedtls -nss (-winssl)" 0 KiB
[ebuild   R    ]  dev-libs/openssl-1.0.2o-r3::gentoo  USE="asm bindist sslv3 tls-heartbeat zlib -gmp -kerberos -rfc3779 -sctp -sslv2 -static-libs {-test} -vanilla" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" 0 KiB

Total: 2 packages (2 reinstalls), Size of downloads: 0 KiB

 * IMPORTANT: 17 news items need reading for repository 'gentoo'.
 * Use eselect news read to view new items.
The error I observe is:
Code:
ws1 ~ # curl https://api.twitch.tv/kraken/base
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol


Last edited by GhostTyper on Tue Sep 18, 2018 4:47 pm; edited 1 time in total
Back to top
View user's profile Send private message
Christian99
Veteran
Veteran


Joined: 28 May 2009
Posts: 1176

PostPosted: Mon Sep 17, 2018 12:38 pm    Post subject: Reply with quote

I think that's the bindist useflag of openssl. I have it disabled and i'm able to curl the address you specified.

curl telss me, that it is using "* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384"
checking
Code:
equery u openssl
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for dev-libs/openssl-1.0.2p:
 U I
 + + abi_x86_32    : 32-bit (x86) libraries
 + + asm           : Support assembly hand optimized crypto functions (i.e. faster run time)
 - - bindist       : Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI
 + + gmp           : Add support for dev-libs/gmp (GNU MP library)
 + + kerberos      : Add kerberos support
 - - rfc3779       : Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)
 - - sctp          : Support for Stream Control Transmission Protocol
 - - sslv2         : Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https
 + + sslv3         : Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https
 - - static-libs   : Build static versions of dynamic libraries as well
 - - test          : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
 + + tls-heartbeat : Enable the Heartbeat Extension in TLS and DTLS
 - - vanilla       : Do not add extra patches which change default behaviour; DO NOT USE THIS ON A GLOBAL SCALE as the severity of the meaning changes drastically
 + + zlib          : Add support for zlib (de)compression


it seems, that this cipher is disabled by the bindist useflag.

Also note: the sslv2/3 flags for openssl enable those protocols additionaly, tls1.* is enabled (and can't be disabled, afaik) by default for openssl.
Back to top
View user's profile Send private message
GhostTyper
Tux's lil' helper
Tux's lil' helper


Joined: 03 Apr 2004
Posts: 79
Location: Germany; BW

PostPosted: Mon Sep 17, 2018 12:58 pm    Post subject: Reply with quote

Changing the use flags (-bindist) didn't change curls behaviour. I also added bindist for testing only:
Code:
ws1 ~ # emerge -ptv openssl curl

These are the packages that would be merged, in reverse order:

Calculating dependencies... done!
[ebuild   R    ] net-misc/curl-7.61.0::gentoo  USE="idn ssl -adns -brotli -http2 -ipv6 -kerberos -ldap -metalink -rtmp -samba -ssh -static-libs {-test} -threads" ABI_X86="(64) -32 (-x32)" CURL_SSL="openssl -axtls -gnutls -libressl -mbedtls -nss (-winssl)" 0 KiB
[ebuild   R    ]  dev-libs/openssl-1.0.2o-r3::gentoo  USE="asm sslv3 tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -sctp -sslv2 -static-libs {-test} -vanilla" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" 0 KiB

Total: 2 packages (2 reinstalls), Size of downloads: 0 KiB

 * IMPORTANT: 17 news items need reading for repository 'gentoo'.
 * Use eselect news read to view new items.

ws1 ~ # curl https://api.twitch.tv/kraken/base
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
ws1 ~ # curl --tlsv1.2 https://api.twitch.tv/kraken/base
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
ws1 ~ # curl -v https://api.twitch.tv/kraken/base
*   Trying 104.86.61.204...
* TCP_NODELAY set
* Connected to api.twitch.tv (104.86.61.204) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
It really seems to be a problem with openssl:
Code:
ws1 ~ # openssl s_client -connect api.twitch.tv:https
CONNECTED(00000003)
140436400553536:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:827:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1537189359
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Back to top
View user's profile Send private message
Christian99
Veteran
Veteran


Joined: 28 May 2009
Posts: 1176

PostPosted: Mon Sep 17, 2018 1:53 pm    Post subject: Reply with quote

what did you do to you r openssl? :o

Also, can you try other addresses with oepnssl s_client?

eg gentoo.org, startpage.com....
Back to top
View user's profile Send private message
GhostTyper
Tux's lil' helper
Tux's lil' helper


Joined: 03 Apr 2004
Posts: 79
Location: Germany; BW

PostPosted: Mon Sep 17, 2018 5:07 pm    Post subject: Reply with quote

I DON'T KNOW. 8O

gentoo.org supports TLSv1.0, 1.1 and 1.2:
Code:
openssl s_client -connect gentoo.org:https
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = default.gentoo.org
verify return:1
---
Certificate chain
 0 s:/CN=default.gentoo.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[The certificate...]
-----END CERTIFICATE-----
subject=/CN=default.gentoo.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5030 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: BE9D919076F5B63C1852B58CF282F3FEBCE3FD5BDEB289B94015BAAD3A1C71E3
    Session-ID-ctx:
    Master-Key: EDDB0251D6329273E175CA7ABC0449AD92CB2BF0BFAAFC71406EDFE06F9600227B9DD2CF3E57FE0D3E6512EE3A56173C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1537200659
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Code:
ws1 / # openssl s_client -connect startpage.com:https
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.startpage.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.startpage.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[The certificate...]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.startpage.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5014 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FB939A3B3368D67059304986D07579178CAF06C4A643287AC8A031A641ADD1AD
    Session-ID-ctx:
    Master-Key: 8A9969DEEEE6326A0FCDF2191FFEC090C18BFA96F5215EB1B66BF7B0B5903B8C700996FF9D20053B7DC9F0089D1FF1FF
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    [Some Data...]

    Start Time: 1537200778
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
This is quite strange. So, it's not a protocol problem, it must be something else. What could it be? Some misconfiguration of mine? But I don't remember any changes to the openssl configuration. Even twitch.tv is workin':
Code:
ws1 / # openssl s_client -connect twitch.tv:https
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc.", CN = twitch.map.fastly.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=twitch.map.fastly.net
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[Certificate...]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=twitch.map.fastly.net
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3623 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 21C61EADAFCBEA0F0999C8ED305709B02B8E7C007931CFD3BF317E6D751D0820
    Session-ID-ctx:
    Master-Key: 37EF39BC9BAFF879F89A8231D858EA4B5898A9AAEDEB03D558688924E99821DDBA6D426404E0A1AC541B5B7EB33175B4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    [Some Data...]

    Start Time: 1537201217
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
But api.twitch.tv does not work:
Code:
ws1 / # openssl s_client -connect api.twitch.tv:https
CONNECTED(00000003)
139732243668544:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:827:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1537201329
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Back to top
View user's profile Send private message
GhostTyper
Tux's lil' helper
Tux's lil' helper


Joined: 03 Apr 2004
Posts: 79
Location: Germany; BW

PostPosted: Mon Sep 17, 2018 5:15 pm    Post subject: Reply with quote

I fear, something happens on the transport way. I tried 3 different ip ranges to just be sure that the service isn't banned from the twitch API.
Back to top
View user's profile Send private message
Christian99
Veteran
Veteran


Joined: 28 May 2009
Posts: 1176

PostPosted: Mon Sep 17, 2018 9:00 pm    Post subject: Reply with quote

can you please post output from
Code:
openssl ciphers|tr : \\n
?
Back to top
View user's profile Send private message
GhostTyper
Tux's lil' helper
Tux's lil' helper


Joined: 03 Apr 2004
Posts: 79
Location: Germany; BW

PostPosted: Tue Sep 18, 2018 2:21 am    Post subject: Reply with quote

I could, but it's not necessary. I re-asked this question with my latest findings: https://forums.gentoo.org/viewtopic-p-8261988.html

Thank you for your help, but it isn't a problem on this gentoo installation.
Back to top
View user's profile Send private message
Christian99
Veteran
Veteran


Joined: 28 May 2009
Posts: 1176

PostPosted: Tue Sep 18, 2018 8:31 am    Post subject: Reply with quote

I don't think that this is related to firewall or network in general at all. You are able to establish a connection, it's just not a valid tls connection.
For the firewall, to interfere with this, something like deep packet inspection would be needed, what you are probably not doing.

But let's see...
Back to top
View user's profile Send private message
GhostTyper
Tux's lil' helper
Tux's lil' helper


Joined: 03 Apr 2004
Posts: 79
Location: Germany; BW

PostPosted: Tue Sep 18, 2018 4:04 pm    Post subject: Reply with quote

What does sherlock say? "when you have eliminated the impossible, whatever remains, however improbable, must be the truth"

I know that this shouldn't happen. Facts are:
  • It works without the firewall.
  • It works after a firewall restart.
And there could be many options up to a bug in the kernel.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum