1

I'm trying to open a website with cURL like this:

$ curl -vH "Accept: application/json" https://www.rocketleaguereplays.com/api/replays/-1/

The output is:

*   Trying 104.24.114.83...
* Connected to www.rocketleaguereplays.com (104.24.114.83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I have Linux kernel 4.4.0 and the newest cURL version installed:

$ curl -V
curl 7.47.1 (x86_64-pc-linux-gnu) libcurl/7.47.1 OpenSSL/1.0.2f zlib/1.2.8 c-ares/1.10.0 nghttp2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM SSL libz TLS-SRP HTTP2 UnixSockets

How can I fix this? On Ubuntu it works fine with cURL and the same URL.

1
  • Now I fixed it. OpenSSL was compiled with the "bindist" USE-Flag. It works without this. Commented Feb 17, 2016 at 7:33

1 Answer

2

Basically, https://www.rocketleaguereplays.com uses outdated encryption (SSL3); you can force curl to connect to insecure sites like this using the -k (--insecure) switch.

Try this: curl -kvH "Accept: application/json" https://www.rocketleaguereplays.com/api/replays/-1/

You could also try using the -3 aka --sslv3 switch; however, if curl was built without SSL3 support, then you need to compile your own version of curl, enabling SSL3.

EDIT: The OP has found the problem.

I got confused by the error message.

This is a bug in Gentoo:

https://bugs.gentoo.org/show_bug.cgi?id=531540

Basically, when you build openssl with the bindist flag, the elliptic curve crypto is disabled. This site requires elliptic curve cryptography.

When I run this, I get the following:

$ curl -vH "Accept: application/json" https://www.rocketleaguereplays.com/api/replays/-1/
* STATE: INIT => CONNECT handle 0x6000572d0; line 1090 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* Trying 2400:cb00:2048:1::6818:7353...
* STATE: CONNECT => WAITCONNECT handle 0x6000572d0; line 1143 (connection #0)
* Connected to www.rocketleaguereplays.com (2400:cb00:2048:1::6818:7353) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x6000572d0; line 1240 (connection #0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x6000572d0; line 1254 (connection #0)
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256 <----
[...]

So my curl uses elliptic curve with this site.

3
  • Thank you, but there is the same error :( Commented Feb 17, 2016 at 7:30
  • @Hanashi then why would you accept this answer Commented Jun 4, 2020 at 6:10
  • I think he accepted the answer after the Edit. Commented Jun 12, 2020 at 13:22
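
A way to check for the condition the answer's edit describes (an OpenSSL build with no elliptic-curve suites), as an added example that is not part of the original question or answer. It parses output in the `openssl ciphers -v` format; the function names and the two sample cipher lists are constructed for illustration, and the suite name is the one from the successful handshake log above.

```shell
#!/bin/sh
# Added example: decide from `openssl ciphers -v` output whether a build can
# offer elliptic-curve suites. Line format: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..

# Constructed sample: a build with EC support.
SAMPLE_FULL='ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD'

# Constructed sample: what a build without EC is assumed to list.
SAMPLE_NO_EC='DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD'

# Print how many suites on stdin use ECDH key exchange or ECDSA authentication.
count_ec_suites() {
    awk '{ for (i = 3; i <= NF; i++)
               if ($i ~ /^Kx=ECDH/ || $i == "Au=ECDSA") { n++; break } }
         END { print n + 0 }'
}

# Exit 0 if the suite named in $1 appears in the list on stdin.
has_suite() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# Classify the list on stdin against the suite the server negotiates ($1):
#   no-ec                 no EC suites at all (the failure mode on this page)
#   ec-but-missing-suite  EC present, but not the wanted suite
#   ok                    the wanted suite can be offered
diagnose() {
    list=$(cat)
    n=$(printf '%s\n' "$list" | count_ec_suites)
    if [ "$n" -eq 0 ]; then
        echo "no-ec"
    elif printf '%s\n' "$list" | has_suite "$1"; then
        echo "ok"
    else
        echo "ec-but-missing-suite"
    fi
}

# Against the local build:
#   openssl ciphers -v 'ALL' | diagnose ECDHE-ECDSA-AES128-GCM-SHA256
printf 'full build:  %s\n' "$(printf '%s\n' "$SAMPLE_FULL" | diagnose ECDHE-ECDSA-AES128-GCM-SHA256)"
printf 'no-EC build: %s\n' "$(printf '%s\n' "$SAMPLE_NO_EC" | diagnose ECDHE-ECDSA-AES128-GCM-SHA256)"
```

A `no-ec` result points at the client's OpenSSL build rather than at the server, which is a reason to fix the build instead of reaching for `-k` or `--sslv3`.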
