
I just installed an Arch-based distribution, Antergos. Then I installed a few packages with pacman. Now, after a restart, I am getting SSL errors while trying to clone with git.

fatal: unable to access 'https://[email protected]/xxx/yyyy.git/': error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Also, curl to any https doesn't work.

curl https://google.com
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

curl looks to be the latest.

$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

$ pacman -Q | egrep 'ssl|curl'
    curl 7.58.0-1
    openssl 1.1.0.g-1
    openssl-1.0 1.0.2.n-1
    python-pycurl 7.43.0.1-1

$ ldd `which curl`
    linux-vdso.so.1 (0x00007ffdccee9000)
    libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007fe06a5a5000)
    libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007fe06a387000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007fe069fd0000)
    libnghttp2.so.14 => /usr/lib/libnghttp2.so.14 (0x00007fe069dab000)
    libidn2.so.0 => /usr/lib/libidn2.so.0 (0x00007fe069b8e000)
    libpsl.so.5 => /usr/lib/libpsl.so.5 (0x00007fe069980000)
    libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007fe069716000)
    libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007fe069299000)
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007fe06904b000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00007fe068d63000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00007fe068b30000)
    libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x00007fe06892c000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00007fe068715000)
    /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007fe06aa4a000)
    libunistring.so.2 => /usr/lib/libunistring.so.2 (0x00007fe068393000)
    libdl.so.2 => /usr/lib/libdl.so.2 (0x00007fe06818f000)
    libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00007fe067f82000)
    libkeyutils.so.1 => /usr/lib/libkeyutils.so.1 (0x00007fe067d7e000)
    libresolv.so.2 => /usr/lib/libresolv.so.2 (0x00007fe067b67000)

I am behind a proxy.

$ proxytunnel -p PROXY_IP:PROXY_PORT -d www.google.com:443 -a 7000
$ openssl s_client -connect localhost:7000
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3790 bytes and written 261 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: BEE4D8162570B4AB0C8121DEC5756B6DC063DB3E7321BB58FD12D566482AD99A
    Session-ID-ctx: 
    Master-Key: B050C78AAC1A0DF5063263DDCD3437CD3A4029E7D5431E236936D2D88AAAD2555A18D92318C9E2E31A550E339D4C26A8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    Start Time: 1519286347
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
read:errno=0

What is the solution?

Update

Confirming this is necessarily a curl issue. When I turn off the proxy and connect directly, curl over https works. I set any other proxy server IP and port from https://free-proxy-list.net/ and then try to connect with curl through the proxy. I get the same error. So either this curl version has a bug or so many proxy servers are wrongly configured.

Update

I think the issue is related to Deepin DE. I switched from the Deepin Desktop Environment to standard GNOME and curl started working fine. Possibly this is a bug related to Deepin's network settings, although it sets the environment variables correctly.

  • Missing a lot of information: curl version, versions of ssl libs: pacman -Q | egrep 'ssl|curl' Commented Feb 21, 2018 at 18:10
  • And duplicate of stackoverflow.com/questions/29627991/ddg#29657239 Commented Feb 21, 2018 at 18:13
  • I don't think it is a duplicate. Please check the updated question. Commented Feb 22, 2018 at 8:42
  • Have you tried with another tool like wget to know if it's the client's or the server's fault? Commented Feb 22, 2018 at 12:27
  • Yes, wget works fine. Tested. Commented Feb 22, 2018 at 12:34

1 Answer

You might be misusing an https-over-http proxy as an https-over-https proxy.

Just change your proxy url from https://something to http://something.
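
Why that mismatch surfaces as "wrong version number", as an added example that is not part of the original answer: a curl build with HTTPS-proxy support starts a TLS handshake with the proxy itself when the proxy URL says https://, and a plain HTTP proxy replies in cleartext, so the first five reply bytes are misread as a TLS record header. The host proxy.example, the environment values and the reply bytes are constructed for illustration.

```python
import struct

TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data
PROXY_VARS = ("http_proxy", "https_proxy", "HTTPS_PROXY", "all_proxy", "ALL_PROXY")

# Constructed samples: what a plain HTTP proxy sends back when it receives a
# TLS ClientHello, a real TLS record header, and a misconfigured environment.
SAMPLE_PLAIN_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"
SAMPLE_TLS_REPLY = bytes([22, 3, 3, 0, 90, 2])
SAMPLE_ENV = {"http_proxy": "http://proxy.example:3128",
              "https_proxy": "https://proxy.example:3128"}


def parse_record_header(first_bytes):
    """Read the 5-byte TLS record header the way a TLS client does."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return {"type": ctype, "major": major, "minor": minor, "length": length}


def classify_reply(first_bytes):
    """Classify a peer's first reply as 'tls', 'plaintext-http' or 'unknown'."""
    hdr = parse_record_header(first_bytes)
    if hdr["major"] == 3 and hdr["type"] in TLS_CONTENT_TYPES:
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        # 'H','T','T' is read as type 0x48 and version 0x54.0x54; the major
        # version is not 3, which OpenSSL reports as "wrong version number".
        return "plaintext-http"
    return "unknown"


def audit_proxy_env(env, proxy_reply):
    """Flag proxy variables whose URL scheme disagrees with what the proxy speaks."""
    speaks = classify_reply(proxy_reply)
    findings = []
    for name in PROXY_VARS:
        value = env.get(name)
        if not value:
            continue
        scheme = value.split("://", 1)[0].lower() if "://" in value else ""
        if scheme == "https" and speaks == "plaintext-http":
            findings.append((name, value, "TLS started to a plain HTTP proxy; use http://"))
        elif scheme in ("", "http") and speaks == "tls":
            findings.append((name, value, "proxy expects TLS; use https://"))
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_env(SAMPLE_ENV, SAMPLE_PLAIN_REPLY):
        print(finding)
```
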
