添加链接
link之家
链接快照平台
  • 输入网页链接,自动生成快照
  • 标签化管理网页链接
Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Learn more about Collectives

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Learn more about Teams

I have the following error, when attempting to connect to an old HTTPS-enabled web site using Curl:

curl https://10.11.1.44
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

More verbosely:

* Expire in 0 ms for 6 (transfer 0x55a4192abdd0)
*   Trying 10.11.1.44...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55a4192abdd0)
* Connected to 10.11.1.44 (10.11.1.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

If I try to use the --ssl2 or --ssl3 options, I get the following error:

root@kali:~# curl https://10.11.1.44/ --sslv2
curl: (4) OpenSSL was built without SSLv2 support
root@kali:~# curl https://10.11.1.44/ --sslv3
curl: (4) OpenSSL was built without SSLv3 support

I've consulted the following page for how to build Curl with SSL2/3 support, but I'm not sure how to enable it?

https://curl.haxx.se/docs/install.html

Any ideas?

the sane solution here would be to upgrade the server at 10.11.1.44 to support TLS, not to downgrade curl to support SSL, you should do that instead if possible. still, if that's unfeasible, read my answer below (my personal excuse for doing this is that it's not feasible to reverse-engineer the Dell DRAC firmware to change the DRAC web server for an ancient server x.x) – hanshenrik May 31, 2019 at 12:29

Update: curl dropped support for --sslv2 / sslv3 sometime after curl version 7.76.1 was released, so you must make sure to also compile curl version 7.76.1 or older. instructions has been updated to make sure curl 7.76.1 is generated. (thanks to Matias Barros for the update)

you'll need to compile both curl and your ssl backend from source, obviously you'll need a C compiler, and probably more stuff but idk what, hopefully this should cover it:

sudo apt-get install gcc build-essential make cmake autoconf git automake libtool

this can probably be done with several ssl backends, but since i'm most familiar with OpenSSL, i'll proceed with OpenSSL, to build openssl go to the openssl repo at https://github.com/openssl/openssl and find an appropriate openssl version, in this example i chose version 1.1.1k (which is the latest stable openssl release as of writing),

git clone -b 'OpenSSL_1_1_1k' --single-branch --depth 1 https://github.com/openssl/openssl
cd openssl
./config no-shared enable-ssl2 enable-ssl3 enable-ssl3-method
make -j $(nproc)

(the last step may take a while) but openSSL's build script does not create a lib folder, but curl's build script expect the lib files to be in a lib folder inside the openssl folder, so after the make, run

mkdir lib
cp *.a lib;

once that's done, it's time to make curl, so cd .. out of there and clone the last version of curl supporting the --sslv2 / --sslv3 switches 7.76.1,

git clone -b 'curl-7_76_1' --single-branch --depth 1 https://github.com/curl/curl.git
cd curl
./buildconf
LDFLAGS="-static" ./configure --with-ssl=$(realpath ../openssl) --disable-shared  --enable-static
make -j $(nproc)

(if you wonder why i used realpath: there appears to be a bug in curl's buildscript that makes it fail if you supply a relative path, so an absolute path is required, it seems. if you wonder why i made a static build aka --disable-shared --enable-static, you may have a different libopenssl library in your $PATH, so to avoid a conflict with ubuntu's built-in libopenssl, a static build is safer.)

and finally,

/temp2/curl# ./src/curl --sslv3 https://google.com
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

(because https://google.com no longer supports sslv3, at all.)

TL;DR

git clone -b 'OpenSSL_1_1_1k' --single-branch --depth 1 https://github.com/openssl/openssl
cd openssl
./config no-shared enable-ssl2 enable-ssl3 enable-ssl3-method
make -j $(nproc)
mkdir lib
cp *.a lib;
cd ..
git clone -b 'curl-7_76_1' --single-branch --depth 1 https://github.com/curl/curl.git
cd curl
./buildconf
LDFLAGS="-static" ./configure --with-ssl=$(realpath ../openssl) --disable-shared  --enable-static
make -j $(nproc)
./src/curl --sslv3 https://google.com
                note that for building on Alpine the required packages were: apk add git autoconf automake libtool make cmake binutils gcc g++ linux-headers
– Donatello
                May 6, 2021 at 21:50
                when building curl the exact command will be:   LDFLAGS="-static" LIBS="-lbrotlidec"   ./configure --with-ssl=$(realpath ../openssl) --disable-shared  --enable-static
– Michal Turlik
                Aug 17, 2022 at 15:26

The error "protocol version (582)" means the server supports max TLSv1.0.

TLSv1.0 is deprecated and disabled in latest distro's (e.g. Ubuntu 19+, Debian Buster+).

Specifying --tlsv1.0 curl argument won't help, as the protocols are disabled in OpenSSL.

Either upgrade the server to which you're connecting (preferred),

... or enable TLSv1.0 in /etc/openssl.cnf:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

change to

[system_default_sect]
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1

Note: SECLEVEL=1 enables SHA-1 and allows the RSA key to be less than 2048 bits (will probably be needed to connect to old servers).

(no need to recompile anything)

by default, SSLv3 support is no longer compiled with OpenSSL, and it requires special compile-time flags to enable, and i just checked the openssl bundled with Xubuntu 20.04, it was not compiled with SSLv3 support (lowest was TLS1.0), so if you need sslv3 or v2, you must compile openssl from source, not just configure the one bundled with Ubuntu – hanshenrik Nov 22, 2020 at 22:13

Thanks for contributing an answer to Stack Overflow!

  • Please be sure to answer the question. Provide details and share your research!

But avoid

  • Asking for help, clarification, or responding to other answers.
  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.