Tags: php, curl, openssl, libcurl, php-openssl

curl with TLSv1.2 works on client but not on server


On my Ubuntu 14.04 LTS server SSLv2 and SSLv3 are disabled. I'm running different apps on the server. One app needs to use curl to connect to another app hosted on the same machine.

The problem is that the connection works on my Ubuntu 14.04 LTS KDE client, but not on my server itself.

On both server and client the same curl and OpenSSL versions are running:

$ curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

On the client I get

$ sudo curl -X HEAD -D - https://server.foobar.net:443/owncloud/remote.php/carddav/addressbooks/foobar/kontakte/
HTTP/1.1 401 Unauthorized
Date: Wed, 09 Sep 2015 04:46:55 GMT
Server: Apache
Set-Cookie: oc6c79ce288a=hcv4snboaf31v9a4nnse5g8ts3; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *; connect-src *
X-Robots-Tag: none
WWW-Authenticate: Basic realm="ownCloud"
Content-Type: application/xml; charset=utf-8

On the server I get

$ sudo curl -X HEAD -D - https://server.foobar.net:443/owncloud/remote.php/carddav/addressbooks/foobar/kontakte/
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Please point me in the right direction.


Solution

  • I checked the server with https://www.ssllabs.com/ssltest/ and it says that the certificate is valid and that the server supports TLS 1.2, 1.1 and also 1.0.

    You could also try to add --no-check-certificate to your curl request.

    I also tried the -k option with curl (I think --no-check-certificate cannot be used with curl, only with wget) with the same result. In the Apache log I see nothing; I think that's because the connection tries to come in over SSL.

    With openssl s_client -debug server.foobar.net:443/owncloud/remote.php/carddav/addressbooks/foobar/kontakte/ I get this:

    140093535233696:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 295 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    

    EDIT: Now I got it! In the /etc/hosts of my server there was a wrong configuration.
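The thread's root cause, a stale /etc/hosts entry that sends the hostname to a peer which does not speak TLS on port 443, is exactly what OpenSSL's "SSL23_GET_SERVER_HELLO:unknown protocol" reports: the first bytes read back were not a TLS record. The following added example (not from the original post) shows the two checks that pin this down offline: which address /etc/hosts would resolve the name to, and what kind of peer the first reply bytes indicate. The hosts file contents, the 127.0.0.1 address and the reply bytes are constructed sample data.

```python
#!/usr/bin/env python3
"""Triage curl error 35 / "SSL23_GET_SERVER_HELLO:unknown protocol"."""

TLS_HANDSHAKE = 0x16  # content type of a TLS handshake record (ServerHello)
TLS_ALERT = 0x15      # content type of a TLS alert record

# Constructed /etc/hosts sample: a stale test entry pins the public name
# to the loopback address, so connections never reach the real TLS vhost.
SAMPLE_HOSTS = """127.0.0.1   localhost
# left over from testing (constructed sample entry)
127.0.0.1   server.foobar.net
"""

def hosts_lookup(hosts_text, hostname):
    """Return the address /etc/hosts maps hostname to, or None.

    Mirrors the resolver: comments are stripped, names match
    case-insensitively and the first matching line wins.
    """
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if any(name.lower() == hostname.lower() for name in fields[1:]):
            return fields[0]
    return None

def classify_reply(first_bytes):
    """Classify the first bytes a port-443 peer sent back.

    A TLS record starts with its content type followed by a 0x03 major
    version byte; anything else is what OpenSSL calls "unknown protocol".
    """
    if len(first_bytes) >= 2 and first_bytes[1] == 0x03:
        if first_bytes[0] == TLS_HANDSHAKE:
            return "tls-handshake"
        if first_bytes[0] == TLS_ALERT:
            return "tls-alert"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    return "unknown"

def diagnose(hosts_text, hostname, first_bytes):
    """Combine both checks into a one-line finding for the operator."""
    kind = classify_reply(first_bytes)
    if kind in ("tls-handshake", "tls-alert"):
        return "peer speaks TLS; check certificates or cipher settings instead"
    pinned = hosts_lookup(hosts_text, hostname)
    where = f"/etc/hosts pins {hostname} to {pinned}" if pinned else f"{hostname} resolves via DNS"
    return f"peer sent {kind} instead of a TLS ServerHello; {where}"
```

Running the same checks on the client, where the hostname resolves via DNS to the real server, yields the TLS branch, which matches the differing behaviour seen in the question.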