16
$ curl -I https://9.185.173.135
curl: (35) Unknown SSL protocol error in connection to 9.185.173.135:443

This is a secured page that I need to access. But I don't know how to obtain its certificate file. I tried to use Firefox, but it says it couldn't get any SSL certificate once the URL is entered.

$ curl -I http://9.185.173.135
HTTP/1.1 200 OK
Content-Length: 686
Content-Type: text/html
Content-Location: http://9.185.173.135/Default.htm
Last-Modified: Mon, 16 Mar 2009 05:05:38 GMT
Accept-Ranges: bytes
ETag: "a851dbd8f4a5c91:d41"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 13 Jul 2010 04:09:35 GMT

The server is definitely reachable from my laptop. Once I get the certificate file, I assume I can then import it to Firefox and then use my credentials to pass the authentication (I already got the username/password).

Sorry I am no expert in security at all. Is there anything else I can try?

Many thanks in advance.

4
  • 5
    Can you establish a connection to the server with openssl s_client -host 9.185.173.135 -p 443? Commented Jul 13, 2010 at 12:12
  • @ Rudi: Thanks for the hint, please see my answer for the update :) Commented Jul 13, 2010 at 22:44
  • 1
    my open_ssl wants me to do -connect <ip>:<port> instead of -host <ip> -p <port> - probably changed in newer version. Commented Sep 20, 2012 at 11:25
  • The server might be using SSL2 or SSL3... Those protocols are deprecated now. Commented Jun 5, 2020 at 15:34

8 Answers 8

4

try this

curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3); // Force SSLv3 to fix Unknown SSL Protocol error

5 Comments

But this will not work on SPDY. There you have to use spdycat. I am not the author but it's an open-source project.
FYI: we had this and it didn't work. From another answer we found: curl_setopt($ch, CURLOPT_SSLVERSION, 4); which worked. (Version 4, not 3).
There are security risks with this approach. See the PHP docs. php.net/manual/en/function.curl-setopt.php
Please do not use arbitrary numbers for something that is supposed to receive a descriptive enum. @WilliamJossCrowcroft for example, incorrectly refers to 4 as "version 4" (likely this is CURL_SSLVERSION_TLSv1_0). The correct value is CURL_SSLVERSION_SSLv3.
Question has nothing to do with PHP.
2

To Rudi: Thanks for the hint, that tells me a hell of a lot of info.

Somehow the admin of the secured page "refreshes" the state of certifications every day. So although I got blocked from accessing it yesterday, it generously lets me grab another certificate and add it to the exception list of Firefox.

So everything is working, and I really learned something from yesterday's experience.

Comments

2

You can use the --tlsv1 option to solve the issue in case the curl version is below 7.34.

 curl -I --tlsv1 https://9.185.173.135

1 Comment

Use newer curl version and it works.
1

In my case, on an AIX VM, I also had this problem; use --cacert to specify a cacert.pem:

curl --cacert /var/ssl/cacert.pem https://localhost:3000

1 Comment

Works also on a classic environment (Windows 10 / Apache). You saved me hours of research!
0

I got the same error when running curl/httpie against a Tomcat server on my localhost deployed from Eclipse. It turns out that the default server.xml deployed by Eclipse disables https. Specifically, the section below is commented out in server.xml.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

After uncommenting it and adding the two keystore parameters, the curl command starts working (with the --insecure option if the certificate is self-signed).

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/your/keystore"
           keystorePass="yourpass" />

Comments

0

I have some solutions that fixed the issue for me:

1] try updating your curl/php/apache [ yum update ]

2] restart apache

Those worked for me!

Comments

0

I had the same error after updating my SSL certificate on the target SSL site. My source OS was CentOS 6 and updating to a new curl version solved it.

*Note: I was already using curl -k (the insecure option) but I would still get that error. Essentially this error is caused by nss or openssl being out of date.

yum -y install curl nss openssl

Remember, if you have a web application like PHP calling curl, you will need to restart Apache to make the update take effect.

I've updated based on this guide: http://realtechtalk.com/curl_35_Unknown_SSL_protocol_error_in_connection_Solution_Centos-1988-articles

Comments

0

I had a similar issue:

 curl https://localhost:3000
 ...
 curl: (35) Unknown SSL protocol error in connection to localhost:-9847

(not sure where that number -9847 came from since I requested port 3000)

Fix: turns out my server on port 3000 was running "http", not "https". Go figure.

Comments
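
A way to tell the causes in these answers apart before changing client flags, as an added example (not code from any of the posts): it sends one real ClientHello over a raw socket and classifies the first bytes of the reply. The function names and reply labels are made up for this sketch.

```python
import socket
import ssl

def client_hello(server_name: str) -> bytes:
    """Have the ssl module build a genuine ClientHello in memory (no network I/O)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(
        incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's answer
    return outgoing.read()

def classify_reply(data: bytes) -> str:
    """Label the first bytes a server sent back after our ClientHello."""
    if not data:
        return "no-reply"        # closed or silent: nothing TLS-capable answered
    if data[:5] == b"HTTP/":
        return "plain-http"      # the port serves HTTP, not HTTPS
    if len(data) >= 3 and data[1] == 0x03 and data[0] in (0x15, 0x16):
        # TLS record header: content type, then protocol major version 3
        return "tls-alert" if data[0] == 0x15 else "tls-handshake"
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send one ClientHello to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        try:
            reply = sock.recv(16)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_reply(reply)

if __name__ == "__main__":
    # Constructed sample replies, not captured from any real server.
    samples = {
        "ServerHello record": b"\x16\x03\x03\x00\x5a\x02",
        "fatal alert record": b"\x15\x03\x01\x00\x02\x02\x28",
        "HTTP answer on the TLS port": b"HTTP/1.1 400 Bad Request\r\n",
    }
    for name, raw in samples.items():
        print(f"{name}: {classify_reply(raw)}")
```

A `plain-http` result is the last answer's situation; `tls-alert` means the server speaks TLS but refused this hello, which is where the version-related answers apply, and `tls-handshake` means the TLS layer answers and the problem is more likely certificate trust.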
