42

I'm trying to curl an HTTPS website in the following way:

$ curl -v https://thepiratebay.se/

However it fails with the error:

* About to connect() to thepiratebay.se port 443 (#0)
*   Trying 173.245.61.146...
* connected
* Connected to thepiratebay.se (173.245.61.146) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection #0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Using -k/--insecure or adding insecure to my ~/.curlrc doesn't make any difference.

How do I ignore or force the certificate using curl command line?


When using wget, it seems to work fine. It also works when testing with openssl as below:

$ openssl s_client -connect thepiratebay.se:443
CONNECTED(00000003)
SSL handshake has read 2651 bytes and written 456 bytes
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA

I've:

$ curl --version
curl 7.28.1 (x86_64-apple-darwin10.8.0) libcurl/7.28.1 OpenSSL/0.9.8| zlib/1.2.5 libidn/1.17
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz 
kenorb
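The hex code in curl's error line can be decoded to show which side ended the handshake. This is an added example, not part of the original post; it assumes the error-code packing used by OpenSSL releases before 3.0, the function names are hypothetical, and the second sample line is constructed for contrast.

```shell
#!/bin/sh
# Decode the packed error code that OpenSSL < 3.0 prints as "error:XXXXXXXX:".
# Layout: library = bits 24-31, function = bits 12-23, reason = bits 0-11.

# Print the 8-hex-digit code found in a curl/OpenSSL error line (empty if none).
extract_code() {
    printf '%s\n' "$1" | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p'
}

# decode_field CODE lib|func|reason -> decimal value of that field.
decode_field() {
    case $1 in ''|*[!0-9A-Fa-f]*) return 1 ;; esac   # hex digits only
    packed=$((0x$1))
    case $2 in
        lib)    echo $(( (packed >> 24) & 0xff )) ;;
        func)   echo $(( (packed >> 12) & 0xfff )) ;;
        reason) echo $(( packed & 0xfff )) ;;
        *)      return 1 ;;
    esac
}

# TLS alert description numbers (subset) as defined by the TLS RFCs.
alert_name() {
    case $1 in
        40)  echo handshake_failure ;;
        42)  echo bad_certificate ;;
        48)  echo unknown_ca ;;
        70)  echo protocol_version ;;
        112) echo unrecognized_name ;;
        *)   echo "alert_$1" ;;
    esac
}

# In the SSL library (lib 20) a reason above 1000 means "alert received from
# the peer": reason = 1000 + alert number. Anything else was raised locally.
classify() {
    hex=$(extract_code "$1")
    [ -n "$hex" ] || { echo "no-openssl-error"; return 1; }
    lib=$(decode_field "$hex" lib)
    reason=$(decode_field "$hex" reason)
    if [ "$lib" -eq 20 ] && [ "$reason" -gt 1000 ]; then
        echo "peer-alert:$(alert_name $((reason - 1000)))"
    else
        echo "local-error:lib=$lib,reason=$reason"
    fi
}

# Line taken from the question, then a constructed certificate-verification line.
classify 'curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'
classify 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
```

A `peer-alert` result means the server ended the handshake itself, so client-side verification options such as -k cannot change the outcome. A `local-error` with reason 134 is the certificate-verification failure that -k does bypass.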

3 Answers

28

Some sites disable support for SSL 3.0 (possibly because of many exploits/vulnerabilities), so it's possible to force a specific SSL version with either -2/--sslv2 or -3/--sslv3. Also, -L is worth a try if the requested page has moved to a different location.

In my case it was a curl bug (found in OpenSSL), so curl needed to be upgraded to the latest version (>7.40) and it worked fine.

See also:

kenorb
6

Starting with Mavericks, Apple switched the TLS/SSL engine from OpenSSL to their own Secure Transport engine in the Apple-distributed cURL binary, which breaks client certificate usage. Use the cURL binary from homebrew:

brew install curl
brew link curl --force
Pablo
Arul
    `brew link curl --force` no longer works; you must put `export PATH="$(brew --prefix curl)/bin:$PATH"` in your .bash_profile instead. – Lars Nyström Mar 07 '19 at 13:28
0

I had this error when I was sending a wrong host header.

I was developing a proxy from http://127.0.0.1:12345 to https://site.com:443, so I was sending the request headers as-is, as they came from the browser, and there was a host:127.0.0.1:12345 header. I deleted the host header that came from the browser to solve the problem.

Shimon Doodkin