curl: (35) error:1408f10b:ssl routines:ssl3_get_record:wrong version number

30-12-2024

The dreaded "curl: (35) error: 1408f10b: SSL routines: SSL3_GET_RECORD: wrong version number" message often leaves developers scratching their heads. This comprehensive guide will help you understand the root causes and provide effective solutions for this frustrating SSL/TLS handshake error.

Understanding the Error

The error message "curl: (35) error: 1408f10b: SSL routines: SSL3_GET_RECORD: wrong version number" indicates a mismatch between the SSL/TLS protocols supported by your system (typically through curl) and the server you're trying to connect to. Essentially, your client and the server can't agree on a secure communication method. This usually points to incompatibility between the cipher suites offered by the server and those allowed by your curl configuration or operating system.

Common Causes

Several factors can contribute to this error:

  • Outdated OpenSSL: The OpenSSL library is crucial for handling SSL/TLS connections. An outdated version might lack support for the protocols used by the server.
  • Server-Side Issues: The server itself might have misconfigurations, such as outdated or unsupported SSL/TLS protocols or cipher suites. This is often outside your direct control.
  • Firewall or Proxy Interference: Network security measures, like firewalls or proxies, might be intercepting or modifying the SSL/TLS handshake.
  • Incorrect Certificate: A problem with the server's SSL certificate can sometimes cause this error, though it's less frequent than the other causes.
  • System Time Issues: An incorrect system time can interfere with certificate validation, indirectly causing this error.
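
OpenSSL reports "wrong version number" when the version field of the 5-byte record header it has just read does not carry a TLS version, which is what a cleartext reply (plain HTTP on the target port, or a proxy answering without TLS) looks like to the client. The following is an added example, not code from this guide or from curl or OpenSSL; it parses that header for three constructed byte strings, and the function name and sample bytes are assumptions.

```python
import struct

# TLS record header (RFC 8446 section 5.1): content type (1 byte),
# version (2 bytes), payload length (2 bytes).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# TLS 1.3 also writes 0x0303 in the record header.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2/1.3"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}
# Cleartext greetings that commonly sit behind this error.
CLEARTEXT = ((b"HTTP/", "cleartext HTTP reply: plain-HTTP port or proxy"),
             (b"SSH-", "SSH banner: wrong port"),
             (b"220", "SMTP/FTP greeting: service expects STARTTLS"))


def classify_first_bytes(data: bytes) -> dict:
    """Describe how a TLS client interprets the first bytes from a peer."""
    if len(data) < 5:
        return {"kind": "short", "detail": "no complete 5-byte record header"}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if version >> 8 == 3 and ctype in CONTENT_TYPES:
        info = {"kind": "tls", "type": CONTENT_TYPES[ctype],
                "version": VERSIONS.get(version, f"0x{version:04x}"),
                "length": length}
        if ctype == 21 and len(data) >= 7:
            # Unencrypted alert: level byte, then description byte.
            info["alert"] = ALERTS.get(data[6], str(data[6]))
        return info
    detail = "unrecognised bytes"
    for prefix, why in CLEARTEXT:
        if data.startswith(prefix):
            detail = why
            break
    # This is the case that surfaces as "wrong version number".
    return {"kind": "not_tls", "version_field": f"0x{version:04x}",
            "detail": detail}


# Constructed sample inputs (not captured from a real server).
SAMPLES = {
    "server_hello": bytes.fromhex("160303007a"),
    "version_alert": bytes.fromhex("15030300020246"),
    "http_reply": b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_first_bytes(raw))
```

A server that rejects the offered protocol version typically answers with a well-formed alert record, as in the second sample, whereas the cleartext reply yields a version field of 0x5454 (the letters "TT" of "HTTP").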

Troubleshooting Steps

Let's tackle how to resolve this error systematically:

1. Check Your OpenSSL Version

First, determine your OpenSSL version:

openssl version

If the version is significantly outdated, update it. The method for updating OpenSSL varies depending on your operating system:

  • Linux (Debian/Ubuntu): sudo apt update && sudo apt upgrade libssl-dev
  • Linux (Red Hat/CentOS/Fedora): sudo yum update openssl
  • macOS (using Homebrew): brew update && brew upgrade openssl
  • Windows: You might need to reinstall your entire OpenSSL package or consider using a more recent version.

2. Verify Server-Side Configuration (If Possible)

If you control the server, check its SSL/TLS configuration. Ensure it supports modern protocols like TLS 1.2 or TLS 1.3. Older protocols (like SSLv3) are highly insecure and should be disabled. You might need to adjust your server's configuration files (e.g., nginx.conf, httpd.conf).

If you don't control the server, contact the server administrator to report the issue and see if they can provide assistance.

3. Check Your System's Time

An incorrect system clock can lead to certificate validation problems. Ensure your system's time is synchronized with an accurate time server:

timedatectl set-ntp true  # For systemd-based systems

Other operating systems will have similar commands for synchronizing time (e.g., using ntpdate on older systems).

4. Bypass Proxies and Firewalls (Temporarily)

Temporarily disable any proxies or firewalls to rule them out as potential culprits. This is often done for testing purposes; don't leave proxies or firewalls disabled in production.

5. Use curl's SSL Options

curl offers several options to control SSL/TLS behavior:

  • --tlsv1.2 or --tlsv1.3: Force curl to use a specific TLS version. Try these if you suspect a protocol mismatch:
curl --tlsv1.2 https://www.example.com
curl --tlsv1.3 https://www.example.com
  • --cacert <path/to/ca-certificate>: Specify a CA certificate bundle if you're encountering certificate verification issues.

  • --sslv3: (Generally avoid) Attempting to use SSLv3 is highly discouraged due to its known security vulnerabilities.

6. Inspect the Server's Certificate

Use openssl s_client to examine the server's certificate details and cipher suite offerings:

openssl s_client -connect example.com:443

Look for potential issues with the certificate itself or unsupported cipher suites.

7. Consider Using a Different Tool

If none of the above works, try using a different tool like wget or a web browser to see if the problem is specific to curl or a more widespread issue with connectivity to the server.

Conclusion

The "curl: (35) error: 1408f10b" error can be frustrating, but by systematically checking the above points, you can significantly increase your chances of resolving the issue. Remember to prioritize security and always keep your OpenSSL library updated. If the problem persists after trying these steps, further investigation into your network configuration or contacting the server administrator might be necessary.
