Running curl with OpenSSL 0.9.8 against OpenSSL 1.0.0 server causes handshake error?

Question

If I run curl against a machine that is running OpenSSL 1.0.0e for example:

curl -v https://shumaker.flexrentalsolutions.com

on a machine t

Answer 1

Now due to the POODLE vulnerability many sites are now disabling SSL 3.0

You should use TLS like this :

curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1)

If you still have error (for Apache) check if your vhost get the correct setting ServerName

Answer 2

If you set the openssl version in the protocol, it works:

For the command line:

curl -v -3 https://shumaker.flexrentalsolutions.com

If in php:

curl_setopt($ch, CURLOPT_SSLVERSION,3);

Answer 3

This isn't a good solution, but it's better than wheel spinning, so I'm going to add it here as an answer:

Use the GnuTLS module instead of mod_ssl, if you can. It's not bound to OpenSSL, so this horrible, day-wasting problem is neatly sidestepped.

Answer 4

This is an (OpenSSL) bug that's still open. Details have been posted in this curl bug report.

Further details was posted to OpenSSL-dev by "mancha".

Answer 5

I have this issue on OS X using brew on some https servers, brew uses curl internally. Note this is only on OS X 10.7.5, which is stuck on OpenSSL/0.9.8r. I would upgrade but apple don't support > 10.7 on this iMac!

My fix was to upgrade curl with brew, which ups the version to 1.0.2f, luckily the brew install of curl doesn't

brew install curl