OpenSSL SSL_connect Connection was reset in connection to 127.0.0.1:664 Marked for [closure] Failed HTTPS connection #6466
-
What does it show after the client hello? Does the server send an alert or anything at all?
-
Hi @jay
Here is the screenshot of the Wireshark capture of the server reset response. Both screenshots are for the failure case itself:
Failure case 1: Client and Server on the same system and using IP 127.0.0.1 for connection.
Failure case 2: Client and Server on different systems.
Failure Client hello wireshark log (Current server - Curl client):
Success Client Hello (future server - Curl client):
Success Client Hello Wireshark log (WinHTTP client):
-
This is likely not a curl issue. Compare that ClientHello against one of the successful ones. The only thing unusual that I notice is no SNI (server_name) extension is sent.
-
Hi @jay
One of the main differences I can see is that the success extensions are shorter in length. But I don't know which extension is the key differentiator that will enable a connection using Curl.
Is there some table I can refer to while using libcurl code to pick and choose which extensions to enable in Client Hello corresponding to curlopt flag, so that I can make a custom Client Hello with just the required set of extensions?
Success Extensions (using WinHTTP for connection):
Failure extensions (Using Curl for connection):
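The ClientHello comparison discussed in the comments above can also be done on the raw handshake bytes rather than by eye. The following is an added example, not code from this thread or from curl: `parse_client_hello`, `diff_hellos` and the two sample records `HELLO_A` and `HELLO_B` are this example's own names, and the records are constructed, not the captures posted here.

```python
# Subset of the IANA TLS code points needed to label the samples below.
EXT = {0: "server_name", 10: "supported_groups", 13: "signature_algorithms",
       43: "supported_versions", 51: "key_share"}
SUITE = {0x002F: "AES128-SHA", 0x1301: "TLS_AES_128_GCM_SHA256",
         0x1302: "TLS_AES_256_GCM_SHA384"}
VER = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def _vec(buf, pos, width):
    """Read a vector with a width-byte length prefix; return (data, next_pos)."""
    n, start = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    if start + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[start:start + n], start + n

def _u16s(data):  # split a byte string into big-endian 16-bit values
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data) - 1, 2)]

def parse_client_hello(record):
    """Summarise one TLS record that carries a complete ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body, _ = _vec(record, 6, 3)        # handshake body after its 24-bit length
    _, pos = _vec(body, 34, 1)          # session_id follows version + 32-byte random
    suites, pos = _vec(body, pos, 2)
    _, pos = _vec(body, pos, 1)         # compression methods
    exts, p = {}, 0
    block = _vec(body, pos, 2)[0] if pos < len(body) else b""   # extensions are optional
    while p < len(block):
        etype = int.from_bytes(block[p:p + 2], "big")
        exts[etype], p = _vec(block, p + 2, 2)
    # supported_versions, when present, replaces legacy_version (RFC 8446).
    versions = _u16s(exts[43][1:]) if 43 in exts else _u16s(body[:2])
    return {"versions": [VER.get(v, hex(v)) for v in versions],
            "suites": [SUITE.get(s, hex(s)) for s in _u16s(suites)],
            "extensions": [EXT.get(t, str(t)) for t in exts]}

def diff_hellos(a, b):
    """Per field, return (offered only by a, offered only by b)."""
    pa, pb = parse_client_hello(a), parse_client_hello(b)
    return {k: ([x for x in pa[k] if x not in pb[k]],
                [x for x in pb[k] if x not in pa[k]]) for k in pa}

# Two constructed ClientHello records (sample input, not the thread's captures).
_HEAD = "0303" + "00" * 33             # legacy_version, zero random, empty session_id
HELLO_A = bytes.fromhex("160301004c01000048" + _HEAD + "0002002f0100001d"
                        "00000011000f00000c6578616d706c652e74657374000d000400020401")
HELLO_B = bytes.fromhex("160301004a01000046" + _HEAD + "000613021301002f01000017"
                        "002b00050403040303003300020000000d000400020401")
```

To run it on a real capture, copy the TLS record from Wireshark as a hex stream and pass `bytes.fromhex(...)` of it to `diff_hellos`.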
-
Hi @jay. Thanks. We have concluded that the cipher "AES128-SHA" only supports TLS 1.2. For TLS 1.3 we have asked the server implementation team to add new ciphers.
-
I don't know if this is related, but I see a very similar issue with a very similar problem in the client hello:
-
I have 2 Curl Verbose logs. Both logs are with the same libCurl client (7.74). The differences are as follows:
Our Curl based client side code looks similar to: https://github.com/Openwsman/openwsman/blob/master/src/lib/wsman-curl-client-transport.c
And WinHTTP based client side code looks similar to: https://github.com/Openwsman/openwsman/blob/master/src/lib/wsman-win-client-transport.c
Note: I can share specific sections of Wireshark log if required, but I don't know if that will help.
We used to support our client with WinHTTP in the past. With our WinHTTP based client application the server application is working with current production server application as well as the one that will be in production in the future. We switched over to Curl because Curl supports OpenSSL with TLS 1.3 support.
When we run HTTP based query it does not have any problem - client works with old and new server application. But in HTTPS I am facing this issue.
I have captured Verbose log just in case someone knows how to analyze these logs and help us resolve our problem. We want to change our client code so that it too works for the currently deployed server application.
I would appreciate any clue as to how to resolve this issue.
My environment:
OS: Windows 10
Curl Version: 7.74 (libcurl)
Mode: Build from source using VS project 2017
TLS Backend: OpenSSL 1.1.1i
Curl usage: As part of Client application
Success log (with WinHTTP):
Failure Log (with Curl):
Few things I have tried:
curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "TLSv1");
- Same error seen
curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "AES128-SHA");
- Same error seen