How to compile Curl with legacy SSL support on Ubuntu?

粉色の甜心 2020-12-21 00:37

I have the following error, when attempting to connect to an old HTTPS-enabled web site using Curl:

curl https://10.11.1.44
curl: (35) error:1425F102:SSL rou         


        
2 Answers
  • 2020-12-21 01:07

    The error "protocol version (582)" means the server supports max TLSv1.0.

    TLSv1.0 is deprecated and disabled in the latest distros (e.g. Ubuntu 19+, Debian Buster+).

    Specifying the --tlsv1.0 curl argument won't help, as the protocols are disabled in OpenSSL.

    Either upgrade the server to which you're connecting (preferred),

    ... or enable TLSv1.0 in /etc/openssl.cnf:

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2
    

    change to

    [system_default_sect]
    MinProtocol = TLSv1.0
    CipherString = DEFAULT@SECLEVEL=1
    

    Note: SECLEVEL=1 enables SHA-1 and allows the RSA key to be less than 2048 bits (will probably be needed to connect to old servers).

    (no need to recompile anything)

    0 Discussion (0)
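
A narrower variant of the config change described in the answer above, as an added example that is not part of the original answers: it puts the relaxed settings in a throwaway file and applies them to a single curl invocation through `OPENSSL_CONF`, and it includes a check that reports whether a given config lowers the floor. It assumes curl is linked against OpenSSL; the function names are hypothetical, and `TLSv1` is the name OpenSSL's config parser uses for TLS 1.0.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumes curl is linked
# against OpenSSL, which reads the config file named by OPENSSL_CONF.

# Write a minimal config holding only the relaxed settings.
# "TLSv1" is OpenSSL's protocol name for TLS 1.0.
write_legacy_conf() {
    cat > "$1" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
EOF
}

# Print the value of KEY inside [system_default_sect] of FILE.
conf_get() {
    awk -F= -v key="$2" '
        /^[ \t]*\[/ { in_sect = ($0 ~ /\[[ \t]*system_default_sect[ \t]*\]/); next }
        in_sect && ($1 ~ ("^[ \t]*" key "[ \t]*$")) {
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val; exit
        }' "$1"
}

# Succeed (exit 0) if FILE lowers the floor below TLSv1.2 / SECLEVEL=2.
is_weakened() {
    proto=$(conf_get "$1" MinProtocol)
    level=$(conf_get "$1" CipherString | sed -n 's/.*@SECLEVEL=\([0-9]\).*/\1/p')
    case "$proto" in ""|TLSv1.2|TLSv1.3) ;; *) return 0 ;; esac
    [ -n "$level" ] && [ "$level" -lt 2 ]
}

# Run one curl command under the relaxed config; everything else on the
# host keeps the distribution defaults.
legacy_curl() {
    conf=$(mktemp) || return 1
    write_legacy_conf "$conf"
    OPENSSL_CONF="$conf" curl "$@"; rc=$?
    rm -f "$conf"
    return "$rc"
}
```

Calling `legacy_curl https://10.11.1.44` leaves the system-wide file untouched, and `is_weakened` can be pointed at the system-wide config later to confirm that no relaxed setting was left behind there.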
  • 2020-12-21 01:09

    you'll need to compile both curl and your ssl backend from source, obviously you'll need a C compiler, and probably more stuff but idk what, hopefully this should cover it:

    sudo apt-get install gcc build-essential make cmake autoconf git automake libtool
    

    this can probably be done with several ssl backends, but since i'm most familiar with OpenSSL, i'll proceed with OpenSSL, to build openssl go to the openssl repo at https://github.com/openssl/openssl and find an appropriate openssl version, in this example i chose version 1.1.1c (which is the latest stable openssl release as of writing),

    git clone -b 'OpenSSL_1_1_1c' --single-branch --depth 1 https://github.com/openssl/openssl
    cd openssl
    ./config no-shared enable-ssl2 enable-ssl3 enable-ssl3-method
    make -j $(nproc)
    

    (the last step may take a while) but OpenSSL's build script does not create a lib folder, but curl's build script expects the lib files to be in a lib folder inside the openssl folder, so after the make, run

    mkdir lib
    cp *.a lib;
    

    once that's done, it's time to make curl, so cd .. out of there and clone a recent version of curl, in this example i use curl 7.65.0 (latest curl release as of writing),

    git clone -b 'curl-7_65_0' --single-branch --depth 1 https://github.com/curl/curl.git
    cd curl
    ./buildconf
    LDFLAGS="-static" ./configure --with-ssl=$(realpath ../openssl) --disable-shared  --enable-static
    make -j $(nproc)
    

    (if you wonder why i used realpath: there appears to be a bug in curl's buildscript that makes it fail if you supply a relative path, so an absolute path is required, it seems. if you wonder why i made a static build aka --disable-shared --enable-static, you may have a different libopenssl library in your $PATH, so to avoid a conflict with ubuntu's built-in libopenssl, a static build is safer.)

    and finally,

    /temp2/curl# ./src/curl --sslv3 https://google.com
    curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
    

    (because https://google.com no longer supports sslv3, at all.)

    update: TL;DR steps for somewhat newer versions of curl+openssl:

    git clone -b 'OpenSSL_1_1_1g' --single-branch --depth 1 https://github.com/openssl/openssl
    cd openssl
    ./config no-shared enable-ssl2 enable-ssl3 enable-ssl3-method
    make -j $(nproc)
    mkdir lib
    cp *.a lib;
    cd ..
    git clone -b 'curl-7_71_1' --single-branch --depth 1 https://github.com/curl/curl.git
    cd curl
    ./buildconf
    LDFLAGS="-static" ./configure --with-ssl=$(realpath ../openssl) --disable-shared  --enable-static
    make -j $(nproc)
    ./src/curl --sslv3 https://google.com
    
    0 Discussion (0)