How to compile Curl with legacy SSL support on Ubuntu?

痴心易碎 submitted on 2019-12-20 04:23:12

Question


I have the following error, when attempting to connect to an old HTTPS-enabled web site using Curl:

curl https://10.11.1.44
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

More verbosely:

* Expire in 0 ms for 6 (transfer 0x55a4192abdd0)
*   Trying 10.11.1.44...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55a4192abdd0)
* Connected to 10.11.1.44 (10.11.1.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

If I try to use the --ssl2 or --ssl3 options, I get the following error:

root@kali:~# curl https://10.11.1.44/ --sslv2
curl: (4) OpenSSL was built without SSLv2 support
root@kali:~# curl https://10.11.1.44/ --sslv3
curl: (4) OpenSSL was built without SSLv3 support

I've consulted the following page for how to build Curl with SSL2/3 support, but I'm not sure how to enable it?

https://curl.haxx.se/docs/install.html

Any ideas?


Answer 1:


you'll need to compile both curl and your ssl backend from source, obviously you'll need a C compiler, and probably more stuff but idk what, hopefully this should cover it:

sudo apt-get install gcc build-essential make cmake autoconf git automake libtool

this can probably be done with several ssl backends, but since i'm most familiar with OpenSSL, i'll proceed with OpenSSL, to build openssl go to the openssl repo at https://github.com/openssl/openssl and find an appropriate openssl version, in this example i chose version 1.1.1c (which is the latest stable openssl release as of writing),

git clone -b 'OpenSSL_1_1_1c' --single-branch --depth 1 https://github.com/openssl/openssl
cd openssl
./config no-shared enable-ssl2 enable-ssl3 enable-ssl3-method
make -j $(nproc)

(the last step may take a while) but openSSL's build script does not create a lib folder, but curl's build script expects the lib files to be in a lib folder inside the openssl folder, so after the make, run

mkdir lib
cp *.a lib;

once that's done, it's time to make curl, so cd .. out of there and clone a recent version of curl, in this example i use curl 7.65.0 (latest curl release as of writing),

git clone -b 'curl-7_65_0' --single-branch --depth 1 https://github.com/curl/curl.git
cd curl
./buildconf
LDFLAGS="-static" ./configure --with-ssl=$(realpath ../openssl) --disable-shared  --enable-static
make -j $(nproc)

(if you wonder why i used realpath: there appears to be a bug in curl's buildscript that makes it fail if you supply a relative path, so an absolute path is required, it seems. if you wonder why i made a static build aka --disable-shared --enable-static, you may have a different libopenssl library in your $PATH, so to avoid a conflict with ubuntu's built-in libopenssl, a static build is safer.)

and finally,

/temp2/curl# ./src/curl --sslv3 https://google.com
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

(because https://google.com no longer supports sslv3, at all.)
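
Added example (not part of the original question or answer, and not curl's own code): the three failures quoted on this page have different causes, and this shell function tells them apart from curl's stderr or -v output. The function name and the verdict labels are made up for illustration; the sample lines are copied from the outputs quoted above.

```shell
#!/bin/sh
# Classify a failed curl TLS handshake. Reads the log on stdin, prints one verdict:
#   build-lacks-protocol  the linked OpenSSL has no support for the requested SSL version
#   client-rejected       the local OpenSSL refused the version the server selected
#   server-rejected       the server answered with a protocol_version alert
#   unknown               none of the known messages were seen
classify_tls_failure() {
    verdict=unknown
    while IFS= read -r line; do
        case $line in
            *"OpenSSL was built without SSLv"*" support"*)
                # curl error 4: the feature is missing from this build
                verdict=build-lacks-protocol
                break ;;
            *"(OUT), TLS alert, protocol version"*|\
            *"ssl_choose_client_version:unsupported protocol"*)
                # the alert was sent by the client after the Server hello
                verdict=client-rejected ;;
            *"(IN), TLS alert, protocol version"*|\
            *"ssl3_read_bytes:"*"alert protocol version"*)
                # the alert was read from the peer; keep an earlier client verdict
                if [ "$verdict" = unknown ]; then verdict=server-rejected; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Sample input: lines from the verbose trace in the question.
sample_question_trace() {
    cat <<'EOF'
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
EOF
}
# Sample input: the error from the answer's final run and from the --sslv3 attempt.
sample_answer_error='curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version'
sample_build_error='curl: (4) OpenSSL was built without SSLv3 support'

sample_question_trace | classify_tls_failure                 # client-rejected
printf '%s\n' "$sample_answer_error" | classify_tls_failure  # server-rejected
printf '%s\n' "$sample_build_error" | classify_tls_failure   # build-lacks-protocol
```

Only the build-lacks-protocol case is addressed by rebuilding curl against a different OpenSSL; the other two verdicts say which side of the connection turned the protocol version down.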



Source: https://stackoverflow.com/questions/56377171/how-to-compile-curl-with-legacy-ssl-support-on-ubuntu
