Tuesday, December 12, 2023

Curl Error (35) SSL connect error

According to the libCurl error documentation (https://curl.se/libcurl/c/libcurl-errors.html), almost all "easy" interface functions return a CURLcode error code. On an HTTPS request you may encounter the message "curl error 35, SSL connect error", which corresponds to the error code:

CURLE_SSL_CONNECT_ERROR (35)

A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.


Triage Steps:

  1. Check Error Messages:

    • Look at the error messages provided by libCurl or the programming language (C++/Python). These messages often contain valuable information about the SSL error.
  2. Verify SSL Library Version:

    • Ensure that the version of libCurl you are using supports the SSL/TLS version required by the server. Sometimes, the server might require a specific SSL/TLS version that your libCurl version doesn't support.
  3. Check SSL Certificate:

    • Verify that the SSL certificate of the server is valid and not expired. You can use tools like OpenSSL to check the server's SSL certificate.
  4. Verify URL and Port:

    • Double-check the URL and port you are connecting to. Ensure that you are using the correct protocol (e.g., https:// for SSL/TLS).

Troubleshooting Steps:

  1. Enable libCurl Debug Output:

    • Set the CURLOPT_VERBOSE option to true in libCurl. This will provide detailed information about the SSL handshake process and errors.

      curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
  2. Check for CA Certificates:

    • Ensure that your libCurl installation includes the necessary CA certificates. Some systems require you to have the CA certificates bundle for SSL verification.
  3. Update libCurl:

    • Make sure you are using an up-to-date version of libCurl. SSL libraries and protocols are regularly updated, and using an outdated version might cause compatibility issues.
  4. Check Server Configuration:

    • Verify the SSL/TLS configuration on the server. It might be configured to use a specific cipher suite or protocol version that your client does not support.
  5. Inspect Network Traffic:

    • Use a tool like Wireshark to inspect the network traffic between your client and the server. This can help identify any issues during the SSL handshake.
    • One of the most common causes is a firewall that intercepts requests from the clients, so the server never receives the TLS handshake.
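
Added example (not from the original post or from the libCurl project): a small C helper that maps the text libCurl leaves in the error buffer to the triage and troubleshooting steps above. The substrings are assumed heuristics for OpenSSL-backed builds, the sample messages are constructed, and `triage_ssl_connect_error` and the `HINT_*` names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Triage buckets named after this page's steps (identifiers are hypothetical). */
enum tls_hint { HINT_NOT_ERROR_35, HINT_URL_OR_PORT, HINT_TLS_VERSION,
                HINT_SERVER_CONFIG, HINT_MIDDLEBOX, HINT_NEED_VERBOSE };

struct rule { const char *needle; enum tls_hint hint; };

/* Assumed heuristics: substrings typical of an OpenSSL-backed build.
 * Other TLS backends word their messages differently. */
static const struct rule RULES[] = {
    { "wrong version number",    HINT_URL_OR_PORT   }, /* peer did not speak TLS */
    { "alert protocol version",  HINT_TLS_VERSION   }, /* offered version refused */
    { "alert handshake failure", HINT_SERVER_CONFIG }, /* e.g. no shared cipher */
    { "SSL_ERROR_SYSCALL",       HINT_MIDDLEBOX     }, /* connection cut mid-handshake */
    { "Connection reset",        HINT_MIDDLEBOX     },
};

/* code:   return value of curl_easy_perform()
 * errbuf: buffer registered with CURLOPT_ERRORBUFFER before the transfer */
enum tls_hint triage_ssl_connect_error(int code, const char *errbuf)
{
    if (code != 35)                       /* 35 == CURLE_SSL_CONNECT_ERROR */
        return HINT_NOT_ERROR_35;
    if (errbuf == NULL || errbuf[0] == '\0')
        return HINT_NEED_VERBOSE;         /* no detail: rerun with CURLOPT_VERBOSE */
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (strstr(errbuf, RULES[i].needle) != NULL)
            return RULES[i].hint;
    return HINT_NEED_VERBOSE;
}

int main(void)
{
    /* Constructed sample messages, not captured from a real transfer. */
    const char *samples[] = {
        "error:1408F10B:SSL routines:ssl3_get_record:wrong version number",
        "error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version",
        "OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.test:443",
    };
    static const char *names[] = { "not error 35", "check URL and port",
        "check TLS version", "check server configuration",
        "inspect network path", "enable verbose output" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s <- %s\n", names[triage_ssl_connect_error(35, samples[i])], samples[i]);
    return 0;
}
```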

Resolving the Issue:

  1. Update SSL Libraries:

    • Ensure that you have the latest version of SSL libraries (such as OpenSSL) installed on your system. Some SSL-related issues can be resolved by updating these libraries.
  2. Install CA Certificates:

    • If your libCurl installation does not include CA certificates, download and install them. You can usually find a CA certificates bundle from the libCurl website or your operating system's package manager.
  3. Set SSL Version:

    • If the server requires a specific SSL/TLS version, set the CURLOPT_SSLVERSION option in libCurl to the desired version.

      curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
      
  4. Disable SSL Verification (Temporarily):

    • As a last resort, you can disable SSL certificate verification to see if the issue is related to the certificate. However, this should be done cautiously: with verification off, the server's identity is no longer checked, which exposes the connection to man-in-the-middle attacks.

      curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
      


Remember that disabling SSL verification should only be done for troubleshooting purposes and is not recommended for production code.

By following these steps, you should be able to identify and resolve SSL-related issues with libCurl in C++ or Python. If the problem persists, the detailed error messages and debug output should provide more specific information for further investigation.






