Unknown SSL protocol error in connection to rs.rustup.rs #179

Closed
lenaschoenburg opened this issue Mar 28, 2016 · 14 comments

@lenaschoenburg

When trying to run curl https://sh.rustup.rs -sSf | sh as taken from the website, curl errors with curl: (35) Unknown SSL protocol error in connection to sh.rustup.rs:443

$ curl -V
curl 7.37.1 (x86_64-apple-darwin14.0.0) libcurl/7.37.1 OpenSSL/0.9.8} zlib/1.2.5 libidn/1.26
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz

Same error for https://www.rustup.rs but not for https://static.rust-lang.org/rustup.sh

lenaschoenburg changed the title from "Unknown SSL protocol error in connection to www.rustup.rs" to "Unknown SSL protocol error in connection to rs.rustup.rs" on Mar 28, 2016

@brson
Contributor

brson commented Mar 29, 2016

This is likely connected to our use of Let's Encrypt for certs on this site.

@brson
Contributor

brson commented Mar 29, 2016

This is probably caused by an old version of curl trying to establish an SSLv3 connection, which is disabled as insecure on our server. I wonder if there's some other utility on these older macs that we can fall back to.

Actually, short of using insecure SSL revisions there's probably nothing we can do here. We can't know ahead of time the user has an old curl. If there was some alternative to curl available on all macs we could use it unconditionally, but I can't imagine there's a better curl just sitting around waiting for us to discover it.

@brson
Contributor

brson commented Mar 29, 2016

Our backend could possibly look at the request header to detect old curls and return a custom error.

@simonrw

simonrw commented Jun 3, 2016

I don't think it's the version of curl that's the problem - I have the same issue on SLES11 with a fresh curl version 7.49.1. I would imagine it's a problem with openssl rather than curl itself?

@ereichert

I think I just ran into this same thing on a CentOS 6.7 box.

curl https://sh.rustup.rs -sSf | sh
curl: (35) SSL connect error

Update curl:

curl --version
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Same result.

@Boscop

Boscop commented Oct 27, 2016

I get the same error.
curl 7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.0e zlib/1.2.5 c-ares/1.7.5 libidn/1.22 libssh2/1.2.9

What should I do?
Is https://static.rust-lang.org/rustup.sh the same as https://sh.rustup.rs ?

@simonrw

simonrw commented Oct 27, 2016

I found a workaround, which I'm sorry I should have posted when I found it. I downloaded the mozilla ca-certificates bundle from the curl website to a location on disk, then set the SSL_CERT_FILE environment variable pointing to this file location.

I am not a security expert and have no idea if this is a good idea, but I've seen bundled certificate files before e.g. with conda and requests which suggests it's an ok practice. Also I downloaded the certificate using curl from the curl page over https.

@Boscop

Boscop commented Oct 27, 2016

I used another workaround, I downloaded the shell script to my computer and uploaded it to the server via SCP...

@kwlzn

kwlzn commented Dec 7, 2016

I'm also seeing this on centos5:

[kw@localhost pants]$ curl -v https://sh.rustup.rs
* About to connect() to sh.rustup.rs port 443
*   Trying 54.215.0.2... connected
* Connected to sh.rustup.rs (54.215.0.2) port 443
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
Unknown SSL protocol error in connection to sh.rustup.rs:443 
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to sh.rustup.rs:443 
[kw@localhost pants]$ curl -v --sslv2 https://sh.rustup.rs
* About to connect() to sh.rustup.rs port 443
*   Trying 54.215.0.2... connected
* Connected to sh.rustup.rs (54.215.0.2) port 443
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv2, Client hello (1):
Unknown SSL protocol error in connection to sh.rustup.rs:443 
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to sh.rustup.rs:443
[kw@localhost pants]$ curl -V
curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Protocols: tftp ftp telnet dict ldap http file https ftps 
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz 

even with a newly built curl:

[kw@localhost curl-7.51.0]$ curl -V
curl 7.51.0 (x86_64-pc-linux-gnu) libcurl/7.51.0 OpenSSL/0.9.8b zlib/1.2.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets 
[kw@localhost curl-7.51.0]$ curl https://sh.rustup.rs/ -sSf -v
*   Trying 54.215.0.2...
* TCP_NODELAY set
* Connected to sh.rustup.rs (54.215.0.2) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to sh.rustup.rs:443 
* Curl_http_done: called premature == 1
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to sh.rustup.rs:443 

and I've tried upgrading the cert bundles to no avail.

@kwlzn

kwlzn commented Dec 8, 2016

fwiw, rebuilding curl against a newer version of openssl repairs the issue for me:

$ ./src/curl -V
curl 7.51.0 (x86_64-pc-linux-gnu) libcurl/7.51.0 OpenSSL/1.0.2h zlib/1.2.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets 

@expobrain

Unfortunately it's not always possible to recompile curl

@kwlzn

kwlzn commented Dec 9, 2016

right, but it points to the older openssl version as the cause of the client failure on older platforms - and not something easily flaggable/configurable like the protocol version, ssl certs, etc.
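
A quick way to triage the `curl -V` banners posted in this thread, as an added example that is not part of the original discussion or of the rustup project: it extracts the TLS library curl was linked against and flags OpenSSL builds older than 1.0.1, the first release with TLS 1.1/1.2 support. That a missing newer TLS version is what these clients fail on is an assumption consistent with the reports above, not something the thread confirms; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): triage `curl -V` banners by TLS library.
# Assumption: failures come from an OpenSSL older than 1.0.1, the first
# release with TLS 1.1/1.2. Function names are hypothetical.

# Print the first TLS-library token of a banner, e.g. "OpenSSL/0.9.8b".
tls_backend() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n -E '/^(OpenSSL|LibreSSL|NSS|GnuTLS)\//{p;q;}'
}

# Print "ok", "too-old", "check-manually" (non-OpenSSL) or "unknown".
classify_curl() {
    backend=$(tls_backend "$1")
    case "$backend" in
        OpenSSL/*)
            # Keep the numeric x.y.z prefix; drop suffixes such as "b" or "h".
            nums=$(printf '%s' "${backend#OpenSSL/}" |
                   sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
            major=${nums%%.*}; rest=${nums#*.}
            minor=${rest%%.*}; patch=${rest#*.}
            if [ "$major" -gt 1 ] ||
               { [ "$major" -eq 1 ] && [ "$minor" -gt 0 ]; } ||
               { [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 1 ]; }
            then echo "ok"
            else echo "too-old"
            fi ;;
        "") echo "unknown" ;;
        *)  echo "check-manually" ;;
    esac
}

# First lines of `curl -V` output quoted in this thread.
while IFS= read -r banner; do
    printf '%-15s %s\n' "$(classify_curl "$banner")" "$(tls_backend "$banner")"
done <<'EOF'
curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
curl 7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.0e zlib/1.2.5 c-ares/1.7.5 libidn/1.22 libssh2/1.2.9
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
curl 7.51.0 (x86_64-pc-linux-gnu) libcurl/7.51.0 OpenSSL/1.0.2h zlib/1.2.3
EOF
# To check the local client: classify_curl "$(curl -V | head -n 1)"
```

NSS, GnuTLS and LibreSSL builds are reported as check-manually because their protocol support does not map onto the OpenSSL version threshold.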

@sanmai-NL

Also solved by #1716.

@kinnison
Contributor

I believe centos6 is the oldest thing we now support and we've not had similar reports on that, so I'm closing this. If a similar issue still remains for you, please open a fresh issue.
