Fix old tls connections

ThierryFR requested to merge fix-old-tls-connections into master

Search for the TLS version used by the device, then force the TLS version if necessary.

For the Canon XK90: by default, curl fails to connect.

$ curl -vk https://192.168.0.108/eSCL/ScannerCapabilities
*   Trying 192.168.0.108:443...
* Connected to 192.168.0.108 (192.168.0.108) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /usr/local/share/certs/ca-root-nss.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

But with "--tls-max 1.0" or "--tls-max 1.1", curl can connect to XK90. With "--tls-max 1.2" and "--tls-max 1.3", curl returns the same error described above.

$ curl -vk --tls-max 1.1 https://192.168.0.108/eSCL/ScannerCapabilities
*   Trying 192.168.0.108:443...
* Connected to 192.168.0.108 (192.168.0.108) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /usr/local/share/certs/ca-root-nss.crt
*  CApath: none
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* TLSv1.1 (IN), TLS handshake, Server hello (2):
* TLSv1.1 (IN), TLS handshake, Certificate (11):
* TLSv1.1 (IN), TLS handshake, Server finished (14):
* TLSv1.1 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.1 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.1 (OUT), TLS handshake, Finished (20):
* TLSv1.1 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.1 / AES256-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=192.168.0.108
*  start date: Jan  1 00:00:00 2019 GMT
*  expire date: Dec 31 23:59:59 2038 GMT
*  issuer: CN=CanonIJProductF8A26DA2A5240001
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /eSCL/ScannerCapabilities HTTP/1.1
> Host: 192.168.0.108
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< MIME-Version: 1.0
< Transfer-Encoding: chunked
< Content-Type: text/xml
< Connection: close
(snip)
* TLSv1.1 (IN), TLS alert, close notify (256):
* TLSv1.1 (OUT), TLS alert, close notify (256):
$

FYI, Firefox (91.3.0esr and 95.0) can connect to XK90 with TLS1.2.

Edited by ThierryFR
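An added example, not the merge request's own code, of the probe-then-force procedure described above: a POSIX shell function that asks curl for a handshake at each `--tls-max` value from 1.3 down to 1.0 and reports the first one the device accepts. It assumes curl 7.54 or later (for `--tls-max`); the `CURL_CMD` override and the function names are my own.

```shell
#!/bin/sh
# Added example (not the merge request's code): find the newest TLS
# version a scanner accepts, walking from newest to oldest, so a
# legacy version is forced only for devices that really need it.
#
# Assumptions: curl >= 7.54 (supports --tls-max); the URL is the XK90
# endpoint from the description. CURL_CMD can be overridden to inject
# a stub for offline testing.

# Newest first: fall back only when the device rejects everything newer.
TLS_VERSIONS="1.3 1.2 1.1 1.0"

# try_tls URL VERSION -> exit 0 if the handshake succeeds with that maximum.
try_tls() {
    url=$1
    ver=$2
    # -k: the device certificate is self-signed (issuer CN=CanonIJProduct...),
    # so verification cannot succeed; --max-time guards against hangs.
    ${CURL_CMD:-curl} -sk --tls-max "$ver" --max-time 5 -o /dev/null "$url"
}

# find_tls_max URL -> prints the first working maximum TLS version,
# or "none" (exit 1) when every version is rejected.
find_tls_max() {
    url=$1
    for ver in $TLS_VERSIONS; do
        if try_tls "$url" "$ver"; then
            printf '%s\n' "$ver"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# Usage: ./probe.sh https://192.168.0.108/eSCL/ScannerCapabilities
if [ -n "$1" ]; then
    ver=$(find_tls_max "$1" || true)
    echo "max TLS accepted by $1: $ver"
    # Anything below 1.2 is deprecated (RFC 8996): log the result and pin
    # the downgrade to this one device rather than relaxing the defaults.
fi
```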