How to compile Curl with legacy SSL support on Ubuntu?

I have the following error, when attempting to connect to an old HTTPS-enabled web site using Curl:

curl https://10.11.1.44
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

More verbosely:

* Expire in 0 ms for 6 (transfer 0x55a4192abdd0)
*   Trying 10.11.1.44...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55a4192abdd0)
* Connected to 10.11.1.44 (10.11.1.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

If I try to use the --ssl2 or --ssl3 options, I get the following error:

root@kali:~# curl https://10.11.1.44/ --sslv2
curl: (4) OpenSSL was built without SSLv2 support
root@kali:~# curl https://10.11.1.44/ --sslv3
curl: (4) OpenSSL was built without SSLv3 support

I've consulted the following page for how to build Curl with SSL2/3 support, but I'm not sure how to enable it.

https://curl.haxx.se/docs/install.html

Any ideas?

Shuzheng asked May 30 '19 11:05


2 Answers

Update: curl dropped support for --sslv2 / --sslv3 sometime after curl version 7.76.1 was released, so you must make sure to also compile curl version 7.76.1 or older. The instructions have been updated to make sure curl 7.76.1 is generated. (Thanks to Matias Barros for the update.)

You'll need to compile both curl and your SSL backend from source. Obviously you'll need a C compiler, and probably more stuff, but idk what; hopefully this should cover it:

sudo apt-get install gcc build-essential make cmake autoconf git automake libtool

This can probably be done with several SSL backends, but since I'm most familiar with OpenSSL, I'll proceed with OpenSSL. To build OpenSSL, go to the OpenSSL repo at https://github.com/openssl/openssl and find an appropriate OpenSSL version. In this example I chose version 1.1.1k (which is the latest stable OpenSSL release as of writing):

git clone -b 'OpenSSL_1_1_1k' --single-branch --depth 1 https://github.com/openssl/openssl
cd openssl
./config no-shared enable-ssl2 enable-ssl3 enable-ssl3-method
make -j $(nproc)

(The last step may take a while.) OpenSSL's build script does not create a lib folder, but curl's build script expects the lib files to be in a lib folder inside the openssl folder, so after the make, run

mkdir lib
cp *.a lib;

Once that's done, it's time to make curl, so cd .. out of there and clone the last version of curl supporting the --sslv2 / --sslv3 switches, 7.76.1:

git clone -b 'curl-7_76_1' --single-branch --depth 1 https://github.com/curl/curl.git
cd curl
./buildconf
LDFLAGS="-static" ./configure --with-ssl=$(realpath ../openssl) --disable-shared  --enable-static
make -j $(nproc)

(If you wonder why I used realpath: there appears to be a bug in curl's build script that makes it fail if you supply a relative path, so an absolute path is required, it seems. If you wonder why I made a static build, aka --disable-shared --enable-static: you may have a different libopenssl library in your $PATH, so to avoid a conflict with Ubuntu's built-in libopenssl, a static build is safer.)

And finally,

/temp2/curl# ./src/curl --sslv3 https://google.com
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

(Because https://google.com no longer supports SSLv3 at all.)

TL;DR

git clone -b 'OpenSSL_1_1_1k' --single-branch --depth 1 https://github.com/openssl/openssl
cd openssl
./config no-shared enable-ssl2 enable-ssl3 enable-ssl3-method
make -j $(nproc)
mkdir lib
cp *.a lib;
cd ..
git clone -b 'curl-7_76_1' --single-branch --depth 1 https://github.com/curl/curl.git
cd curl
./buildconf
LDFLAGS="-static" ./configure --with-ssl=$(realpath ../openssl) --disable-shared  --enable-static
make -j $(nproc)
./src/curl --sslv3 https://google.com
hanshenrik answered Sep 27 '22 20:09


The error "protocol version (582)" means the server supports at most TLSv1.0.

TLSv1.0 is deprecated and disabled in the latest distros (e.g. Ubuntu 19+, Debian Buster+).

Specifying the --tlsv1.0 curl argument won't help, as the protocols are disabled in OpenSSL.

Either upgrade the server to which you're connecting (preferred),

... or enable TLSv1.0 in /etc/openssl.cnf:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

change to

[system_default_sect]
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1

Note: SECLEVEL=1 enables SHA-1 and allows the RSA key to be less than 2048 bits (will probably be needed to connect to old servers).

(no need to recompile anything)

rustyx answered Sep 27 '22 19:09
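Example added here, not from either answer: instead of lowering the system-wide defaults as the answer above does, put the relaxed settings in a private config file and point only the one curl process at it through OpenSSL's OPENSSL_CONF environment variable (honored by libssl in OpenSSL 1.1.1 and later). It assumes curl is linked against such an OpenSSL and uses the Debian/Ubuntu section layout that wraps the [system_default_sect] quoted above.

```shell
# Added example, not from either answer: scope the TLSv1.0 / SECLEVEL=1
# relaxation to ONE curl process instead of editing the system openssl.cnf.
# libssl (OpenSSL 1.1.1+) reads the file named by the OPENSSL_CONF variable
# at startup, so only the wrapped curl is weakened; every other program keeps
# the distribution's MinProtocol = TLSv1.2 / SECLEVEL=2 defaults.
# Assumptions: curl is linked against OpenSSL 1.1.1+; the section layout
# below mirrors the Debian/Ubuntu openssl.cnf quoted in the answer.

# Write a complete stand-alone OpenSSL config file. $1 = path to create.
write_legacy_openssl_cnf() {
    cat > "$1" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Relaxed only for the process that loads THIS file.
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1
EOF
}

# Check a generated file: the relaxed settings must be present and must be
# reachable from the top-level openssl_conf key, or libssl ignores them.
check_legacy_openssl_cnf() {
    grep -q '^openssl_conf = default_conf$' "$1" &&
    grep -q '^system_default = system_default_sect$' "$1" &&
    grep -q '^MinProtocol = TLSv1.0$' "$1" &&
    grep -q '^CipherString = DEFAULT@SECLEVEL=1$' "$1"
}

# Run curl with the relaxed config in effect for this process only.
# $1 = config path; remaining arguments go to curl (e.g. --tlsv1.0 URL).
legacy_curl() {
    cnf="$1"; shift
    OPENSSL_CONF="$cnf" curl "$@"
}

# Usage (needs network, so left as a comment): build the file in a private
# directory, use it once, and leave the system openssl.cnf untouched.
#   dir=$(mktemp -d); write_legacy_openssl_cnf "$dir/legacy.cnf"
#   legacy_curl "$dir/legacy.cnf" --tlsv1.0 -v https://10.11.1.44/
```

Because the variable is set only for that command, a plain `curl` run afterwards still refuses the TLSv1.0-only server, which is the behaviour you want for everything else on the box.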