
Why can I access a website using Firefox or WGET, but not using CURL or Ruby?

When I try to access this website I get different results depending on the tool I use: CURL and Ruby's Net::HTTP module both return an SSLError 'wrong signature type'. Although I haven't exhaustively tested every means of accessing it, I'm wondering what causes this difference. My guess is a difference in TLS support, as if some tools were more tolerant when facing old TLS versions.

Some additional information:

  • Local machine : Linux debian 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
  • Local machine OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019
  • Server's encryption: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 256bit keys, TLS 1.
  • Server's most likely SSL/TLS implementation (using tls_prober)
                                 OpenSSL 1.0.1e-48.el6_8.1 RHEL 6:  95.93%
                             OpenSSL 1.0.1e-42.el6_7.4 RHEL 6.7.z:  95.93%
                          OpenSSL 1.0.1e-30.el6_6.12 RHEL 6.6.AUS:  95.93%
                              OpenSSL 1.0.1h default source build:  95.83%
                          OpenSSL 1.0.1e-16.el6_5.16 RHEL 6.5.AUS:  92.88%
                               OpenSSL 1.0.1 default source build:  92.54%
                                   OpenSSL 1.0.1k Debian 8 Apache:  91.67%
                              OpenSSL 1.0.1g default source build:  91.67%
                               OpenSSL 1.0.2 default source build:  90.51%
                              OpenSSL 1.0.1a default source build:  87.50%

Could anyone give me a high-level explanation of why some tools get a 200 OK, while others return an SSLError 'wrong signature type'?

Sumak asked Jan 30 '26 08:01


1 Answer

The difference between your common web browser and CURL (and some others) is the usage of SNI (Server Name Indication). To summarize, SNI is a piece of information the client sends in the request to tell the server which domain it is reaching; it allows you to configure multiple websites on the same IP address, but also different certificates.

From the SSL Labs test on your website, the certificate for your domain (given when using SNI) is good, but the default one (when SNI is not provided) is invalid. This is why you have an error only in specific software.

So you need to fix the default certificate, by using a valid one for the default website (if this server is hosting multiple websites), or the same one (if you have only this website on this server).

redheness answered Feb 01 '26 01:02
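
The check the answer describes, comparing the certificate a server presents with and without SNI, as an added Ruby example that is not part of the original answer. It runs against a local test server with self-signed certificates constructed at run time; the names `server_ctx`, `start_server`, `presented_cn`, `default.invalid` and `site.example` are assumptions made for the illustration.

```ruby
require "openssl"
require "socket"

# Server context with a throwaway self-signed certificate for cn (constructed sample data).
def server_ctx(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx
end

# Local TLS server: serves site_cn's certificate when the client names it via
# SNI, and the default certificate otherwise. Returns the listening port.
def start_server(default_cn, site_cn)
  default = server_ctx(default_cn)
  site = server_ctx(site_cn)
  default.servername_cb = proc { |_sock, name| name == site_cn ? site : nil }
  tcp = TCPServer.new("127.0.0.1", 0)
  tls = OpenSSL::SSL::SSLServer.new(tcp, default)
  Thread.new { loop { tls.accept.close rescue nil } }
  tcp.addr[1]
end

# CN of the certificate presented to a client; sni = nil omits the extension.
def presented_cn(port, sni)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # inspection only: sample certs are self-signed
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  sock.sync_close = true
  sock.hostname = sni if sni
  sock.connect
  sock.peer_cert.subject.to_a.find { |field, _| field == "CN" }[1]
ensure
  sock&.close
end

port = start_server("default.invalid", "site.example")
puts "with SNI:    #{presented_cn(port, 'site.example')}"
puts "without SNI: #{presented_cn(port, nil)}"
```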


