dowm41315 2015-02-09 20:57

How to debug or fix cURL errno 35

I am trying to make a cURL request in PHP to a URL. Whatever I try I always get a cURL errno 35 (for a specific URI). The curl documentation has the following to say:

You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.

However when trying to capture this information nothing seems to be returned.

$client = curl_init('https://dev.kelunik.com/css/all.min.css');

$log = fopen('/srv/www/Requestable/data/curl-log.txt', 'a+');

curl_setopt($client, CURLOPT_VERBOSE, 1);
curl_setopt($client, CURLOPT_STDERR, $log);
curl_setopt($client, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($client, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($client, CURLOPT_CAINFO, __DIR__ . '/../../../../data/default.pem');
curl_setopt($client, CURLOPT_FAILONERROR, false);
curl_setopt($client, CURLOPT_RETURNTRANSFER, true);
curl_setopt($client, CURLOPT_HEADER, true);
curl_setopt($client, CURLINFO_HEADER_OUT, true);
curl_setopt($client, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($client, CURLOPT_CUSTOMREQUEST, 'GET');
curl_setopt($client, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);

if (!$response = curl_exec($client)) {
    throw new CurlException('Making request failed: ' . curl_error($client) . '(' . curl_errno($client) . ')');
}

fclose($log);

The above code always throws the CurlException with errno 35, however the defined log file stays empty.

When trying a different URI (with a certificate from the same CA) it just works ™. I also checked my root CA bundle which is fairly up2date:

Certificate data from Mozilla downloaded on: Wed Sep 3 03:12:03 2014

What else can I check to find out what specifically is causing the error?

Note: the URI can be requested both from a browser as well as from my local dev environment just fine

Note 2: I also tried it without manually setting a custom CA root bundle which resulted in the same error.

OpenSSL version:

Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 30.el6_6.5

cURL version:

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
2 answers

  • dpb75177 2015-02-09 22:42

    The problem is unrelated to your certificate chains, it's the server configuration at dev.kelunik.com. The server is only accepting ECDHE ciphers (ssllabs). The other server accepts a wider range of ciphers. (ssllabs). While your OpenSSL supports ECDHE, the version of cURL you're using is compiled with NSS, which doesn't.

    You can compare the output with

    curl https://dev.kelunik.com
    

    and

    openssl s_client -connect dev.kelunik.com:443 -servername dev.kelunik.com 
    

    You've got two solutions here without changing your distro. If you've got access to the other server's configuration, you can change the SSL ciphers to use DHE/RSA ciphers. The exact cipher list would depend on the server configuration - ssllabs has a good blog post on the subject.

    Otherwise, you'll need to recompile cURL against OpenSSL to access all available ciphers. Basic instructions are available at http://curl.haxx.se/docs/install.html.

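The two checks the answer above relies on (which TLS library curl is built against, and which key-exchange families the server accepts), as an added shell sketch that is not part of the original answer. The function names are made up here, and the script assumes `curl` and an `openssl` binary with TLS 1.2 support are on the PATH.

```sh
#!/bin/sh
# Added diagnostic sketch (not from the original answer); function names are hypothetical.
# Usage: sh tls-probe.sh HOST [PORT]

# Print the TLS library named on the first line of `curl --version`.
curl_tls_backend() {
    for tok in $1; do
        case "$tok" in
            OpenSSL/*|NSS/*|GnuTLS/*|LibreSSL/*|mbedTLS/*|wolfSSL/*)
                printf '%s\n' "${tok%%/*}"; return 0 ;;
        esac
    done
    return 1
}

# Read `openssl s_client` output on stdin; print the negotiated cipher,
# or return 1 when the handshake failed ("Cipher is (NONE)" or no such line).
negotiated_cipher() {
    nc_name=$(sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
    [ -n "$nc_name" ] && [ "$nc_name" != "(NONE)" ] && printf '%s\n' "$nc_name"
}

# Offer one key-exchange family at a time and report whether the server accepts it.
# -tls1_2 is pinned because -cipher does not restrict TLS 1.3 suites.
probe_kx() {
    for kx in kEECDH kEDH kRSA; do
        if got=$(openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 \
                     -cipher "$kx" </dev/null 2>/dev/null | negotiated_cipher); then
            printf '%-7s accepted (%s)\n' "$kx" "$got"
        else
            printf '%-7s refused\n' "$kx"
        fi
    done
}

# Only touch the network when a host is given on the command line.
if [ "$#" -ge 1 ]; then
    printf 'curl TLS backend: %s\n' \
        "$(curl_tls_backend "$(curl --version | head -n 1)" || echo unknown)"
    probe_kx "$1" "${2:-443}"
fi
```

If only `kEECDH` is reported as accepted and the backend line reads `NSS`, that matches the situation the answer describes.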
