When attempting to connect to https://www.lawsociety.com.au
using modern curl versions on Windows, you may encounter:
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
This occurs because the server only accepts the RC4-SHA cipher suite (a legacy algorithm), while modern OpenSSL versions disable it by default.
The root cause becomes clear when examining the server's SSL configuration:
$ openssl s_client -connect www.lawsociety.com.au:443
New, TLSv1/SSLv3, Cipher is RC4-SHA
Protocol : TLSv1
Cipher : RC4-SHA
Modern security standards consider RC4 insecure, leading to its removal from OpenSSL 1.1.0+ default cipher lists.
Option 1: Downgrade OpenSSL Version
Install curl with OpenSSL 1.0.2 (which still supports RC4):
# Windows (using Chocolatey)
choco install curl --version=7.57.0-openssl_1.0.2
# Linux
sudo apt-get install libssl1.0-dev
wget https://curl.haxx.se/download/curl-7.64.0.tar.gz
tar -xzf curl-7.64.0.tar.gz
cd curl-7.64.0
./configure --with-ssl
make
sudo make install
Option 2: Python Workaround
For Python developers needing temporary access:
import ssl
import urllib.request

# Create custom SSL context. Note: a context built this way has
# verify_mode CERT_NONE, so the server certificate is not validated.
ctx = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1)
# Raises ssl.SSLError ("No cipher can be selected") if the local OpenSSL
# build no longer includes RC4, so this only works on 1.0.2-era builds.
ctx.set_ciphers('RC4-SHA')

try:
    with urllib.request.urlopen(
        'https://www.lawsociety.com.au/',
        context=ctx,
        timeout=10
    ) as response:
        print(response.read().decode('utf-8'))
except Exception as e:
    print(f"Connection failed: {str(e)}")
While these solutions work, they compromise security. Consider:
- Contacting the website administrator to upgrade their SSL configuration
- Using alternative endpoints if available
- Limiting these insecure connections to non-sensitive data
For temporary testing without modifying your system:
# Dockerfile
FROM ubuntu:16.04
RUN apt-get update && \
apt-get install -y curl openssl libssl1.0.0
CMD ["curl", "-v", "https://www.lawsociety.com.au"]
Build and run:
docker build -t legacy-curl .
docker run --rm legacy-curl
When attempting to connect to https://www.lawsociety.com.au
using curl on Windows, many developers encounter the frustrating error:
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
This typically occurs when there's a protocol or cipher suite mismatch between the client and server. In our case, the Ubuntu machine succeeds because it's using an older OpenSSL version that supports legacy protocols.
The website in question is using outdated security settings:
- Protocol: TLS 1.0
- Cipher: RC4-SHA (considered insecure and disabled in modern OpenSSL)
Modern versions of OpenSSL (1.1.0+) have removed support for RC4 ciphers due to security vulnerabilities. This explains why the same curl command works on Ubuntu (likely using OpenSSL 1.0.2) but fails on Windows with OpenSSL 1.1.0.
You can inspect the server's SSL configuration using OpenSSL's s_client:
openssl s_client -connect www.lawsociety.com.au:443 -servername www.lawsociety.com.au -tls1
The output will show the negotiated protocol and cipher suite. For this site, you'll typically see:
Protocol : TLSv1
Cipher : RC4-SHA
Option 1: Downgrade curl/OpenSSL
The simplest solution is to use an older version of curl that links against OpenSSL 1.0.2:
# On Windows, download curl 7.50.0 (with OpenSSL 1.0.2)
curl -V
# Should show OpenSSL/1.0.2...
Option 2: Force Legacy Protocols in curl
For newer curl versions, you can try forcing older protocols:
curl --tlsv1.0 --tls-max 1.0 https://www.lawsociety.com.au
Note: This may still fail if the cipher suite is disabled at the OpenSSL level.
Option 3: Python Workaround
For Python applications, you can create a custom SSL context:
import ssl
import urllib.request

# Create legacy-compatible context. As constructed, it has verify_mode
# CERT_NONE, so the server certificate is not validated.
ctx = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1)
# Raises ssl.SSLError if neither RC4 suite exists in the local OpenSSL build
ctx.set_ciphers('RC4-SHA:RC4-MD5')

try:
    with urllib.request.urlopen('https://www.lawsociety.com.au/', context=ctx) as response:
        print(response.read().decode('utf-8'))
except Exception as e:
    print(f"Error: {e}")
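Before trying either Python workaround it helps to know whether the local Python/OpenSSL pair can still select RC4-SHA or TLS 1.0 at all, and to map the error strings above to their cause. The following is an added diagnostic, not code from the original answers; the function names are my own.

```python
import ssl


def cipher_available(cipher_string):
    """True if this OpenSSL build can select at least one cipher from cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)  # raises SSLError when nothing matches
    except ssl.SSLError:
        return False
    return len(ctx.get_ciphers()) > 0


def local_legacy_support():
    """Summarize what the local OpenSSL can still offer for an RC4-SHA / TLS 1.0 server."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "rc4_sha": cipher_available("RC4-SHA"),
        # HAS_TLSv1 only says the protocol is compiled in; the default security
        # level or minimum_version may still refuse to negotiate it.
        "tls1_0": ssl.HAS_TLSv1,
    }


def classify_handshake_error(err):
    """Map an ssl/urllib error message to the failure modes discussed on this page."""
    msg = str(err).lower()
    if "handshake failure" in msg:
        return "server rejected every offered cipher suite (it wants RC4-SHA over TLS 1.0)"
    if "no cipher can be selected" in msg or "no cipher match" in msg:
        return "local OpenSSL build has no RC4 cipher left to offer"
    if "unsupported protocol" in msg or "version too low" in msg:
        return "local OpenSSL refuses to speak TLS 1.0"
    if "certificate verify failed" in msg:
        return "certificate validation failed, not a cipher problem"
    return "unclassified"


if __name__ == "__main__":
    for key, value in local_legacy_support().items():
        print(f"{key}: {value}")
```

If rc4_sha reports False, neither Python workaround can succeed on this machine and only an older OpenSSL (Option 1 or the Docker image) will do.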
While these solutions work, they come with significant security implications:
- RC4 has been deprecated since 2015 due to cryptographic weaknesses
- TLS 1.0 reached end-of-life in 2021
- These configurations may violate compliance standards (PCI DSS, HIPAA, etc.)
The ideal solution is to contact the website administrators and request they update their SSL configuration to support modern protocols (TLS 1.2+) and secure cipher suites.
If you control the client environment, consider these more secure alternatives:
# Use a proxy server that can handle legacy SSL. The proxy must terminate TLS
# itself: with a plain HTTP forward proxy, curl still negotiates TLS end-to-end
# through a CONNECT tunnel and the same cipher problem recurs.
curl --proxy http://legacy-ssl-proxy:8080 https://www.lawsociety.com.au

# Or use a translation service like NGINX:
server {
    listen 443 ssl;
    server_name proxy.example.com;
    # ssl_certificate and ssl_certificate_key for proxy.example.com are also required here
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass https://www.lawsociety.com.au;
        # Only works if the OpenSSL that nginx links against still includes RC4
        proxy_ssl_protocols TLSv1;
        proxy_ssl_ciphers RC4-SHA;
    }
}