0
votes

I receive the following error when attempting SSL with my server, using libcurl 7.70.0. Full log:

  * Trying ::1:443...
  * Trying 127.0.0.1:443...
  * Connected to localhost (127.0.0.1) port 443 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * successfully set certificate verify locations:
  * CAfile: ../../certs.pem CApath: none
  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
  * TLSv1.3 (IN), TLS handshake, Server hello (2):
  * TLSv1.0 (IN), TLS handshake, Certificate (11):
  * TLSv1.0 (IN), TLS handshake, Server key exchange (12):
  * TLSv1.0 (IN), TLS handshake, Request CERT (13):
  * TLSv1.0 (IN), TLS handshake, Server finished (14):
  * TLSv1.0 (OUT), TLS handshake, Certificate (11):
  * TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
  * TLSv1.0 (OUT), TLS handshake, CERT verify (15):
  * TLSv1.0 (OUT), TLS change cipher, Change cipher spec (1):
  * TLSv1.0 (OUT), TLS handshake, Finished (20):
  * TLSv1.0 (IN), TLS alert, illegal parameter (559):
  * error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
  * Closing connection 0

Any ideas, what can cause the issue?

2 Answers

0
votes

It can cause this if there is a bug in the OpenSSL your curl is using, so that it sends an invalid handshake message. It is very unlikely such a bug exists in upstream OpenSSL, which is used by thousands of programs at least and exercised by probably billions of users, but it might have been introduced if you are using a version that you yourself built or someone else built nonstandardly.

It can cause this if there is a bug in the server and it is either wrongly aborting the handshake, or rightly aborting the handshake but using the wrong alert code. In particular, it might be that the server doesn't like something about the cert (chain) your client sent, and should have used one of several alert codes indicating a certificate problem, but it used illegal_parameter(47) instead. The best thing is to look in the server log(s) to see what it thinks the problem is, and/or, since it is local, debug it.

0
votes

Problem was that I was using a certificate not trusted by the server.
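The first answer's diagnosis (the server rejected the client's certificate chain and should have said so with a certificate-class alert, and the server's own log is where the real reason shows up) and the second answer's confirmation (a client cert the server does not trust) can be reproduced end to end. The following is an added example written for this page, not code from the thread or from the questioner's server; it uses Go's crypto/tls in both roles, since the actual server software is never named, and pins TLS 1.2 so the handshake has the same shape as the log above (ServerKeyExchange, Request CERT, ClientKeyExchange, CERT verify). The CA names, "localhost" leaf and ephemeral loopback port are all constructed for the demo; it needs Go 1.18 or newer for the generic `must` helper.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; it keeps this one-file demo short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a P-256 cert named cn: a self-signed CA if parent is nil, else a "localhost" leaf signed by parent.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signerCert, signerKey := tmpl, crypto.PrivateKey(key)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{"localhost"}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// mutualHandshake runs a mutual-TLS 1.2 handshake over loopback (the server requires a
// client cert chaining to trustedCA) and returns the error text each side saw, "" on
// success. TLS 1.2 is pinned because it matches the question's handshake; under TLS 1.3
// the client finishes before the server checks its cert, so the alert appears on first Read.
func mutualHandshake(trustedCA, clientCert tls.Certificate) (serverErr, clientErr string) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA.Leaf)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{issue("localhost", &trustedCA)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // produces the "Request CERT (13)" in the log
		ClientCAs:    pool,
		MaxVersion:   tls.VersionTLS12,
	}))
	defer ln.Close()
	// The server's own handshake error is the "server log" the first answer says to consult.
	fromServer, clientDone := make(chan string, 1), make(chan struct{})
	go func() {
		conn := must(ln.Accept())
		if err := conn.(*tls.Conn).Handshake(); err != nil {
			fromServer <- err.Error()
		} else {
			fromServer <- ""
		}
		<-clientDone // hold the socket open so the client reads our alert rather than a reset
		conn.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    pool, // plays the role of the client's CAfile
		ServerName: "localhost",
		// Offer the configured cert unconditionally, as curl/OpenSSL do; Go's default
		// Certificates path would withhold a cert whose issuer is not in the server's CA list.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return &clientCert, nil
		},
	})
	if err != nil {
		clientErr = err.Error()
	} else {
		conn.Close()
	}
	close(clientDone)
	return <-fromServer, clientErr
}

func main() {
	trustedCA, otherCA := issue("Trusted CA", nil), issue("Unrelated CA", nil)
	for _, cert := range []tls.Certificate{issue("client", &trustedCA), issue("client", &otherCA)} {
		s, c := mutualHandshake(trustedCA, cert)
		fmt.Printf("server: %q\nclient: %q\n\n", s, c)
	}
}
```

Run it with `go run .`. The first round trip (client cert from the CA in the server's ClientCAs) completes with no error on either side. The second (client cert from an unrelated CA, the situation the second answer describes) fails: the client only sees `remote error: tls: ...`, while the server side names the actual cause, `x509: certificate signed by unknown authority`. Note that this server answers with a certificate-class alert (bad_certificate or, in newer Go releases, unknown_ca) rather than illegal_parameter, which is the behaviour the first answer says the questioner's server should have had; the client-side alert alone would still not tell you which certificate check failed, which is why the server log is the place to look.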