Hi Geoff

I have hit these SSL/curl errors a few times when building on ubuntu and I saved some notes of how I got it to work. I am not sure I recognize ComSign_CA.pem so maybe you are hitting something a little different - not sure, but here is what I recorded in May:

20190519112839 - Ugh, openssl error with some combination of curl, wget and edbrowse. I did actually find out that it works if you send certain arguments to configure:

cd ~
sudo apt-get build-dep curl
wget http://curl.haxx.se/download/curl-7.46.0.tar.bz2
tar -xvjf curl-7.46.0.tar.bz2
cd curl-7.46.0
./configure --with-nghttp2 --with-ssl --with-libssl-prefix=/usr/local/ssl
make
sudo make install
sudo ldconfig

20190519112951 - Basically, you have to build both from source. For curl, you have to use the above. The whole thing is written up at https://askubuntu.com/questions/475670/how-to-build-curl-with-the-latest-openssl/475677
This isn't the problem Geoff was running into; his is much easier to deal with.
I know the one you're talking about though; see the README file line 73.
You don't need edbrowse to diagnose it; a simple test is
curl https://weloveanimals.me
You get the website or the communication error.
curl doesn't fail on too many websites, but if it's the one you really want to go to, well ...
And obviously edbrowse can't do a thing about it.
I'll add your notes to the README on rebuilding curl from source, if people want to do that, and even I might,
cause I also have one of those unfortunate distributions where curl is bound to gnutls instead of openssl.

Karl Dahlke
I'm glad we have a little knowledge base going so it can become easier in
the future. I remember you were writing about this a while ago.
On Mon, 2 Sep 2019, Karl Dahlke wrote:
> This isn't the problem Geoff was running into; his is much easier to deal with.
> I know the one you're talking about though; see the README file line 73.
> You don't need edbrowse to diagnose it; a simple test is
> curl https://weloveanimals.me
> You get the website or the communication error.
> curl doesn't fail on too many websites, but if it's the one you really want to go to, well ...
> And obviously edbrowse can't do a thing about it.
> I'll add your notes to the README on rebuilding curl from source, if people want to do that, and even I might,
> cause I also have one of those unfortunate distributions where curl is bound to gnutls instead of openssl.
>
> Karl Dahlke
>
Hi Karl,

I do not exactly understand your 'gnutls' vs 'openssl'...

My Ubuntu 18.04.3 LTS sports -

~/Documents/edbrowse$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

which specifically mentions 'OpenSSL/1.1.1'...

And using $ ldd /usr/bin/curl ... for SSL it shows -

libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f8f5db4b000)

And more

~/Documents/edbrowse$ openssl version
OpenSSL 1.1.1 11 Sep 2018

So unsure where 'gnutls' comes into this...

As reported -

$ curl https://weloveanimals.me

seems to work fine for me...

But, yes Kevin, having `a little knowledge base going` is always a good thing... be it emails, lists, issues, README, google, whatever... It is always how to organize, such that 'it' can be found, remembered, when next encountered... that is identifying the 'it'...

Regards, Geoff.
> I do not exactly understand your 'gnutls' vs 'openssl'...

Guess what, neither do I.
We convinced ourselves a year ago that was the problem, but ldd clearly shows my curl linking to openssl, and
curl https://weloveanimals.me
fails on my machine; I switch to another machine, still curl + openssl, and it works.
So we still don't understand it at all.
I wish we did.

Karl Dahlke
Karl Dahlke wrote on Mon, Sep 02, 2019:
> > I do not exactly understand your 'gnutls' vs 'openssl'...
>
> Guess what, neither do I.
> We convinced ourselves a year ago that was the problem, but ldd clearly shows my curl linking to openssl, and
> curl https://weloveanimals.me
> fails on my machine; I switch to another machine, still curl + openssl, and it works.
> So we still don't understand it at all.
> I wish we did.
Hmm, I thought it could be that debian raised the minimum tls version in
/etc/ssl/openssl.cnf a year ago or two (MinProtocol = TLSv1.2 in
[system_default_sect] section of the file), but that website appears to
support older protocols as well if I try to force these with the openssl
s_client command...
I can connect to it just fine using gnutls-cli as well so it might be
something specific to a precise version of debian (tested on a
recent-ish buster).
Possibly the certificate authority (CA) that this website uses is not
bundled by debian? But then I don't see what rebuilding curl would help
you with in that case; Kevin might have had a different issue that
needed him to rebuild curl.
--
Dominique
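
An added diagnostic sketch for the two theories raised in this thread (which TLS library curl is linked against, and the MinProtocol floor in the [system_default_sect] section of /etc/ssl/openssl.cnf); it is not part of any poster's message or of the edbrowse README. The function names tls_backend and cnf_value are made up for this example.

```shell
#!/bin/sh
# Added example: local checks only, no network access.

# Read `curl --version` output on stdin and print the TLS library token
# from its first line, e.g. "OpenSSL/1.1.1" or "GnuTLS/3.5.18".
tls_backend() {
    sed -n '1p' | tr ' ' '\n' |
        grep -E -i '^(OpenSSL|GnuTLS|NSS|LibreSSL|BoringSSL|mbedTLS|wolfSSL)/' |
        head -n 1
}

# Print the value of KEY inside [SECTION] of an openssl.cnf-style file.
# Usage: cnf_value FILE SECTION KEY
# Prints nothing when the key is absent from that section.
cnf_value() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*#/ { next }                      # ignore comment lines
        /^[ \t]*\[/ {                            # section header: remember it
            sub(/^[ \t]*\[[ \t]*/, ""); sub(/[ \t]*\].*$/, "")
            cur = $0; next
        }
        cur == sect {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# Report for the machine this runs on.
if command -v curl >/dev/null 2>&1; then
    echo "curl TLS backend: $(curl --version | tls_backend)"
fi
cnf=/etc/ssl/openssl.cnf
if [ -r "$cnf" ]; then
    echo "MinProtocol in [system_default_sect]: $(cnf_value "$cnf" system_default_sect MinProtocol)"
fi
```

Comparing the two printed lines between a machine where the curl test works and one where it fails shows whether either theory explains the difference.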