2 - Way SSL - curl: (35) Unknown SSL protocol error in connection to **.com :443

Not applicable

Trying to configure the 2-way SSL on Private Cloud.

1. Uploaded the client public cert to the trust store

2. Configured the secure virtual host for the API proxy

When I run curl to test the API proxy, I get the following error:

*   Trying x.x.140.120...
* Connected to api.mydomain.com (x.x.140.120) port 443 (#0)
* TLSv1.0, TLS handshake, Client hello (1):
* TLSv1.0, TLS handshake, Server hello (2):
* TLSv1.0, TLS handshake, CERT (11):
* TLSv1.0, TLS handshake, Server key exchange (12):
* TLSv1.0, TLS handshake, Request CERT (13):
* TLSv1.0, TLS handshake, Server finished (14):
* TLSv1.0, TLS handshake, CERT (11):
* TLSv1.0, TLS handshake, Client key exchange (16):
* TLSv1.0, TLS change cipher, Client hello (1):
* TLSv1.0, TLS handshake, Finished (20):
* Unknown SSL protocol error in connection to api.mydomain.com:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to api.mydomain.com:443

I appreciate any suggestions. What am I missing?

5 REPLIES

Not applicable

I am trying to do 2-way SSL between my client --------> Edge

Hi @rcgade,

A few questions:

Would you please post the VirtualHost configuration?

What version of cURL and Openssl are you using on your client?

Are you using cURL's built-in --cert and --key arguments to provide the Client-SSL cert and key to Edge?

If you are using Edge Cloud, we can get more specific (org name, host alias, cert details, etc) via a Support case, then we can post the solution after the fact with the specific details removed.

Please let us know. Thanks!

Not applicable

I don't have the virtual host config with me. We already have an API proxy working on the same secure virtual host, and it's working.

We have added the new client public key into the same virtual host trust store.

The CURL version:

curl 7.30.0 (i386-pc-win32) libcurl/7.30.0 OpenSSL/0.9.8{ zlib/1.2.7 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp

I am using CURL's built-in --cert and --key arguments to provide the Client-SSL

We have on premise hosted Apigee. Thanks for your help.

Virtual Host Config

External VIP : api.mydomain.com

Port : 443

Virtual Host : Secure

Port : 9002

Key alias : api _staging_MYDOMAIN_com

Not applicable

I tried calling the same api using the openssl s_client and following is the result:

c:\openssl>openssl s_client -connect api.mydomain.com:443 -CAfile "C:\cert\CaBundle.pem" -key "C:\cert\client.key" -pass "pass:password" -cert "C:\cert\client.pem" -tls1
Loading 'screen' into random state - done
CONNECTED(00000554)
depth=3 /C=IE/O=XXXX/OU=CyberTrust/CN=XXXX CyberTrust Root
verify return:1
depth=2 /C=US/O=XXXXX/OU=Information Security/CN= XXXX
verify return:1
depth=1 /C=US/ST=XX/L=XXX/O=XXXX/OU=Information Security/CN=xxxxxx.com
verify return:1
depth=0 /C=US/ST=XX/L=XXXXX/O=xxxxxx/OU=xx/CN=xxxxx.com
verify return:1
4548:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:539:

Please let me know if you need any more information.
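
A check on the curl handshake trace from the question, added here as an example and not part of the original thread: it lists the handshake messages curl logged and reports whether the client's flight contains a CertificateVerify (type 15), which TLS 1.0 requires after a client certificate with signing capability. The function names are hypothetical; the trace lines are the ones posted above.

```python
import re

# Handshake lines copied from the curl -v trace posted in the question.
TRACE = """\
* TLSv1.0, TLS handshake, Client hello (1):
* TLSv1.0, TLS handshake, Server hello (2):
* TLSv1.0, TLS handshake, CERT (11):
* TLSv1.0, TLS handshake, Server key exchange (12):
* TLSv1.0, TLS handshake, Request CERT (13):
* TLSv1.0, TLS handshake, Server finished (14):
* TLSv1.0, TLS handshake, CERT (11):
* TLSv1.0, TLS handshake, Client key exchange (16):
* TLSv1.0, TLS change cipher, Client hello (1):
* TLSv1.0, TLS handshake, Finished (20):
* Unknown SSL protocol error in connection to api.mydomain.com:443
"""

# curl prints the TLS handshake message type code in parentheses.
_HANDSHAKE = re.compile(r"^\*\s+\S+, TLS handshake, .*\((\d+)\):\s*$")

def handshake_types(trace):
    """Return the handshake type codes in the order curl logged them."""
    found = (_HANDSHAKE.match(line) for line in trace.splitlines())
    return [int(m.group(1)) for m in found if m]

def client_auth_summary(trace):
    """Summarise the client-certificate part of the handshake."""
    types = handshake_types(trace)
    # Everything after ServerHelloDone (14) belongs to the client's flight.
    flight = types[types.index(14) + 1:] if 14 in types else []
    return {
        "cert_requested": 13 in types,    # CertificateRequest from server
        "client_cert_msg": 11 in flight,  # Certificate from client
        "cert_verify": 15 in flight,      # CertificateVerify from client
    }

def diagnose(trace):
    """Return a one-line finding about client authentication."""
    s = client_auth_summary(trace)
    if not s["cert_requested"]:
        return "server did not request a client certificate"
    if not s["client_cert_msg"]:
        return "client sent no Certificate message"
    if not s["cert_verify"]:
        return "no CertificateVerify: likely an empty client certificate list"
    return "client certificate and proof of possession were sent"

if __name__ == "__main__":
    print(handshake_types(TRACE))
    print(diagnose(TRACE))
```

On the posted trace this reports a missing CertificateVerify, so the first thing to confirm is that curl actually attached the certificate and key passed with --cert and --key.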