Dienstverlenging
Professionals
Recently I had a stange situation. With my browser I was able to open the health check of a legacy webservice but curl (and the PHP application that used libcurl) was unable to reach it. Also running curl in Docker ended up with the same error: unsupported protocol.
Based on the error, I got the scary feeling that the webservice is using an old version of the SSL protocol (for example TLS 1.1). So I used the OpenSSL client to check which SSL protocol was supported. TLS 1.0 was the best available option. Specifying the --tlsv1.0 and --insecure option in my curl request did not solve anything.
After diving in deeper I learned that the OpenSSL library (that is used by curl) has is own configuration file and that this file is not located in /etc but in /usr/lib/ssl/openssl.conf (Debian based distros). In the file I found the following configuration line:
MinProtocol = TLSv1.2
After changing the MinProtocol to TLSv1.0 curls works like a charm!
A critical note: Using older protocols should never be your first choice. Changing the MinProtocol version option allows your applications (with OpenSSL bindings) to connect in an insecure way to all endpoints. In this situation the legacy application was only reachable via a site-to-site VPN, but changing this option also impacts the connection to all other endpoints and applications.
For RHEL based distro's the file seems to be located in /etc/pki/tls/openssl.cnf (I havent tested this).
For people who are using a Docker image based on Debian you will find the same location inside your container. Change the setting via some commands in your Dockerfile.