Curl gives error on XP, when downloading via TLS

0

I'm using curl to download the image. On win7 it works but on XP it gives a message:

(35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

I have read all available info on the internet and found out that it relates to an error in a Windows XP TLS API function. There must be a bug in the implementation. But how can Google Chrome access this resource? Does it use its own TLS functions, or does it use the Windows API for TLS negotiation? Here is an example:

curl -L -o "sub.jpg" "https://icdn.lenta.ru/images/2016/11/12/13/20161112133708253/pic_b3e542f41dea3569d80375712d111d6d.jpg"
ssl
curl
asked on Stack Overflow Nov 12, 2016 by zulunation

1 Answer

1

The TLS stack on Windows XP is very old and does not support, among other things, TLS 1.2 or SNI, has no support for ECDHE and very limited support for DHE. Given the error message, curl uses this stack (schannel). You will probably get the same error with IE on XP, which uses the native TLS stack SChannel too. In fact, the SSLLabs report points out problems with IE8 on XP. From this report it is also visible which ciphers the site supports, and if you compare this with the ciphers offered by IE8/XP and probably also curl/SChannel you will find no overlap, i.e. no shared ciphers.

Contrary to this, both Firefox and Chrome don't use the native TLS stack but instead use their own (NSS), which provides modern features. This explains why these work with the site.

answered on Stack Overflow Nov 12, 2016 by Steffen Ullrich • edited Nov 12, 2016 by Steffen Ullrich
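
The mismatch described in this answer, as an added example that is not part of the original answer: it parses a ClientHello body and models the server's suite selection, returning the fatal alert that schannel surfaces as SEC_E_ILLEGAL_MESSAGE. The suite IDs are IANA registry values; which suites each side offers, the host name `example.test`, and all function names are constructed for illustration and are not taken from the SSLLabs report.

```python
import struct

# IANA cipher suite IDs; which side offers which suite below is constructed.
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}

def build_client_hello(version, suites, sni=None):
    """Build a ClientHello handshake body (used only to construct sample input)."""
    ext = b""
    if sni:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        data = struct.pack("!H", len(entry)) + entry             # server_name_list
        ext = struct.pack("!HH", 0, len(data)) + data            # extension type 0 = server_name
    body = struct.pack("!H", version) + bytes(32) + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    return body + (struct.pack("!H", len(ext)) + ext if ext else b"")

def parse_client_hello(body):
    """Return (max_version, offered_suites, has_sni) from a ClientHello body."""
    version, = struct.unpack_from("!H", body, 0)
    pos = 35 + body[34]                       # skip version(2), random(32), session id
    n, = struct.unpack_from("!H", body, pos)  # cipher_suites length in bytes
    suites = list(struct.unpack_from("!%dH" % (n // 2), body, pos + 2))
    pos += 2 + n
    pos += 1 + body[pos]                      # compression methods
    has_sni = False
    if pos < len(body):                       # the extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            has_sni |= etype == 0
            pos += 4 + elen
    return version, suites, has_sni

def server_response(body, server_suites, min_version=0x0301):
    """Model the server's choice: a suite name, or the fatal alert it would send."""
    version, offered, _ = parse_client_hello(body)
    if version < min_version:
        return "alert: protocol_version"
    shared = [s for s in server_suites if s in offered]   # server preference order
    return SUITES[shared[0]] if shared else "alert: handshake_failure"

SERVER = [0xC02F, 0xC030]                                        # constructed: ECDHE-only server
XP_HELLO = build_client_hello(0x0301, [0x0004, 0x0005, 0x000A])  # constructed: TLS 1.0, RSA only, no SNI
MODERN_HELLO = build_client_hello(0x0303, [0xC02F, 0x0005], sni="example.test")  # constructed
```

`server_response(XP_HELLO, SERVER)` yields the handshake_failure alert, while `server_response(MODERN_HELLO, SERVER)` selects the ECDHE suite, which is the difference between the schannel client and a browser shipping its own TLS stack.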

User contributions licensed under CC BY-SA 3.0